'Cyber Pearl Harbor': Could future cyberattack really be that devastating?
On the 71st anniversary of "a date which will live in infamy," the United States faces the possibility of an updated digital version of that threat – a "cyber Pearl Harbor."
That's according to Defense Secretary Leon Panetta, who in an October speech warned of a "cyber Pearl Harbor" threat and the need to bolster America's cyberdefenses. Also, in the 2010 book “Cyber War,” former White House counterterrorism adviser Richard A. Clarke warns of an "electronic Pearl Harbor."
Cyberattacks on US critical infrastructure like the water supply or power grid "could be a cyber Pearl Harbor – an attack that would cause physical destruction and the loss of life," Secretary Panetta argued in his speech. "In fact, it would paralyze and shock the nation and create a new, profound sense of vulnerability."
As an imagistic catchphrase, "cyber Pearl Harbor" is an emotionally evocative term for Americans. The Japanese surprise attack on Dec. 7, 1941, killed 2,402 and damaged or sank 18 ships including five battleships, effectively burning its memory into the national psyche.
But could anything in the digital realm today really be as horrific or stunning to the US as the Pearl Harbor bombing was? Or is using that charged phrase just saber rattling to build up defense budgets, as many experts and non-experts contend?
"I do think it's a genuine concern," says Stewart Baker, a lawyer and former senior official at the National Security Agency and the Department of Homeland Security. "I'd love to think it's overstated, but that view is supported more by wishful thinking than by analysis. If you judge adversaries by capabilities rather than intent, there's no doubt that anyone with a really strong cyberespionage capability can cause something that will feel like a cyber Pearl Harbor."
Some others aren't so sure that the world is full of big adversaries with substantial cyberespionage capabilities. In an article in Foreign Policy magazine headlined "Panetta's wrong about a cyber 'Pearl Harbor,' " John Arquilla says it's the "wrong metaphor."
"There is no ‘Battleship Row’ in cyberspace," writes the professor of defense analysis at the Naval Postgraduate School in Monterey, Calif. "Pearl Harbor was a true ‘single point of failure.’ Nothing like this exists in cyberspace."
The logic behind creating the Internet, he says, was to ensure continued communications even after a nuclear war. Resilience is a key idea that shaped the structure of cyberspace, he says. Still, he's not entirely sanguine:
"Our armed services, increasingly dependent upon their connectivity, can be virtually crippled in the field by disruptive attacks on the infrastructure upon which they depend – but which are not even government-owned," he writes.
Still others say the whole concept is overblown.
"Digital Pearl Harbor is just a funding term, a way to get money for military and cybersecurity budgets," says John Robb, a former Air Force pilot who served in Special Operations Forces and is author of "Brave New War" about new modes of warfare. "It has no real relevance because we still live in a world dominated by nuclear weapons."
There are also those who say the cyber threat is quite real, but they don't much like the “cyber Pearl Harbor” term.
"When people started talking about a cyber Pearl Harbor, the general rule is to wildly overestimate the ability of hackers to turn America into a Stone Age economy," says James Lewis, a cybersecurity expert with the Center for Strategic and International Studies in Washington. "It's hard to think of any scenario in which you could kill a lot of people in a cyberattack. So that part of the analogy doesn't make sense."
But the other part of the analogy – the sneaky part – does make sense, he says.
"It's not hard to imagine a surprise cyberattack for which we are unprepared, which I think is why some people continue to use the phrase," he says. "With Pearl Harbor, there was plenty of warning it was coming – and military commanders didn't do much. If we were in a tense situation with China today, it might make the analogy more credible. They might try to launch a surprise cyberattack."
Even so, he says, it "would be nice if the phrase went away, but it seems to be stuck."
A few years ago, a cybersecurity group that Mr. Lewis meets with held a contest with a free pizza dinner for anyone who could think of a better term. "Digital Dunkirk" and a few other alternatives were offered, but none won much support.
"If some nation takes down the US power grid, that will certainly disrupt Americans' lives, but it might also galvanize action – which would be the same strategic blunder made by the Japanese," Lewis says. "I don't know. Maybe we'll have to revive the [naming] contest."