The Myth of a Cyber Pearl Harbor

By Daniel Mathis '23; Image by Reuters 

In 2012, then-Defense Secretary Leon Panetta warned of a “Cyber Pearl Harbor.” This warning
served to heighten hysteria over the possibility of a large-scale cyberattack that would threaten
both life and critical infrastructure. However, when considering the danger of cyberattacks, a
“Cyber Pearl Harbor” should not be the primary concern of policymakers and citizens alike.
While theoretically possible, a cyber Pearl Harbor-style attack is highly unlikely and distracts
from the more credible cyber threats.

In talking about a cyber Pearl Harbor, it is important to be specific about what the Attack on
Pearl Harbor actually entailed. The Attack on Pearl Harbor was a surprise attack on US soil that
resulted in the deaths of over 2,000 people and the damage or destruction of 19 ships. To meet the
threshold of a cyber Pearl Harbor, an attack would have to result in substantial disruption of
physical infrastructure that creates massive economic disruption/damage, threatens the safety of
Americans, and/or disrupts daily life for a substantial period of time. These sorts of attacks are
far more difficult and expensive to pull off than attacks that are contained to internet and digital
information technology systems.

At this time, there have been no known attacks on the scale of a cyber Pearl Harbor, and the few
known attacks that have disrupted physical infrastructure have had limited effectiveness.
Furthermore, only great powers have been able to carry out these attacks. This is because
attacks on critical infrastructure usually require intelligence and espionage capabilities in
addition to cyber capabilities. Industrial control systems are rarely connected to the broader
internet, and therefore launching an attack requires both intelligence to design the attack and
some form of espionage capability to deliver the attack.

Attacks such as the US/Israeli Stuxnet attack and Russia’s 2014 and 2015 attacks on Ukraine’s
power grid came at great financial cost to the attackers with few lasting consequences for the
victims. According to an analysis by Cornell professor Rebecca Slayton, the Stuxnet attack cost
the US and Israel significantly more to develop than it cost Iran to resolve, and at most delayed
Iran’s nuclear program by three months despite being in development for years. Meanwhile,
Russia’s attacks on Ukraine’s power grid were only able to shut off power for six hours.
Furthermore, Russia has not been able to replicate the attacks during the current conflict.

This highlights another important fact about cyber attacks. Cyber attacks are often
non-repeatable. Cyber attacks typically involve exploiting a vulnerability. Once the vulnerability
is exploited and the attack is discovered, the vulnerability is typically patched, rendering the
attack useless. This means a country must find a new vulnerability every time it wants to launch
an attack. Developing an attack takes time, and in that time the vulnerability can be patched
without the attackers’ knowledge, again rendering the attack futile.

There have been two known deaths attributed to cyber attacks to date. Both involved
hospital patients undergoing treatment who died when care was disrupted by ransomware
attacks. However, there are no known cases of deaths directly attributable to cyber attacks
launched by state actors. If a Pearl Harbor-style cyber attack were ever to take place, it likely
would be employed by Russia, a known cyber power, during the current conflict in Ukraine.
However, there is no evidence that such an attack has been successfully launched. Instead,
Russia’s cyberattacks have been characterized by a series of brief disruptions to internet service
and communications in Ukraine affecting both civilians and the military alike.

These are the sorts of attacks that we need to be more worried about, as attacks on internet
service, communications, and services connected to the world wide web are far more likely than
attacks on infrastructure control systems that are not connected to the broader internet. This is
not to say that we should not still prepare for a cyber Pearl Harbor and harden critical
infrastructure as much as possible, only to point out that we should not get distracted from the
more realistic threat of internet/communications attacks and focus only on sensational but less
realistic attacks such as a cyber Pearl Harbor.
