Sometimes my friends ask me “how bad is it really?” How bad is the cyber threat? It’s hard to answer that question — and its even harder when the experts can’t reach a consensus. It would be almost impossible to find a better example of the problem than this past weekend. In the New York Times, two researchers from Microsoft offered the view that the scope and extent of cyber crime is systematically overstated, casting doubt on survey estimates made by various organizations. A day later, John O. Brennan, President Obama’s senior adviser on counter terrorism and homeland security, warned, in the Washington Post that threats to critical infrastructure are growing, citing 200 known attempted or successful cyber intrusions in the critical infrastructure control systems in 2011. With such widely divergent views on the table, one has to feel a bit of sympathy for the puzzled lawmakers charged with deciding policy.