For the past few years, US officials have warned of a coming mega cyber attack against critical infrastructure, something akin to the Japanese attack on Pearl Harbor in 1941. The threat of a looming “Pearl Harbor” was reiterated last year by then Defense Secretary Leon Panetta, who painted a dark portrait of passenger trains sent careening off the tracks and poisoned water supplies, thanks to hackers.
Press articles and opinion pieces followed suit with doom-laden headlines like The Gathering Cyber Storm, Is America Prepared for a Cyber Pearl Harbor? and The Looming Certainty of a Cyber Pearl Harbor.
What form such an attack might take depends on who you talk to: many experts have pointed to physical destruction that could be wrought by a cyber attack, such as a virus programmed to take down the power grid, sinking whole cities into blackness. Or, the attack could be financial rather than physical, such as a coordinated intrusion on banks that brings the economy to a crashing halt, like what happened on a smaller scale in Estonia in 2007 (major banks have already staged drills against a possible attack).
Yet for all the talk, and warnings, no attack of that magnitude has taken place on the United States, at least not yet. So it is logical to ask whether the rhetoric is being exaggerated. After all, if a determined enemy had the opportunity to carry out such an attack, why wouldn’t they have done so by now?
Some officials are now beginning to tone down the warnings. “We judge that there is a remote chance of a major cyber attack against US critical infrastructure systems during the next two years that would result in long-term, wide-scale disruption of services, such as a regional power outage,” James Clapper, the director of National Intelligence, told the US Congress earlier this year. “It’s not in the realm of anything we’ve seen to date,” said James Caulfield of the Advanced Cyber Security Center in Boston earlier this week. “It would take as much effort to truck in a bomb.”
Here are some reasons why a cyber Pearl Harbor hasn’t happened yet, and possibly never will:
Cyber weapons don’t always work
When Stuxnet, a virus targeting Iran’s nuclear enrichment facilities, was first revealed in 2010, it appeared to demonstrate that such attacks could actually destroy physical infrastructure, as opposed to simply disrupting or exploiting digital information and communication. The Stuxnet virus was specifically created to cause gas centrifuges used for enriching uranium to spin out of control and, in effect, self-destruct.
While touted by many as proof that cyber attacks could do vast damage, some have since questioned whether Stuxnet was really as successful as has been claimed. Earlier this year, Ivanka Barzashka, a research associate at the Centre for Science and Security Studies at King’s College London, published an analysis of Iran’s uranium enrichment capabilities, arguing that even if Stuxnet destroyed some of Iran’s centrifuges, it had a negligible impact on the countries capabilities. “Clearly, Stuxnet had the potential to seriously damage Iranian centrifuges, although there are many technical limiting factors to the malware's success,” writes Barzashka. “Public evidence of the Stuxnet's impact is circumstantial and inconclusive.”
In fact, she argues, the data available through the International Atomic Energy Agency demonstrates that Iran, notwithstanding the Stuxnet attacks, was able to increase its uranium enrichment, moving it potentially closer to a nuclear weapon.