The Cyber-Warfare Dilemma
U.S. Defense Secretary Leon Panetta called attention to a “Cyber Pearl Harbor.” The catchphrase summarizes what officials have said for some time now: foreign computer hackers are growing increasingly powerful in their ability to disrupt the nation’s vital systems.
Pearl Harbor conjures up images of planes streaking across the morning sky, sinking ships and scrambling soldiers and airmen, all framed by those incongruous palm trees. But a massive attack on a centralized fleet sitting in the Hawaiian harbor isn’t the best comparison. “Nothing like this exists in cyberspace,” said John Arquilla, a defense analysis professor at the Naval Postgraduate School. Instead, another World War 2 event provides a better metaphor for understanding cyber-threats and how to prevent them: the menacing attacks of the German U-boats, which bombed points up and down the Eastern coast.
Early on, German U-boats successfully attacked seaboard cities, in part because President Franklin Delano Roosevelt decided not to order a blackout of the blazing lights that dotted the skyline. The bright illumination created a helpful backdrop for the Germans to see their targets and aim with precision. But even after significant damage, businesses shied away from blackouts, fearing they would hurt their recovery from the Great Depression. As a result, the Germans sank over a million tons of cargo, hurting businesses directly. The strategy to keep the harbor lights on proved unsuccessful, and by mid-1942, the U.S. moved to black them out, curbing the German U-boat threat.
Today’s e-threats, Arquilla claims, are similar to the harbor lights event, and in analyzing the vulnerabilities of the German strategy, we can find solutions to a cyber-war threat for the future.
The Threats
Think of cyberspace as blinking lights that need protecting. What are the threats? Everything. In movies, hackers trigger exploding oil refineries, knock out power grids and crash planes without air-traffic control guidance. In reality, attacks are not that spectacular, but the threats are still very disruptive. Most hacks from outlaw groups like Anonymous are criminal, and serious threats are often backed by nation-states like China.
The Internet, frankly, has too many targets to protect. Cyber-criminals target financial institutions like Citigroup and the IMF, infiltrate Sony and Gmail and hack into the Pentagon, FBI and Congress. Breaches cost hundreds of billions of dollars in stolen R&D, and according to the NSA, hackers plan to attack national utilities and infrastructure next. The Pearl Harbor metaphor, where only a few big bases are targets, isn’t accurate today. Everything is well-lit and vulnerable to all types of attacks, so an offensive plan, like the one the U.S. outlined in its cyber-warfare response, is the wrong way to approach the problem.
The Failed Response
As in WW2, the harbor lights of cyberspace remain blazing because legislators and military experts fear security measures are too difficult and costly to carry out. Why can’t they just protect everyone without blacking out the lights? For that to happen, they need to coordinate utilities, businesses, privacy security experts and privacy advocates to fortify a universal defense. That’s akin to working with every citizen to build an interlocking shield: it’s impossible.
Political leaders haven’t been able to build a consensus on a strategy. For example, in August, President Barack Obama published an op-ed imploring Congress to pass the Cyber-Security Act of 2012. “Ultimately, this is about security gaps that have to be filled,” he said, highlighting the need for increased vigilance to protect national security. “We need to make it easier for the government to share threat information so critical-infrastructure companies are better prepared,” he added, emphasizing the need for collaboration. Unsurprisingly, the bill fell victim to partisan in-fighting, even after undergoing several major changes. The problem? Finding a strategy that all organizations can agree on and that assures civilian privacy rights, too.
Lawmakers, meanwhile, are looking at separate proposals like the Cyber-Intelligence Security Protection Act, or CISPA, to beef up critical infrastructure. But again, using the Pearl Harbor analogy, it only protects a few critical bases. Hackers need only to hit the countless other less-critical targets that aren’t protected.
What about striking first? Maybe, but a wide-ranging strategy is needed, including the ability to ferret out the origin of the attack and the power to retaliate to deter future cyber-attacks. The fact is, digital terrorists dwell in a virtual ocean too deep to proactively strike. Simply trying to find them, or detect their fingerprints, is problematic. And hackers use increasingly sophisticated tools to cover their tracks and stay, as the hacker group is called, anonymous.
A Way Forward
According to the Economist, cyber-threats can be lumped into one of five categories: strategic cyber-war, or direct attacks on an enemy’s civilian infrastructure; cyber-espionage, which gives a digital facelift to age-old intelligence techniques; cyber-disruption, such as the distributed denial-of-service attacks that briefly overwhelmed Estonian state, banking and media websites in 2007; and cyber-terrorism.
Instead of going on the attack, a defensive stance — turn off the lights, so to speak, and “black out” sensitive cyber-targets — is needed. Basically, turning off the lights is a lot easier than hunting down U-boats on the bottom of the Atlantic. Or said another way, playing defense is sometimes easier than offense, but it starts by changing the approach to the problem. Playing defense makes strategic and economic sense too. Every time the U.S. creates a virus for cyber-sabotage, hostile countries or rogue agents can create copycat programs, heightening the risk. In that climate, having a robust defense system is as crucial as boosting cutting-edge digital weapons.
In the year ahead, governments may not forget Pearl Harbor, but remembering the harbor lights is just as important. Taking a page from history won’t stop every breach, but changing the approach to cyber-warfare will help turn the tide in a digital war with hidden enemies.