Since 1991, proponents of greater cybersecurity have warned of an impending “cyber Pearl Harbor”–or sometimes its sibling, the cyber 9/11–to motivate a response to the cyber threats facing the United States. For years, I have been a critic of such cyber-doom rhetoric, arguing that it is a potentially dangerous distraction from the real threats that we face. In 2016, I was happy to see several prominent cybersecurity experts speaking out against preoccupation with cyber doom. But I won’t hold my breath for cyber Pearl Harbor’s demise just yet.
Cyber Pearl Harbor Under Fire
Cyber Pearl Harbor came under fire directly and indirectly back in the spring. At this year’s NATO conference on cyber conflict, Jason Healey of Columbia University and the Cyber Statecraft Initiative said bluntly,
For twenty five years of the seventy five since Pearl Harbour, we have been talking about a digital Pearl Harbour. It still hasn’t happened, so we are probably missing the point.
Martin Libicki from RAND had perhaps the most prescient comments. He reminded the audience that the United States once had a much broader definition of “information warfare.” This definition included more than just cyber-physical attacks like those contemplated in cyber Pearl Harbor. While the U.S. conception of cyber conflict had narrowed from its original definitions, he warned, the Russians had maintained a broader understanding of information warfare. Actions carried out based on this broader understanding could provide a serious challenge to the West, one we might not at first recognize or be equipped to counter.
More recently, several prominent cybersecurity experts have linked exaggerated fears of cyber Pearl Harbor and cyber 9/11 to alleged Russian information warfare efforts during the 2016 U.S. presidential election. For example, James Lewis of the Center for Strategic and International Studies told the Wall Street Journal,
We tend to over-militarize everything and spend our time looking for a cyber 9/11, and Russia completely went around us on it. Our doctrine is very much about protecting critical infrastructure, and their doctrine is about information warfare.
Just this week, Joseph S. Nye of Harvard University argued that alleged Russian cyber meddling in the U.S. election points to the real challenge that we face: deterring the much more numerous lower-level attacks. He wrote,
Ironically, deterring states from using force may be easier than deterring them from actions that do not rise to that level. The threat of a surprise attack such as a “cyber Pearl Harbor” has probably been exaggerated. Critical infrastructures such as electricity or communications are vulnerable, but major state actors are likely to be constrained by interdependence.
Cyber Doom Dead Enders
I am encouraged by these recent statements by such prominent voices in the U.S. cybersecurity debate. However, I would not count cyber doom rhetoric out just yet.
Such scenarios still play an important part in commentary about cyber threats. One recent piece warned that “the vast majority [of experts] consider a ‘cyber-9/11’ inevitable.” Another warned that cyber attacks could be as bad or worse than 9/11 or Pearl Harbor, and even pose a threat on par with nuclear weapons.
Finally, another recent piece acknowledged that most cyber attacks do not come close to the impacts contemplated in cyber Pearl Harbor scenarios. Nonetheless, it argued that “the U.S. has no choice but to anticipate the worst.”
Let’s not forget the various pieces that have used the occasion of Pearl Harbor’s anniversary to raise the alarm about cyber attacks. This has become somewhat of a Pearl Harbor Day tradition at this point.
More important still is the continuing use of the cyber Pearl Harbor and cyber 9/11 metaphors by incoming Trump administration national security officials. For example, Politico reported that K.T. McFarland, Trump’s pick for Assistant National Security Advisor, has worried “about cyberattacks ‘bigger than’ Sept. 11. ‘It’s gonna be Pearl Harbor.'”
Ultimately, as I have written previously, the use of cyber doom rhetoric is not really about accurately diagnosing threats. Instead, it is about using fear appeals to raise awareness and motivation to act. Research demonstrates that such rhetoric often backfires, including in the case of cybersecurity (PDF). Regardless, policy makers and activists alike have a strong proclivity towards the use of fear to make their case. Thus, I will not hold my breath for the demise of cyber Pearl Harbor and similar analogies and metaphors in the U.S. cybersecurity debate.