Panetta’s Wrong About a Cyber ‘Pearl Harbor’
The Internet doesn't work that way.
In recent months, the specter of a looming cyber "Pearl Harbor" has reappeared — the phrase having first come into use in the 1990s. But it is the wrong metaphor. Given the surefire emotional effect evoked by memories of the "day of infamy," how can this be? How are good cyber security legislation and regulations to be enacted and pursued in the absence of such galvanizing imagery? Clearly, the Obama administration thinks that trotting out the Pearl Harbor metaphor is essential, and so a range of officials, right up to Defense Secretary Leon Panetta, have been using it recently. But there is a fundamental problem: There is no "Battleship Row" in cyberspace.
In December 1941, a great deal of American naval power was concentrated at Pearl Harbor and Japan dealt it a sharp blow, enabling Imperial forces to pursue their expansionist aims for a while. Of the eight U.S. Navy battleships that were there, four were sunk and the other four were seriously damaged. And if the Kido Butai, the Japanese carrier strike force, had caught the three American aircraft carriers deployed to the Pacific in port — they were out to sea at the time of the attack — or had blown up the base’s massive fuel storage tanks, the damage would have been catastrophic. Pearl Harbor was a true "single point of failure."
Nothing like this exists in cyberspace. Indeed, part of the logic behind the creation of the Internet, going back more than 40 years now, was to ensure continued communications even in the wake of a nuclear war. Redundancy and resilience are the key notions that shaped the structure of cyberspace. Yes, there are very important nodes here and there; but workarounds and fallbacks abound. Cyberspace is more like the oceans that cover two-thirds of the world: it has its choke points, but there are always alternate routes.
If the Pearl Harbor metaphor is misleading — encouraging the belief that strong defenses concentrated in one or a few major areas can protect most, if not all, threatened spaces — there may be another harbor metaphor that does much more good. This one comes from World War II as well and has to do with the harbor lights of the Eastern seaboard cities. Very soon after Germany declared war on the United States — in the immediate aftermath of Pearl Harbor — U-boats were dispatched to attack shipping on our side of the Atlantic. German submarine skippers were assisted in their task by the failure of President Franklin Delano Roosevelt to order a blackout along the coast. And so the U-boats had what their crews called "the happy time," teeing up targets for night attacks because they were illuminated against the backdrop of blazing city and harbor lights.
For several months in 1942, mayors of coastal cities resisted pressure to enforce blackouts because of the loss of business they feared would ensue, plunging an economy still not fully recovered from the Depression into a new downward spiral. It was only when shipping losses grew dangerously high — over a million tons were sunk in the first four months of 1942 — that a blackout was finally put in place and merchant ships began to move in escorted convoys. This didn’t put an end to the U-boat menace, but did bring it under control.
Today, the "harbor lights" are on all over cyberspace. A wide range of targets is well illuminated, highly vulnerable to all manner of cyber mischief. Our armed services, increasingly dependent upon their connectivity, can be virtually crippled in the field by disruptive attacks on the infrastructure upon which they depend — but which is not even government-owned. Leading commercial enterprises hemorrhage intellectual property to cyber snoops every day — a point Governor Romney made twice in his debates with President Obama. And countless thousands of Americans, having had their personal security hacked, are now serving unwillingly and unknowingly as drones or zombies, pressed into service in the robot networks, or "botnets," of master hackers.
Why do the harbor lights remain on in cyberspace? Because, rather than focusing on security, information technology manufacturers and software developers have been driven for decades by market forces that impel them to seek greater speed and efficiency — at the most competitive prices. In short, the virtual harbor lights stay on because the perceived economic cost of improved security — that is, of enforcing a blackout, in metaphorical terms — is seen as too high. And, just like FDR, American political leaders have shied away from forcing their hand.
Where the metaphor breaks down — no metaphor can address every aspect of a problem — is in its invisibility. Mass ship sinkings in the early months of 1942 were tangible events that horrified the nation. Today, the ongoing compromise of sensitive military information systems, the theft of intellectual property, and the recruitment of men, women, and children into zombie armies, all these pass largely beneath our levels of awareness. Cyberwarfare is a lot like Carl Sandburg’s fog, coming in on "little cat feet."
To be sure, senior civil and military leaders know the gravity of the situation. A deeply alarming study of our cyber vulnerabilities by the National Academies was just declassified; it makes quite clear the grave nature of the threat. At the same time, word of a new presidential decision directive (PD-20) about responding aggressively to the cyber threat has leaked out. Reporting about the still-classified directive suggests that it follows the line of Secretary Panetta’s comments in recent weeks about taking pre-emptive action against cyber threats.
All this implies clear awareness of the problem, but the pro-active recommendation to seek out and "attack the attackers" is problematic, given how well-hidden so many of them remain. Eleven years after the Code Red and Nimda computer viruses were unleashed — shortly after 9/11 — the identity of the perpetrators remains unknown. And this is true of many, perhaps most, cyber attacks. Digital warriors and terrorists today hide in the virtual ocean of cyberspace as well as U-boat skippers did during their "happy time" along the Atlantic seaboard 70 years ago. And efforts to track them in advance of their attacks, to hearken yet again to the harbor lights metaphor, will be as fruitless as the U.S. Navy’s original strategy in 1942 of sending out hunter-killer squadrons to search the ocean for the U-boats.
Back then, the right answer from the start was to black out coastal cities at night. Then, when ships sailed, they were evasively routed and escorted by anti-submarine vessels. Losses still occurred, but soon fell to acceptable levels. This is the lesson of the "harbor lights" metaphor. In cyberspace, the analogous approach would consist of far greater use of strong encryption and "evasive routing" of data via the Cloud, making it much harder for the virtual U-boat wolf packs that stalk them to find their targets.
Forget Pearl Harbor. Remember the harbor lights.