For the past few years, US officials have warned of a coming mega cyber attack against critical infrastructure, something akin to the Japanese attack on Pearl Harbor in 1941. The threat of a looming “Pearl Harbor” was reiterated last year by then Defense Secretary Leon Panetta, who painted a dark portrait of passenger trains sent careening off the tracks and poisoned water supplies, thanks to hackers.
Press articles and opinion pieces followed suit with doom-laden headlines like “The Gathering Cyber Storm”, “Is America Prepared for a Cyber Pearl Harbor?” and “The Looming Certainty of a Cyber Pearl Harbor”.
What form such an attack might take depends on who you talk to: many experts have pointed to physical destruction that could be wrought by a cyber attack, such as a virus programmed to take down the power grid, sinking whole cities into blackness. Or, the attack could be financial rather than physical, such as a coordinated intrusion on banks that brings the economy to a crashing halt, like what happened on a smaller scale in Estonia in 2007 (major banks have already staged drills against a possible attack).
Yet for all the talk, and warnings, no attack of that magnitude has taken place on the United States, at least not yet. So it is logical to ask whether the rhetoric is being exaggerated. After all, if a determined enemy had the opportunity to carry out such an attack, why wouldn’t they have done so by now?
Some officials are now beginning to tone down the warnings. “We judge that there is a remote chance of a major cyber attack against US critical infrastructure systems during the next two years that would result in long-term, wide-scale disruption of services, such as a regional power outage,” James Clapper, the director of National Intelligence, told the US Congress earlier this year. “It’s not in the realm of anything we’ve seen to date,” said James Caulfield of the Advanced Cyber Security Center in Boston earlier this week. “It would take as much effort to truck in a bomb.”
Here are some reasons why a cyber Pearl Harbor hasn’t happened yet, and possibly never will:
Cyber weapons don’t always work
When Stuxnet, a virus targeting Iran’s nuclear enrichment facilities, was first revealed in 2010, it appeared to demonstrate that such attacks could actually destroy physical infrastructure, as opposed to simply disrupting or exploiting digital information and communication. The Stuxnet virus was specifically created to cause gas centrifuges used for enriching uranium to spin out of control and, in effect, self-destruct.
While touted by many as proof that cyber attacks could do vast damage, some have since questioned whether Stuxnet was really as successful as has been claimed. Earlier this year, Ivanka Barzashka, a research associate at the Centre for Science and Security Studies at King’s College London, published an analysis of Iran’s uranium enrichment capabilities, arguing that even if Stuxnet destroyed some of Iran’s centrifuges, it had a negligible impact on the country’s capabilities. “Clearly, Stuxnet had the potential to seriously damage Iranian centrifuges, although there are many technical limiting factors to the malware's success,” writes Barzashka. “Public evidence of the Stuxnet's impact is circumstantial and inconclusive.”
In fact, she argues, the data available through the International Atomic Energy Agency demonstrates that Iran, notwithstanding the Stuxnet attacks, was able to increase its uranium enrichment, moving it potentially closer to a nuclear weapon.
The metaphor is wrong
Part of the problem with a cyber Pearl Harbor is that although the threat is real, the particular metaphor may be flawed. Pearl Harbor was not just an unexpected and devastating blow to US military forces in the Pacific; once the attack took place, the military and the public recognised the threat. A significant cyber attack may not be so immediately crippling.
“The most pressing cyber threat is not likely to be a single, sudden attack that cripples the United States,” wrote Adam Segal, a senior fellow at the Council for Foreign Relations.
That is not to say the threat itself is overhyped, but the attacks may come in the form of cumulative damage done through stealing data or undermining confidence in the Internet. “These low intensity but disruptive attacks are increasing and can damage banking, transport, and communications systems,” Segal continues. “Over time, future attacks could become even more destructive as cyber weapons and capacities proliferate and as electricity, power, transport, and communications infrastructures become increasingly dependent on the Internet.”
It’s already happening
The most insidious part of cyber warfare may be that while people are looking for a monumental type of attack, they miss what is already happening. That, at least, is what some experts are arguing. Financial attacks happen on a daily basis, and there have been ongoing reports of targeted foreign attacks on American defence and aerospace companies. The government is also at direct risk: the Pentagon revealed it was the target of a massive 2008 cyber infiltration that officials linked to a foreign espionage agency.
In other words, the attacks are already happening, just not as a single event. “Today, the ongoing compromise of sensitive military information systems, the theft of intellectual property, and the recruitment of men, women, and children into zombie armies, all these pass largely beneath our levels of awareness,” wrote John Arquilla, professor of defense analysis at the US Naval Postgraduate School. “Cyberwarfare is a lot like [US poet] Carl Sandburg's fog, coming in on ‘little cat feet’.”