I am posting a paper that my colleague Michael Middleton and I presented last fall at a conference at George Washington University. The paper provides a systematic analysis of the origins and use of “cyber Pearl Harbor” as an analogy and metaphor by various actors in the U.S. cyber security debate. The full citation and link to the PDF:
Sean Lawson and Michael K. Middleton, “Cyber Pearl Harbor: Analogy, Fear, and the Framing of Cyber Security Threats in the United States, 1991-2016,” presented at “Legal and Policy Dimensions of Cybersecurity,” George Washington University, Washington, DC, September 27-29, 2016.
Why Study Cyber Pearl Harbor?
Motivation for the paper stems from the fact that “cyber Pearl Harbor” is perhaps the most (over-)used analogy and metaphor in the U.S. cyber security debate. At the 2016 NATO International Conference on Cyber Conflict, I asked several other participants what they thought a cyber Pearl Harbor was supposed to entail and who was most responsible for perpetuating that analogy. Though everyone seemed to agree that Pearl Harbor was an poor and over-used analogy, that’s where the agreement ended. Some thought it was merely meant to convey the idea of a surprise attack. Others thought it was meant to warn of the possibility of catastrophic consequences of a cyber attack. Some thought it was primarily government officials who were responsible for perpetuating this analogy, others that it was a marketing tactic for private cyber security companies. Finally, in his talk, Jason Healey of Columbia University and the Cyber Statecraft Initiative, argued, “For twenty five years of the seventy five since Pearl Harbour, we have been talking about a digital Pearl Harbour. It still hasn’t happened, so we are probably missing the point.”
Sources & Methods
The goal of the paper was to systematically analyze who it is that has perpetuated this analogy in public discourse and what such an event has been said to entail. Beyond that, we wanted to know who has been identified as a possible perpetrator of such an attack on the United States and with what kinds of targets. Finally, we wanted to know what kind of events or conditions are used as evidence in support of the idea that cyber Pearl Harbor is a real threat.
To do this, we looked at twenty five years of coverage in major U.S. newspapers. This suggested another research question, which was the degree to which newspaper coverage of claims for a cyber Pearl Harbor threat were supportive or dismissive of that claim. We also analyzed a collection of key speeches, statements, and other documents in which the cyber Pearl Harbor analogy has been used. We employed a combination of content analysis and rhetorical analysis of the news articles and speeches/statements, respectively.
Officials Promoting Catastrophe with the Help of News Media
In short, we found that government officials have been most responsible for perpetuating the idea that the U.S. faces a cyber Pearl Harbor threat. In 60% of cases where cyber Pearl Harbor was depicted in the news as a realistic threat, government officials were the ones cited as promoting this idea. Conversely, in 65% of cases where cyber Pearl Harbor was portrayed as unlikely or unrealistic, private actors such as industry experts, academics, or journalists were cited.
This threat is most often portrayed as not merely a surprise attack, but as a catastrophic one that leaves the nation paralyzed. News media has tended to report these claims uncritically.
That is where the clarity ends, however. The story about who it is that might threaten the United States with such an attack has remained ambiguous and has shifted over time. Likewise, those who perpetuate the cyber Pearl Harbor analogy often do so without providing clear evidence in support of the threat.
Finally, we found that in the face of twenty five years of failed (so far) predictions of imminent cyber Pearl Harbor, several rhetorical tactics have emerged as a response. These include:
- Redefine cyber Pearl Harbor as not one catastrophic, surprise attack, but rather, a series of smaller attacks over time with costly cumulative effects. This tactic opens the door to
- Claim that some event that has already occurred (e.g. the OPM hack, or the Russian hack of the DNC) is the fulfillment of the cyber Pearl Harbor prediction. That is, cyber Pearl Harbor has already occurred.
- Claim that some single event or series of events has occurred that constitutes a cyber Pearl Harbor, but that we did not recognize it as such. That is, some raise the possibility or a secret or stealth cyber Pearl Harbor.
But It’s “Just Rhetoric,” Right?
With this work, we join a chorus of scholars and practitioners who increasingly recognize the importance of the language we use to frame problems in shaping the solutions we are able to imagine and implement. This has even included U.S. Cyber Command (USCYBERCOM).
In 2012, USCYBERCOM launched the Cyber Analogies Project at the Naval Postgraduate School. Led by respected scholars and policy makers, the project’s mission was “to assist U.S. Cyber Command in identifying and developing relevant historical, economic, and other useful metaphors that could be used to enrich the discourse about cyber strategy, doctrine, and policy.” The final report [PDF] of the project explained the importance of analogies:
“Ability to keep pace with the cyber evolutionary curve, or perhaps to stay a step ahead of those who wish to do harm, depends on the ability to visualize how to fight in this new domain, just as strategists from earlier eras had to imagine how operating in the air, or with nuclear weapons, changed military affairs. Analogies drawn from earlier eras and different disciplines have the potential to help with visualization, allowing us to think through new or difficult subjects. They offer us an inductive approach to developing an understand- ing of high-level conceptual and operational issues related to cyber security and cyber warfare.”
The report argues that appropriate “analogies, metaphors, and parables” are necessary to facilitate learning, communicating, and “winning H.G. Well’s ‘race between education and catastrophe.’”
The importance of language and rhetoric for appropriately framing and responding to problems is abundantly clear. Increasingly, military and national security professionals are coming to this understanding as well. This includes those who are wrestling with complex problems like threats to cyber security, where there is increasing recognition that hyperbolic analogies and metaphors like cyber Pearl Harbor are not only inadequate, but may actually be harmful, to our ability to understand and respond to the cyber threats we face today. It is our hope that the research presented here can aid scholars and policy makers in understanding the emergence, evolution, and persistence of the cyber Pearl Harbor analogy as a first step towards developing more appropriate and productive frames for understanding and responding to cyber security threats.