On 7th December 1941, a surprise raid was launched by the Imperial Japanese naval air force against the United States Pacific fleet while at anchor in Pearl Harbor, Hawaii. This devastating attack formally precipitated the entry of the United States into World War Two, shaping the course of history. A cataclysmic event of comparable magnitude has been anticipated within the cyber domain for more than two decades, encapsulated by the analogy: “Cyber Pearl Harbor”.
The Cyber Pearl Harbor concept has attracted great controversy, not least due to the periodic use of the term by military and political leaders in the aftermath of significant cyber attacks. There have been some major incidents which have received widespread media attention this year including WannaCry, NotPetya and the Equifax breach. Do recent events bring credibility to an imminent threat of catastrophe in a Cyber Pearl Harbor event, or is the concept alarmist and potentially damaging?
In a headline-grabbing statement in 2012, the former United States Defense Secretary Leon Panetta warned of the increasing threat of network attacks conducted by foreign adversaries. He referred to the Cyber Pearl Harbor analogy to illustrate how a sophisticated attack against critical infrastructure such as transport networks, financial markets or the electrical grid, could categorically cripple a developed nation. This would constitute an act of war. His remarks were prompted by the state-sponsored Shamoon attack which disrupted Gulf State oil companies, elevating tensions between Saudi Arabia and Iran.
However, the Cyber Pearl Harbor metaphor predates the declaration made by Panetta. Instead, the term appears to have originated during the early 1990s, corresponding to societal changes in the West including globalisation, emerging systems warfare capabilities and commercial internet access. At the time, individuals including security expert Winn Schwartau, former intelligence officer Robert David Steele and Deputy Defense Secretary John Hamre drew attention to the inadequate defences that underpinned new technology being adopted within the government and private sector.
The phrase “Electronic Pearl Harbor” was established to convey the severity of the threat posed and was used to achieve political momentum in the Senate and Congress. This has gradually evolved into the Cyber Pearl Harbor phrase that is commonplace today.
“Cyber Pearl Harbor” is an unmistakably US-centric concept predicated on a potential network attack against critical infrastructure within the United States. Likewise, the phrase carries additional symbolic value to the United States, as it is evocative of physical attacks on American soil. It is worth remembering that the Cyber Pearl Harbor metaphor entails a significant reaction by the United States, such as a declaration of war.
Nonetheless, the concept could be applicable to any country’s national critical systems, from SWIFT connectivity that enables bank transactions, to Industrial Control Systems (ICS) required for manufacturing or power generation. Arguably, the attack that is most indicative of a Cyber Pearl Harbor scenario did not particularly involve the United States.
The DDoS campaign against Estonia in April 2007 caused major disruption throughout the country, prompting Estonia and NATO to bolster network defences and establish policies to frame cyber operations within international law. In 2017, NATO declared that a significant cyber attack against a member state could constitute a breach of Article 5, resulting in a collective response by NATO.
The Estonia example is hardly an isolated incident. The Cyber Pearl Harbor metaphor could apply to various disruptive attacks worldwide, for instance the targeting of the energy sector in Taiwan which caused widespread blackouts. Universally applicable iterations of the Cyber Pearl Harbor concept have therefore received periodic popularity, including “Electronic Chernobyl”, “Digital Waterloo” and “Cyber Armageddon”.
The upward trend in threats to cyber security is well documented. In July 2017, the National Cyber Security Centre (NCSC) reported that it had mitigated 29 serious cross-border incidents in its first eight months of operations, while numerous security vendors have reported sharp rises in malware variants and malicious internet traffic.
Recent developments including the exploitation of leaked NSA hacking tools and the mass compromise of unsecured IoT devices have resulted in unprecedented global incidents and threats, from WannaCry to the Mirai botnet. In short, this would imply that a Cyber Pearl Harbor event could be imminent.
Fortunately, the threat posed by a Cyber Pearl Harbor event has never fully materialised, at least to public knowledge. Since the analogy first emerged in the 1990s, there have been countless catastrophic attacks that have resulted in substantial economic and material damage, but no clear link to loss of life. This distinction is important as it somewhat explains why devastating cyber-attacks have yet to trigger conflict.
Provoking a resolute government reaction such as the declaration of war would require the threat actor to have the intent to cause physical harm, the capability and opportunity to compromise critical systems, and a reason for opting for a cyber attack over less complicated methods such as a physical attack. The likelihood that this combination of factors would align is remote; therefore, the Cyber Pearl Harbor analogy is better understood as a wildcard event or Most Dangerous Course of Action (MDCoA) rather than an imminent threat.
In the same way that the doomsday panic over the Y2K Millennium Bug turned out to be largely misplaced, should the fears of a Cyber Pearl Harbor incident be disregarded as fiction? Ultimately, it is impossible to rule out the possibility that such an attack may occur in the future and it would be negligent to be unprepared. The Cyber Pearl Harbor analogy has utility in drawing attention to cyber-related threats. Therefore, the analogy should not be completely discredited.
However, it should be emphasised that the analogy is misleading and can lead to inaccurate priorities. The ramifications of the highly unlikely Cyber Pearl Harbor scenario could be replicated by an equally unlikely event such as the impact of a solar flare, or a pre-emptive nuclear strike. To that end, it is fundamental that cyber security is prioritised according to the likely threats that face a particular organisation, sector, or geography – now and in the near future.