The Cyber-Pearl Harbor Threat
The next major attack on the U.S. may not involve bombs and guns, but instead be a “Cyber-Pearl Harbor.”
It sounds like a disaster movie scenario: you wake up one morning and realize the power is out. Calls to the electric company are out. You think the power will come back soon, and life goes on for the first few hours. But then nothing happens, and panic begins to set in. Critical systems at hospitals and corporations begin to falter. Finally, news trickles in: hackers have taken down public utilities, like the electrical grid, water and gas.
That sounds like an apocalyptic drama series, but government officials warn it isn’t a far-fetched scenario. In fact, Defense Secretary Leon Panetta said foreign computer hackers have the power to disrupt the nation’s vital systems, which can lead to that frightening situation. He urged regulators to take control and not wait for disaster to strike. Despite the warnings, however, the U.S. political system and bipartisan bickering is preventing the issue from becoming a top priority.
A Real Threat
“An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches,” Panetta said. “They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”
Senators plan to bring cybersecurity legislation back for discussion in November. The Cybersecurity Act of 2012 had been under debate but senators rejected it outright in August. Meanwhile, the threat of a cyber-attack looms, and Congress is the only entity that can approve tools to help defend the country against the threats.
Panetta, speaking at the Intrepid Sea, Air and Space Museum in New York, said nations such as China, Russia, Iran and militant groups are increasingly aggressive and tech-savvy. The Pentagon agreed he’s not too far off base, and a wave of cyber-attacks on banks have hindered their ability to conduct business online. Government officials say cyber-terrorists can hack into power grids, water supplies and more, creating potentially deadly situation.
Partisan Politics Hinder Cyber-Security Legislation
Sen. Harry Reid (D., Nev.) plans to re-introduce cybersecurity legislation in November, after a group of Republicans, led by Sen. John McCain, blocked the act due to its cost to corporations.
Critical private-sector companies, such as power plants and water treatment facilities — not to mention banks — would have to make significant, expensive changes to defend their computers from attack, and McCain and the other senators agreed with the U.S. Chamber of Commerce that forcing companies to change will be too difficult and costly.
Backers of the bill say the government needs to require reporting or nobody will comply. Opponents, meanwhile, claim companies shouldn’t be forced to show private records. But Panetta said businesses are too vulnerable without Congressional action.
“The fact is that to fully provide the necessary protection in our democracy, cybersecurity must be passed by the Congress,” he asserted. “Without it, we are and we will be vulnerable.”
Other Government Options
President Barack Obama is increasingly hawkish about the threat of a cyber-attack. He pushed Congress to pass legislation and toughen up the laws to protect vital computer systems. In an op-ed to the Wall Street Journal, he said, “We need to make it easier for the government to share threat information so critical-infrastructure companies are better prepared.” He added data sharing isn’t enough, since businesses still need to fill security gaps.
With legislation on hold, Obama is weighing an executive order that forces businesses to share cybersecurity data. But a presidential decree is only a temporary fix, and private industry won’t comply unless required to by law.
“I’m not sure they’re going to volunteer if they don’t feel that they’re protected legally in terms of sharing information,” Panetta said, “so our hope is that ultimately we can get Congress to adopt that kind of legislation.”
The Cybersecurity Act will be difficult to pass, especially after the general elections. Leadership positions in the House and Senate are up for grabs, and a Republican majority will agree with McCain that a cyber-security bill would cost businesses too much.
Even Reid, who championed the legislation, is up for reelection, and if he’s defeated, he’ll be a lame duck lawmaker with little power. Furthermore, if Republican presidential nominee Mitt Romney wins in November, Obama’s cyber-security decree may not even be enacted.
Romney has said he plans to make cyber-security a top priority. And if elected, he’ll form a cyber-security strategy to deter and defend against cyber-attacks. Then he’ll decide how to carry it out. But backers are worried because his statements don’t mention Congressional action. So it’s possible Romney — with his years of experience in the private sector — will agree with fellow Republicans and say legislation is too heavy-handed on innovation.
Panetta, though, insists legislation doesn’t mean a too-heavy government in business matters. But he claims since safety is at stake, companies need to open up their servers and share information, codes and more.
“We’re not interested in looking at e-mail, we’re not interested in looking at information in computers, I’m not interested in violating rights or liberties of people,” Panetta told the New York Times. “But if there is a code, if there’s a worm that’s being inserted, we need to know when that’s happening.”
Going On the Offensive
Officials, including Panetta, are careful not to imply the U.S. will conduct attacks of its own. Instead, they’ll focus on legislation that will define the Pentagon’s ability to defend the vital infrastructure.
But the U.S. has conducted cyber-attacks on its adversaries, such as the notorious Flame and Stuxnet viruses that crippled Iran’s uranium enrichment program as part of its “Olympic Games” initiative. The attacks began during former President George W. Bush’s administration and Obama decided to accelerate them in the early part of his own administration.
Panetta also conceded it may not even be able to prevent cyber-attacks by beefing up defenses alone, and offensive action may need to be taken to keep the U.S. safe.
“If we detect an imminent threat of attack that will cause significant physical destruction in the United States or kill American citizens, we need to have the option to take action against those who would attack us, to defend this nation when directed by the president,” he said. “For these kinds of scenarios, the department has developed the capability to conduct effective operations to counter threats to our national interests in cyberspace.”
Pentagon officials said the U.S. could take preemptive action on cyber-attacks, or launch retaliation attacks for hacks on American targets. The agency developed a cyber-warfare protocol, and said certain cyber-attacks constitute acts of war and merit military retaliation.
Can Congress Agree on Action?
On both sides of the Congressional aisle, Republicans and Democrats agree of the growing cyber-threat. But the fine line to draft, pass and enforce legislation — and balance the need to protect the U.S., private business and personal privacy — is a high hurdle to jump over.
Republicans aren’t the only ones against the Cybersecurity Act either, and others will join the protest. Privacy advocates such as the ACLU, Electronic Frontier Foundation, Mozilla Foundation — the creators of Firefox — and Tim Berners Lee, one of the founders of the Internet, are all concerned that a Congressional act will give the government too much access to information on private citizens.
But without increased security — either by federal law or presidential decree — a growing number of voices are concerned the Internet’s freedom may lead to deadly, world-changing assaults on the U.S. But lame-duck legislation may put cyber-security on the back burner — a victim in a slow-moving political process, which opens up the country to enemies that take advantage of indecision.
