Fears of a catastrophic cyber attack against national infrastructure go back well before 2001, but the attacks of a decade ago have given this possibility a new name: a “cyber 9/11.” The feeling persists that a large-scale cyber attack is just around the corner. Yet, despite these fears, there have been no such catastrophic attacks. While there have been disruptions, not a single person has died as a result of a cyber attack.
A discussion, held as part of the Atlantic Council’s look back at ten years since the 9/11 attacks, brought together distinguished panelists and discussants to examine this puzzle. Panelists Franklin Kramer, Bob Giesler, and Greg Rattray led the group through a number of important reasons why we haven’t seen a cyber 9/11 yet:
- Calling a cyber-induced catastrophe a “cyber 9/11” obscures the main concern. While such an attack is possible, for a decade the main scourge has been espionage and wide-scale theft of intellectual property.
- As a nation, we have yet to decide whether such espionage warrants a substantial strategic national security response, and have yet to have a systematic discussion of what to do about it. Some actions (like a declaratory policy and improved resilience) are well known. Others are not, and few are well implemented. The panelists were clear that the development of effective responses should be a high national priority.
- A “cyber 9/11” and “cyber Pearl Harbor” are often wrongly used to mean the same thing. However, one was a non-state group primarily attacking non-state targets; the other was a military attack against military targets. Both were followed by long conventional wars that ultimately displaced the leadership of the attacking group. Accordingly, these names can be useful shorthand for “surprise attack” but should generally only be used with caution or in their full military history and international affairs context.
- A catastrophic cyber attack is still possible and could happen, someday. However, there remain many disincentives and challenges to a catastrophic cyber attack. Armchair cyber warriors who breezily predict how cyber attacks will strike down nations are often ignorant of the reality of offensive cyber operations.
- Individual attacks may be easy, so an attack may have significant short-term or local consequences (as have the annoying attacks from Anonymous, say). However, it is exceptionally difficult to take down multiple, specific targets and keep them down over time. Even Stuxnet only delayed, not destroyed, the Iranian nuclear program. A key difficulty is proper reconnaissance and targeting, as well as the need to deal with a variety of diverse systems and be ready for countermoves from your adversary. Non-state groups tend to lack such punch and the ability to sustain it in the face of a determined response.
- So far, it has been true that adversaries with the capability to cause catastrophic attacks (generally other nations) generally lack the motive, while those adversaries with the motive (terrorist groups) generally lack the capability. This happy situation may not last for much longer, though. Were the United States to become engaged in a war with a capable cyber adversary, the calculus for potential cyber attacks would change. Moreover, criminal groups might develop more destructive cyber capabilities and provide them to terrorist groups as part of their criminal enterprise.
- Moreover, when subjected to such a large-scale attack, the defenders will respond in novel ways – as has happened when faced with other disruptive military technologies. As an example, inter-war air power theorists strongly – but ultimately falsely – predicted that strategic bombardment from the air would paralyze populations, destroy modern economies and win wars within weeks. Resilience of the overall system was greater than predicted. Enhancing resilience of the cyber system should therefore be a high priority both as a deterrent and as a warfighting approach.
- One important way for a cyber attack to have 9/11-like catastrophic consequences is to disrupt industrial control systems, where cyberspace touches the electrical grid and other physical infrastructure. Unfortunately, the number of these touch points is rapidly increasing, especially as we rush for a smart grid, and vulnerabilities have correspondingly increased. Other critical infrastructures also have significant potential vulnerabilities, as former Deputy Secretary of Defense William Lynn and other officials have noted on multiple occasions.
- On balance, a cyber national security agenda should include efforts to limit espionage, reduce vulnerabilities against a substantial nation-state attack in the event of war, and protect the most critical assets so that a lesser terrorist-type attack would not have systemic consequences.
The Atlantic Council will continue to discuss these problems over the next months and years to hopefully ensure a cyber 9/11 catastrophe never does occur, or at least that we are better prepared if it ever does.
Jason Healey is the Director of the Cyber Statecraft Initiative at the Atlantic Council of the United States. You can follow his comments on cyber cooperation, conflict and competition on Twitter, @Jason_Healey. This blog is the first of a periodic series on cyber conflict history.