Stop saying 'cyber Pearl Harbor'
The Japanese surprise attack on Pearl Harbor in 1941 has captured the imagination of wonks with a predilection for predicting future calamity unless the government takes immediate steps to change some aspect of its policy.
There are many "X-Pearl Harbors" out there. A space Pearl Harbor. An energy Pearl Harbor. But probably none is as common as the cyber Pearl Harbor. Sen. Lindsey Graham (R-S.C.) easily led Defense Secretary Leon Panetta into agreeing that the United States faces the possibility of a "cyber Pearl Harbor" only this week, during a June 13 hearing of the Senate Appropriations subcommittee on defense.
"Technologically, the capability to paralyze this country is there now," Panetta said. "There's a high risk," reported FCW.
The thing about prophets is that they may be Cassandras--doomed to be right but unheeded--or they might be guy in Times Square proclaiming that the end is nigh.
To shed some light on how deeply we should actually be worried about a cyber Pearl Harbor, I decided to look for when the term came into prominence, using the Nexis database in order to draw some conclusions about what type of prophets predictors of a cyber Pearl Harbor are: Cassandras, or doomsday criers.
The earliest public reference appears to be in a June 26, 1996 Daily News article in which CIA Director John Deutch warned that hackers "could launch 'electronic Pearl Harbor' cyber attacks on vital U.S. information systems."
The next month, then-Deputy Attorney General Jamie Gorelick told the Senate Governmental Affairs permanent subcommittee on investigations that "we will have a cyber-equivalent of Pearl Harbor at some point, and we do not want to wait for that wake-up call," according to the Armed Forces Newswire Service.
Thereafter the term appears to have gone into a hiatus, apart from some offhand or derivative references to the original sources cited above. But, not to worry, Sen. Sam Nunn (D-Ga.) used it again in the spring of 1998, being quoted in a March 19 South Bend Tribune article warning that "We have an opportunity to act now before there is a cyber-Pearl Harbor...We must not wait for either the crisis or for the perfect solution to get started."
Sen. Jon Kyl (R-Ariz.) soon did his Senate colleague one better in terms of warning of the gravity of a cyber Pearl Harbor by telling a June 10, 1998 meeting of the Senate Judiciary subcommittee on technology, terrorism and government information that as an analogy, Pearl Harbor "doesn't really work to describe the real danger that we face today." He thought Pearl Harbor was too tame a reference.
At this point, it appears the term started assuming the ubiquity it has today. "The threat of an electronic Pearl Harbor or the threat of cyber-terrorism…is clearly one that's getting increasing attention in this building and throughout the government," said Pentagon spokesman Kenneth Bacon during a Dec. 16, 1998 press conference.
But, based on the Nexis sample, it wasn't until after 9/11 that things got really rolling. "America's next Pearl Harbor, many experts predicted, would be a cyber-attack, a high-tech strike on the nation's critical computer systems, such as those controlling power grids or financial networks," said the Oct. 1, 2001 edition of the San Jose Mercury News, in a news story that could have appeared, verbatim, this week.
After that, the tempo appears not to have let up. There's then-Rep. Tom Davis (R-Va.) in the March 16, 2004 National Journal Technology Daily being quoted as stating that "computer viruses and other malicious activities by hackers create the 'potential for a cyber Pearl Harbor.'"
Here's a Jan. 26, 2006 Chattanooga Times Free Press article noting that former counterterrorism official Richard Clarke has been widely warning "about a potential 'digital Pearl Harbor' where terrorists use cyber attacks to shut down power grids and communication networks and damage nuclear plants and oil refineries."
And just to bring things in to more recent times, here's Rep. Jim Langevin (D-R.I.) in a Feb. 11, 2011 meeting of the House Armed Services subcommittee on emerging threats and capabilities stating that Leon Panetta (again!) "testified that cyber threats to our critical infrastructure had the potential to be the next Pearl Harbor, and I agree, and remain unconvinced that we have the abilities or the authorities to stop a large-scale cyber attack."
Of course, just because a prediction was wrong before doesn't mean it's wrong now. The fact that warnings of a cyber Peal Harbor made every year since 1998 (and sporadically before then) didn't come true in the days, months, years--or decades, by now--after they were uttered doesn't mean that some calamitous digital strike doesn't await us all.
But I believe it's unlikely. First, urgent warnings repeated urgently every year must necessarily lose some urgency after they fail to warn of real happenings. That's unavoidable.
And, arguably, all the warnings worked! So many people cried "cyber Pearl Harbor" that we took sufficient steps to prevent that possibility. People, this time, took Cassandra at her word! Of course, that's entirely the opposite of what people who utter the phrase intend. (I think it's true that we're more secure now than in the past, however.)
Another scenario is that our post-9/11 fears led us to turn the specter of a surprise attack and project it onto every conceivable attack vector. Cyberspace, already the source of pre-9/11 fright, became the supercharged vessel of the sudden vertigo we experienced as a society after finding out that all our advanced but open systems could be turned against us. Cyberspace is good for this sort of thing because hackers have always taken advantage of the open architecture of the Internet and because cyberspace is pervasive yet mysterious for most people. Doomsday predictions about it are in its very base. 9/11 just put them on steroids.
What "cyber Pearl Harbor" criers forget is that attacks on the scale of a Pearl Harbor occur within a political context. Japanese militarism was no secret in December 1941. Moreover, the Japanese attack had a certain strategic logic to it. A cyber attack that would attempt to wrack the equivalent damage on American soil, whether on civilian or military infrastructure, won't occur outside the bounds of a conflict that's also pursued in nonvirtual arenas, and it won't occur unless the attacker can calculate that the advantage will outweigh the assured furious U.S. response (that's a gamble the militarist government of Japan took, and lost).
The Pearl Harbor analogy breaks down, not--as the hyperbolic Kyl would have it--because it's not sufficiently threatening, but because nobody can reasonably say who the Japanese are in the analogy. In fact, given the recent revelations that the federal government had a big part in crafting the Stuxnet, Duqu and Flame worms, they're hard pressed now even to explain why we shouldn't be considered the Japanese.
The only thing cries of "cyber Pearl Harbor" really add up to are expressions of badly articulated fear. Put it on a poster and wave it in Times Square. Or yet better, retire it. - Dave