Again the other day, another of our government cyber leaders delivered the usual canned speech about how we must increase our defenses – read expand budgets/personnel – to defend ourselves against an “electronic Pearl Harbor.” And so, once again, the muscles in the back of my neck begin to stiffen wondering when they are going to stop saying this and if, some day, they will arrive in the 21st century. Cyber attacks – they are not wars – are not about total destruction but death by a thousand cuts.
Ok, first things first. A little history lesson. Pearl Harbor took place 70 years ago in the middle of the machine age. Second, we had no intelligence system set up to detect comprehensively the threat presented to us by the Japanese Empire. Third, we had no effective deterrence against the attack even if we had some advanced warning it was going to launched. And, finally, Pearl Harbor was a failure for the Japanese. It damaged us severely; it did not knock us out of the war or cause us to sue for peace. Also, please note who won that war. Please also think carefully about the tons of effort we are currently putting into cyber – detection, attack and prevention. The analogy simply does not hold.
Now, I do understand the concerns we have over unexpected cyber attack. Lord knows, everyone seems to want to play in the new Wild West. We have nation-states (Russia/North Korea), non-nation states (Al Qaeda and affiliates), and we even have Cyber Groups (Anonymous and the Lulzs) playing vandal and destroyer. And the damage they cause is real. But we need to get some sense of what that reality is to develop an effective policy. Think less Pearl Harbor and more (perhaps a politically incorrect term) Indian Wars.
The range of attack within the new Cyber World has ranged from vandalism (DDOS attacks) to massive stealing of personal information to temporary blockage of systems. This is nothing to laugh at when dealing with billions of dollars of commerce and plenty of leaked secrets. The Chinese and others seem to be developing the capability to “blind” temporarily our information systems in the event of real war (with real bombs.)
So let’s start thinking of cyber attack as an adjunct to the real nasty wars where people are killed. When we fight wars, they are done on land, sea, space and air. We have simply added another dimension of attack and a whole bunch of new players – many of whom can only attack in this one dimension.
In comparison to the other dimensions, cyber attacks on helpless wagon trains and the lonely outposts. The resources and strategies we need to deal with this are not found in the world of iron bombs but of subtle tactics and new thinking. Thinking about a world without borders. Thinking about world where there is no separation between public and private interests. Thinking about a world that needs to get serious about spending on security. And remembering that these are manageable if challenging problems.
So, please let Pearl Harbor be. It was of another time and place and does not apply to where we are today.