On the night of Oct. 11, Defense Secretary Leon Panetta stood inside the Intrepid Sea, Air and Space Museum, housed in a former aircraft carrier moored at a New York City pier, and let an audience of business executives in on one of the most important conversations inside the U.S. government.
He warned of a “cyber Pearl Harbor,” evoking one of the most tragic moments in American history, when Japanese bombers unleashed a devastating surprise attack on a U.S. naval base in Hawaii on Dec. 7, 1941, killing 2,402 Americans and wounding 1,282 more. President Franklin D. Roosevelt called it “a date which will live in infamy” as he asked Congress for a declaration of war.
Sixty years later, another surprise attack killed almost 3,000 people when al-Qaeda terrorists flew two jetliners into New York’s twin towers. Panetta cited the Sept. 11, 2001, strikes, too, warning that the United States is in a “pre-9/11 moment,” with critical computer systems vulnerable to assault.
We all know what an act of war looks like on land or sea, and by evoking two of the most searing attacks in our modern history, Panetta was trying to raise a sense of urgency about the threat in a new domain made of bits and bytes zinging between servers around the world.
But what does an act of war look like in cyberspace?
And perhaps more important, what does the U.S. government do when cyberattacks fall short of that — assuming it can identify the perpetrators in the first place?
What about something like Shamoon, the nickname for a virus that wiped data from 30,000 computers at Saudi Arabia’s state-owned oil company in August, affecting business operations for two weeks? Panetta called that assault, along with a similar strike on Qatar’s RasGas, “probably the most destructive attack” on the private sector to date. Another U.S. official declared it a “watershed” moment, beyond the troubling but all-too-familiar thefts of data and disruption of Web sites.
Unlike the Japanese planes at Pearl Harbor, the virus had no telltale markings that gave away its origins. The U.S. intelligence community has privately concluded that the invader was sent by Iran, though some security experts outside the government say they have reason to believe that Iran was not the perpetrator.
If Tehran is responsible, what was its motive? In the view of intelligence officials, it was striking back for sanctions; for the Saudi kingdom’s implicit support for an oil embargo; and for the damage done to Iran’s nuclear program by Stuxnet, the nickname for a cyber-sabotage campaign by the United States and Israel to slow the country’s pursuit of a nuclear weapon by damaging almost 1,000 uranium-enrichment centrifuges.
The Shamoon attack on Saudi Aramco did not cause enough physical damage to rise to what international law experts call an armed attack. But what if something like it happened to several energy companies in the United States and it could be traced conclusively to a foreign government or a terrorist group? How much damage, pain and fear would need to result before national security officials would say, “We can’t let this go unanswered”?
If government officials have reached a consensus on those questions, they’re keeping it to themselves.
Welcome to the new world of “drip, drip cyber attacks,” in the words of Tufts University law professor Michael J. Glennon. The nature of cyberspace, he says, creates the potential for “a mysterious airliner accident here, a strange power blackout there, incidents extending over months or years,” generally “with no traceable sponsorship.”
Japan’s attack on Pearl Harbor was a direct assault on a U.S. military installation. But much of the nation’s critical computer networks belong to the private sector. The companies that provide transportation, water, telecommunications and energy could become targets for adversaries bent on destruction. That simple fact has led to a complicated set of questions for policymakers responsible for the nation’s security.
Should the U.S. government step in to prevent a destructive cyberattack, if it can see one coming, aimed at the private sector? If not, and such an assault is successful, when should Washington retaliate and how, assuming the attack can be conclusively traced to another nation or to a terrorist group? When should the government make preemptive use of cyberweapons to alter a state’s agenda or behavior?
If a major cyberattack happened — a computer virus knocking out air traffic control, for instance, and sending planes crashing to the ground — the president and the National Security Council would focus first on what type of response would be proportionate, justified, necessary and in the U.S. interest. It might be a military response. It might be a cyber-response. It might be naming and shaming the attacker before the United Nations. It might be imposing sanctions. It might be no response at all.