James Andrew Lewis: If someone refers to a Cyber Pearl Harbor, it is a sign they don't know what they are talking about
Terrorists don't have the capacity to commit a truly damaging cyber attack, Lewis says
Editor’s Note: James Andrew Lewis is a senior vice president with the Technology Policy Program at the Center for Strategic and International Studies. The views expressed are his own.
Earlier this month, the Pew Research Center released the results of a survey asking the citizens of 38 countries to name a major threat to their nation. This is the second of a special series of op-eds that also appear in Fareed’s Global Briefing looking at the top perceived threats among Americans.
The airplane brought a new technology to warfare, and in the 1930s, aerial bombardment was portrayed as unstoppable and catastrophic. Drop a few bombs, and citizens would panic and riot, governments would fall, and economies would collapse.
Sound familiar? Replace airplanes with cyberattacks and you get the same over-the-top predictions for hacking. It turns out, however, that catastrophe is hard to produce. Societies are resilient, and anything but a weak government will be resourceful in responding to an attack. In the case of aircraft, years of bombing typically only made people angry and stiffened resistance. People look for ways to retaliate. The same will be true for cyberattacks.
Nuclear weapons are the one exception to this, and Americans became used to thinking in terms of catastrophe and massive attacks during the Cold War. The Cold War reshaped our thinking in ways that distort our views of current threats. However, no cyberattack can match a nuclear weapon in effect. The concept of catastrophe has now been diluted to the point of absurdity. In 1990, say, catastrophe meant the deaths of tens of millions of people and the complete destruction of cities in less than an hour. Now, it means going without lights for a few days.
In fact, there have been very few truly damaging cyberattacks. Cybercrime and espionage occur on a daily basis, and a few countries use cyberattacks to coerce other states (like trying to interfere in an election). But there have been no deaths, and almost no destruction from a cyberattack.
A good way to think about this is the dreaded Cyber Pearl Harbor, sometimes modernized to Cyber 9/11. But if someone refers to a Cyber Pearl Harbor, it is a sign they don’t know what they are talking about. A Cyber Pearl Harbor, in which terrorists would use cyberattacks to cripple critical infrastructure, was first predicted 25 years ago – and it has never happened.
First, terrorists want something dramatic – they want bloodshed, and a cyberattack does not fulfill their sick fantasies. Second, terrorist groups do not have the capabilities required for launching a truly damaging cyberattack. Advanced cyberattacks require engineering skills and a blend of intelligence techniques. Terrorists typically use the internet for recruitment propaganda, not attack.
The fear of non-state actors launching crippling cyberattacks against critical infrastructures is a fantasy. Our most dangerous opponents are other nation states. They have the capabilities, the resources, and the intent to use cyber capabilities to attack the United States and its allies.
In this, the United States has four opponents – Russia, China, Iran and North Korea, all of which have used some kind of cyberattacks against us. These opponents do not seek “cyber catastrophe.” They have used cyberespionage, coercion, and crime to advance their aims (the most important of which is changing the international order in ways that favor them and undercut democracy).
Unsurprisingly, the way they use cyberattacks is not the way we expected. There have not been attacks on critical infrastructure. There are probes and reconnaissance of power plants and oil pipelines, of course, but so far, no damage. Indeed, Russia has an explicit doctrine, called “New Generation Warfare,” that calls for achieving psychological effects to confuse opponents and undercut them politically. By focusing our defense on critical infrastructure as the target for cyberattack, we have created a cyber Maginot Line that our opponents easily move around.
Cyber operations provide unparalleled access to targets, and the only constraint on attackers is the risk of retaliation, a risk they manage by staying below an implicit threshold – avoiding actions that would provoke a damaging American response. Almost all cyberattacks fall below this threshold, including crime, espionage, and (to date) politically coercive acts. Simply put, these four countries – even North Korea – are cautious about doing something that could start a shooting war with America.
Does this mean you can relax about cyberattack? Unfortunately, no.
To understand the risk from cyberattack, you have to look at it through the prism of a bigger conflict. For the first time since 1990, the United States faces powerful opponents who want to damage US interests and leadership. They want to displace the United States and its allies and recreate a more traditional world, where countries have spheres of influence, dominate their smaller neighbors, and where there is no interfering US presence. They want untrammeled sovereign rights so they can do as they please with their citizens.
We are therefore in a new kind of conflict, and cyber provides a new technology that our opponents are already exploiting in this fight. Unfortunately, the United States has not been particularly good at defense. And that does indeed leave us vulnerable to the determined foes we now face – just not in the way that many Americans believe it does.