Dec 07Are We Destined for Another “Date Which Will Live in Infamy?” Two Retiring U.S. Senators Call for Action to Avoid a Cyber Pearl Harbor.
It’s been 71 years since President Franklin Roosevelt said, “Yesterday, December 7, 1941—a date which will live in infamy—the United States of America was suddenly and deliberately attacked by naval and air forces of the Empire of Japan.”
These words, of course, were in response to the surprise attack on Pearl Harbor. It was an attack far more devastating than anyone — including the Japanese — were aware of at the time. In reality, the entire West Coast was left vulnerable. But, by what some would call supreme luck and others divine intervention, all American aircraft carriers were at sea when the attack came. And, aircraft carriers, not battleships as had been assumed, turned out to be the decisive weapons for victory in the Pacific.
Two senators would just as soon not rely on luck or prayer to avoid a “cybergeddon.” On the anniversary of the Japanese attack on Pearl Harbor, Senators Joe Lieberman, Connecticut independent and chairman of the Senate Committee on Homeland Security and Governmental Affairs and Susan Collins, Republican of Maine and the senior Republican on the committee, call on Congress to pass legislation to protect the country from cyberattack. And, since both senators are retiring, their words carry even more weight.
In a New York Times opinion piece, “At Dawn We Sleep,” the senators warn congress that there is more than just the fiscal cliff it should be trying to keep the country from plummeting over:
If you read the newspapers on the morning of December 7, 1941, you would have been led to believe that Japan was poised to attack — but in Southeast Asia, not Pearl Harbor. Few experts believed that Japan was prepared to take on the United States; war, they believed, was not necessarily imminent.
“In view of the presence of new British naval strength at Singapore and powerful American squadrons in the rear of any southward Japanese expedition, it is believed there is no immediate likelihood of a large-scale invasion or bombing,” The New York Times quoted an Australian official as saying.
On this anniversary of the Pearl Harbor attack, it’s worth remembering that enemies will attack at a time of their choosing.
In fact, they rely on surprise.
A storm is surely gathering again, and we must resist the false sense of calm. The attack is not a matter of if, but when. It will not be launched from aircraft carriers, missile silos or massed armies. It will come through cyberspace and will strike our most vital computer systems, those that manage our electricity grids, oil and gas pipelines, telecommunications networks and financial markets.
We know that digital networks are being tested, on a minute by minute basis, by would-be cyberterrorists, criminal gangs, rogue hackers and rival nations who look for unguarded digital back doors that would allow them to seize control of our most essential computers.
In invoking Pearl Harbor, we’re not trying to be alarmist — we’re borrowing an analogy the defense secretary, Leon E. Panetta, himself used in an October 11 speech about what a catastrophic cyberattack might look like.
“An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches,” he said. “They could, for example, derail passenger trains or even more dangerous, derail trains loaded with lethal chemicals. They could contaminate the water supply in major cities or shut down the power grid across large parts of the country. The most destructive scenarios involve cyber actors launching several attacks on our critical infrastructure at one time, in combination with a physical attack on our country. Attackers could also seek to disable or degrade critical military systems and communication networks.”
Mr. Panetta added: “The collective result of these kinds of attacks could be a cyber-Pearl Harbor, an attack that would cause physical destruction and the loss of life. In fact, it would paralyze and shock the nation.”
The harsh reality is that such an attack does not require extensive computer skills. Earlier this year, The Washington Post reported on an overseas hacker who gained control of a small Texas water utility using Internet tools available to anyone. It took him just 10 minutes. The utility learned of the attack only when proof of it appeared online — the hacker’s warning of how susceptible the plant was.
Given these warnings and actual evidence of successful attacks, you would hope that Congress would be working urgently to strengthen the cyberdefenses of our critical infrastructure — to make them well-defended forts, rather than undefended targets.
But twice this year the Senate failed to pass bipartisan cybersecurity legislation, with the United States Chamber of Commerce leading the opposition.
What made this so frustrating was that we — along with our Democratic co-sponsors, Senators Thomas R. Carper of Delaware, Dianne Feinstein of California and John D. Rockefeller IV of West Virginia — had already agreed to a major compromise to address the concerns of the chamber and its Senate allies by replacing mandatory cybersecurity requirements with voluntary, industry-developed standards that would also have protected from lawsuits companies that chose to implement the new standards.
Indeed, the concept of a voluntary, incentive-based system was proposed by the chamber and other industry groups in a March 2011 white paper and endorsed by a Republican-led House task force in October 2011.
Our willingness to compromise and adopt this reasonable, moderate approach was met with irrational resistance — even after the chamber learned — thanks to the FBI — that it had been the victim of Chinese cyberespionage.
One of the biggest mistakes that enabled the attack on Pearl Harbor was a belief that Japan lacked the capacity to mount devastating aerial bombing attacks so far from its borders.
For a modern-day equivalent, look at the recent attack against one of the world’s largest energy businesses, the Saudi oil business Aramco, which had 30,000 of its computers crippled in a cyberattack, wreaking havoc on the company’s operations. If that wasn’t a clear enough warning, the destroyed computers’ files were replaced with pictures of burning American flags.
Recently, the consumer banking sites of Bank of America, JPMorgan Chase, Wells Fargo, PNC and others came under the largest sustained denial of service attack in history. The attacks went on for weeks, knocking many of these sites off line or slowing them to a crawl.
These attacks did not have to be initiated from within the United States or even a few miles offshore. Cybersecurity experts believe Iran is the likely culprit in both attacks, and we fear this is just the beginning.
The headlines before the attack on Pearl Harbor turned out to be delusional. No one can reasonably entertain such a delusion about our adversaries’ capacity to attack us in cyberspace today.
Time has almost run out in this session of Congress, and President Obama will soon issue an executive order that will establish cybersecurity standards for critical infrastructure according to the statements of his top cabinet officials.
But the president’s powers are limited, and the issuance of an executive order is controversial even among some supporters of cybersecurity legislation. The new Congress must take up this issue, and pass comprehensive legislation to defend our nation against this gathering cyberthreat. If it doesn’t, the day on which those cyberweapons strike will be another “date which will live in infamy,” because we knew it was coming and didn’t come together to stop it.