The specter of a “Cyber Pearl Harbor” is kicked around the media frequently, usually riding the tides of Federal budget debates. This month, I’ll throw my ideas about the prospect of a catastrophic cyber attack into the mix.
Many alarmists have talked about a massive cyber attack crippling the nation. Scenarios range from hackers shutting down the power grid in the depths of winter to attackers crippling strategic port facilities. Former Secretary of Defense Panetta swung for the fences when he described how a cyber-capable enemy could lay waste to the country. His speech was intended to bring attention to the issue and, presumably, aid the Defense Department’s efforts to gain Congress’ backing for the increase in cyber security funding.
Although many of these Doomsday scenarios are technically feasible, the probability of them occurring is lower than advertised. To examine my assertion, let’s consider a few key points.
The first point is that massive, annihilation attacks rarely work. Take the real Pearl Harbor attack, for example. The Japanese Empire caught the US by surprise, but failed to cripple us sufficiently to win the war. Taking this analogy into cyber space shows the flaws in this logic. An attack against the stock exchange, a power grid, or any other strategic target would stun us, without a doubt, but could it wreak more devastation than a natural disaster? Hurricanes Katrina and Sandy did more to this nation than any of these “Cyber Pearl Harbor” predictions. National emergencies, yes. Crippling death blows, no.
My second point is that I’m not sure that we have a good handle on who the potential enemy is. Secretary Panetta and others like to call out the Chinese government as a likely adversary, but how realistic is that, given that they own so much US debt? Any loan shark will tell you that you can’t get the money back if the borrower is dead. Since they have $1.28 trillion reasons to see us solvent, I think it’s safe to say that they’re happy to steal our intellectual property rather than cripple our economy.
The same goes for other nation states and all the criminal organizations, which leaves political adversaries. Here I’ll go out on a limb and say that I think the capabilities of the nations and terrorist groups that we tussle with aren’t up to the standard of a crippling attack. Their ranks are full of enthusiastic volunteers, but they’ve fallen short of showing any strategic planning or strike capability.
Going back a step, my third point questions this “to be determined” enemy’s motivation. There has to be a reason to attack. So what might that reason be? Evil overlords bent on global domination have long since become cliche. (Calling Doctor Blofeld. Doctor Blofeld…) Even one of the transnational terrorist groups would have trouble pulling together the sustained effort to run a hack of this magnitude.
Without a scrap of motivation, I can only conclude that most of these media reports boil down to their desire to spread Fear, Uncertainty, and Doubt. FUD for short. It’s the modern equivalent of yellow journalism and has failed to work, as evinced by how quickly the story faded away.
Despite all of my misgivings, make no mistake. The threat of cyber vulnerabilities is very real. How do we get and hold the attention of the vendors, administrators, and management who blithely or apathetically operate vulnerable systems? “Scare briefings” that show how a portion of the power grid can be brought down with a simple ping sweep have achieved the same status as crying wolf.
Everyone knows these problems are there, but I think the real question is “When will an outage cost enough money to justify the investment to fix the problem?” Bearing in mind that the organizations protecting our nation’s infrastructure are answerable to their shareholders, not the government and not you or me, what does it take to get vendors to produce secure devices or industries to use these devices in secure ways?
After all, untrimmed trees and a software bug shut off power to 55 million people in 2003. Eleven people died, over $6 billion was lost, and yet we’re still chasing the solution.