A cyber Pearl Harbor?

Discussion of a cyberattack grave enough to be considered a new Pearl Harbor or even a 9/11 moment is now almost clichéd.

For example, in early 2011, then CIA chief Leon Panetta warned the House Permanent Select Committee on Intelligence that the next Pearl Harbor we confront could very well be a cyberattack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems.

A response to this threat has been the development of offensive as well as defensive cyber capabilities. The US has a large Government cyber security construct across civil and military agencies, including US Cyber Command’s Cyber National Mission Forces who, under the leaked US Cyber Operations Policy, have the authority to ‘defend the nation’ using both offensive and defensive cyber capabilities. In September, UK Secretary of State for Defence Philip Hammond announced that the UK will pursue the development of its own offensive cyber capabilities to deter would-be attackers and supplement conventional strike capabilities, as part of a £500 million expansion of military cyber personnel (at a time of deep cuts to UK defence expenditure). While not wanting to add more hyperbole to an already overheated discussion, a possible outcome of developments like this is something of a cyber ‘arms race’, as offensive capabilities solely developed as a deterrent to such an attack would also function as strike capabilities in their own right.

However, for most—if not all—countries, the concept of a ‘cyber Pearl Harbor’ isn’t a credible threat, being likely only as the opening moves of a major war—a situation few states are likely to face in the near term. And this kind of attack would be a tall order. To cripple critical infrastructure such as a power grid using cyber means, an attacker must covertly enter the network, map it to identify vulnerabilities, and develop malicious tools to subvert its control system/s. To conduct an attack on the scale of Panetta’s cyber Pearl Harbor, the attacker must do this on numerous networks, and then maintain access for long periods, possibly many years, across numerous diverse targets and likely in many countries. According to US Director of National Intelligence James Clapper, even the US considers the risk of such an event out to 2015 to be low.

While many commentators discuss the competitive advantage cyber capabilities offer weaker actors, in reality the massive intelligence effort required to cause destructive effects means that by far the most likely attackers in a cyber Pearl Harbor would be the military and intelligence services of a major state. Considering that, like in 1941, the victim would likely retaliate in the physical realm as well as cyberspace (if so equipped), this sort of attack makes little sense other than as a precursor to a major armed attack, a scenario that is unlikely for Australia, and many other states, in the near term.

All states must balance their national security resources across many tasks, and identifying serious threats is just as important in cyberspace as it is in the physical world. Given that for most states the risk of a cyber Pearl Harbor scale event is significantly less than the hype, their thin resources would be better focused on raising the operational cost of already widespread espionage conducted on commercial and government networks, through implementation of resilient cyber security measures and policy. The lack of explosions means this activity attracts less attention than the possibility of a catastrophic cyberattack, but offers greater cost-benefit.

However, this doesn’t mean that the threat of attacks on critical infrastructure should be dismissed entirely. Poorly protected and older control systems will remain vulnerable for as long as their owners remain unaware of (or ignore) the risks. Access by malicious actors to critical infrastructure is largely preventable, and if basic security measures are implemented it can significantly raise the operational cost of these activities.

Basic security requires operators, often private companies, to implement more resilient cyber and personal security measures. For governments, overseeing or assisting with the implementation of these measures can be difficult due to private ownership of most critical infrastructure, but not impossible if Government cyber security providers and industry work to develop good relationships. Failing that, government regulatory mechanisms could be broadened to mandate adequate cybersecurity standards.

Cooperation between government and critical infrastructure operators would do more to reduce the risk of cyber incidents, from low level disruption up to a large scale attack, than the development of the tools to fight back under such conditions, freeing resources to focus on more likely threats in cyberspace rather than a potential cyber Pearl Harbor.

Post by the ASPI International Cyber Policy Centre.