Catching the United States by surprise, the Japanese devastated the U.S. military forces stationed at Pearl Harbor, Hawaii on December 7, 1941. With calculated ferocity, the Japanese destroyed 188 aircraft, sank or damaged 16 warships, and killed 2,402 people. Tragically, the attack on Pearl Harbor should not have been a surprise.
Of the many unheeded warnings that a Japanese attack was imminent, the first came from the U.S. ambassador to Japan in a coded telegram. He warned, “The Japanese military forces planned to attempt a surprise attack on Pearl Harbor.” Intelligence officers did not believe him. U.S. military officers in Washington, D.C. then observed that the Japanese fleet had gone into strict radio silence, a discovery they failed to pass along to officers in Pearl Harbor. President Franklin Roosevelt himself received a memo three days before the attack, warning that the Japanese were “paying particular attention to the West Coast, the Panama Canal and the Territory of Hawaii.” Perhaps worst of all, the first wave of attacking Japanese fighter planes were detected by U.S. radar 132 miles away from Pearl Harbor. The officer manning the radar that day, confusing the Japanese fighters for a returning wave of U.S. bombers, advised, “Don’t worry about it.”
Warning after warning fell on deaf ears, leaving the U.S. forces at their most vulnerable. Today the United States is once again vulnerable, but this time the threat does not come from across the vast Pacific but the far vaster World Wide Web. A series of escalating attacks has exposed the meager defenses of the U.S. cyber infrastructure. Will the United States be victim to a cyber Pearl Harbor, or will it heed these warnings and prepare for the next attack?
The Warning Signs
The year 2015 has seen more than its fair share of massive hacks, but the most notable of these hacks was the breach of the U.S. Office of Personnel Management, which keeps records on every current and past federal employee as well as applicants for federal jobs. Though the U.S. government has made no formal accusations, it is widely believed that China was behind the attack, which gained access to 21.5 million people’s records. The information acquired included important personal information such as social security numbers, and the hackers even obtained the fingerprints of 5.6 million people. Worse yet, the hackers had access to the OPM records for a year before the breach was detected.
While the scale of the OPM hack sets it apart, foreign hackers have obtained various forms of sensitive security information from government agencies frequently in recent years. For example, U.S. Department of Energy computers, which possess information relating to power grids and nuclear weapons, were compromised 159 times from 2010 to 2014, and hackers gained administrative privileges in 53 of those breaches, according to USA Today. In another instance, Russian hackers last year succeeded in hacking some of President Obama’s email correspondence, giving them insight into the president’s scheduling, policy planning, and more. Other major government agencies hacked in the last few years include the Department of State, the National Oceanic and Atmospheric Association (whose servers hold thousands of satellite images), and the United States Postal Service.
These hacks are alarming and illustrate the vulnerability of the U.S. cyber infrastructure, but they do not constitute a cyber Pearl Harbor. They did not cost American lives. In 2012, then Defense Secretary Leon Panetta warned of a cyberattack that could kill by compromising water supplies, public transportation, and power grids.
“An aggressive nation or extremist group could use these kinds of cyber tools to gain control of critical switches,” said Panetta. “[The worst-case scenario would be] cyber-actors launching several attacks on our critical infrastructure at one time, in combination with a physical attack…a cyber-Pearl Harbor that would cause physical destruction and the loss of life, an attack that would paralyze and shock the nation and create a profound new sense of vulnerability.”
This gloomy portent is already showing signs of coming true. Russian hackers have breached most of the United States’ critical infrastructure in an attempt to “poke and prod U.S. networks for vulnerabilities,” according to The Hill. Darien Kindlund, director of threat research at cyber intelligence firm FireEye, said the Russian hack could have been a “staging tactic for something larger.”
Prepare for Attack
In response to the OPM data breach, the Obama administration launched a 30 day “Cybersecurity Sprint.” This initiative mainly increased the amount of two-factor verification used to access certain networks and investigated each agency’s particular vulnerabilities. However, some senior cybersecurity officials and technology experts told The New York Times that this effort gave the United States’ cyber-defenses “the software version of Bubble Wrap.” If that is the case, then what must be done to make the United States substantially cyber secure?
First, U.S. policymakers should attempt to codify international ground rules for cyber conflict. Obama tried to do this during Chinese President Xi Jinping’s visit to his country. The result was what Obama called a “common understanding” that neither government would knowingly support the theft of corporate secrets. That “understanding” is nonbinding, includes no other countries, establishes no international norms of conduct, limits itself to corporate espionage, and allows ample room for plausible deniability. When Director of National Intelligence James Clapper was asked if he was optimistic that this agreement would eliminate Chinese cyberattacks, he simply answered, “No.”
The type of rules the U.S. government needs to promote is a Geneva-Conventions-style framework that applies to all state actors. Not only would this establish rules of conduct that should be adhered to, but it would define ways in which states can retaliate. With rules like this in place, the next time the United States discovers a hack coming from China, Russia, or another state actor, it could retaliate in a predefined way. This would also enable the United States to make a deterrent threat against a cyberattack.
There is a range of short-term options that U.S. policy makers could choose as well. The Department of Homeland Security outlined many of them in an audit this year. The audit advised instituting a cyber training program for analysts and investigators, ensuring long-term budget allocations for cyber programs from Congress, developing a plan for coordinating cyber activities across agencies when responding to a large cyberattack, and constructing an automated capability to share incident information in near real-time.
Finally, Congress can take action. The House this year passed the Protecting Cyber Networks Act and the National Cybersecurity Protection Advancement Act of 2015. These bills would greatly increase the amount of information shared between the public and private sectors and mandate heads of agencies conduct periodic reviews of their agencies’ cyber performance. The Senate has yet to vote on any cyber legislation this session.
Cyberattacks against the United States have grown in volume and scale. Already, the United States has bled corporate secrets, patented information, and personnel records. With these vulnerabilities comes the risk of a cyberattack capable of taking lives. As in Pearl Harbor, if the United States fails to prepare for the attack, it can only respond to the damage.