Digital attacks on critical infrastructure are occurring at a pace that is overwhelming defenders, yet not alarming the public enough to push for greater accountability in the defense of hospitals, schools, and energy distributors. For over a decade, some experts have tried to use analogies of unprecedented attacks on the United States to galvanize policymakers into action. But the similarities between these single tragic events and ongoing cyber attacks are few, and today’s attacks have reached crisis level. Policymakers should not wait for a cyber 9/11 or digital Pearl Harbor before making an immediate change in U.S. cybersecurity investment strategy and international deterrence doctrine.
In an effort to connect looming digital threats with an unforgettable physical attack, there have been calls to prepare for and prevent a “cyber 9/11.” It is quite a stretch to find commonalities between crashing hijacked planes into buildings and shutting down a pipeline due to ransomware. September 11th was quite different: it was an acute series of coordinated attacks resulting in massive civilian casualties, orchestrated by an adversary motivated by ideology and harbored by a cooperative government. Recent cyber attacks have been different. In response to the gas pipeline attack, the nation didn’t shut down all U.S. pipelines for fear of follow-on attacks like it did for air travel on 9/11. Similarly, the Federal government didn’t spin up a new cabinet-level agency with broad-reaching law enforcement authorities in response to a meat-processor halting operations. These attacks on digital infrastructure didn’t galvanize the social collective in the United States and launch a 20-year war on the perpetrators. No, Colonial Pipeline voluntarily stopped selling gas because it couldn’t bill customers, and JBS quickly resumed operations. Both companies paid the ransom, and the attacks quickly faded from the public consciousness.
“Digital Pearl Harbor” is another well-intentioned but misguided analogy that is used to motivate reluctant lawmakers into action. However, the current scenario is disconnected from what actually happened in 1941: Hawaii was a remote territory far from most Americans, nearly all of the casualties were military personnel, and allies of the United States were already at war with Japan and its allies. Only a small number of nation-states were even capable of launching such an attack. Contrast that with the United States’ adversaries today. State and non-state actors have access to cyber arsenals that are orders of magnitude more capable than traditional weapons. They are no longer bound by geography and the logistical challenges associated with the movement of troops and equipment. They can target any critical infrastructure sector in any region, state, or city from any location with an Internet connection. Thus far remote cyber attacks have stopped short of triggering an immediate catastrophic loss of life likely, since it would trigger a significant kinetic response by the U.S. military. There is no need for an adversary to conduct a “digital Pearl Harbor” attack because inducing considerable suffering and wide-scale panic on a large population is possible without actually killing a single person.
We don’t have to wait for analogs of historical scenarios that are unlikely to happen when we can examine present-day attacks or pay attention to experts who have been ringing the alarm about vulnerabilities in critical infrastructure like industrial control systems and medical products for years. The Cybersecurity and Infrastructure Security Agency recognizes that failure of imagination was a key lessoned learned from the 9/11 attacks and offers resources to help organizations prepare for horrifying potential scenarios. The outcome of those exercises often leads to the same conclusions: the United States needs to invest more in cybersecurity, and the international community must establish cyber norms that codify the escalation of force. Unfortunately, there is a disconnect when it comes to policymakers prioritizing and funding those needs that public and private sector network defenders clamor for.
The views expressed in GMF publications and commentary are the views of the author alone.