17 August 2023

A ‘Cyber Pearl Harbor’ is a myth—daily cyberattacks are the real problem

STEVEN STONE

Google “cyberattack” and the screen fills with returns about the latest troubling breaches or opinions about these breaches.

In the same week I’m writing this, a medical clinic in Murfreesboro, TN, was still assessing damage after being forced to close temporarily and cancel appointments following a ransomware attack.

Cybercriminals took down the website of the European Investment Bank, the lending arm of the European Union. Experts said it likely was the latest in a series of threats against European financial institutions by pro-Russian hackers in response to European support for Ukraine.

And Hayward, a city of 163,000 in San Francisco’s East Bay region, shut down several of its computer systems after a ransomware attack.

In an earlier time, any one of these single events could have dominated the news cycle, but now they’re just part of the morning read. Collectively, they illustrate the environment the world now finds itself in—a steady barrage of day-to-day attacks that undermine governments and companies, expose sensitive data, and even cost lives.

Cyberattacks have come to feel more like death by a thousand cuts than the long-discussed “Cyber Pearl Harbor,” a single cataclysmic breach that ignites a doomsday scenario of crippled infrastructure, social disruption, and human casualties. This hypothetical event would then ideally lead people to take cybersecurity seriously and change this routine.

And, yet, fear of a Cyber Pearl Harbor has persisted among many politicians, military officials, and business leaders in the U.S. cybersecurity conversation for more than a decade.

It is time to acknowledge the Cyber Pearl Harbor event is a myth. In fact, from a technical perspective, every significant threat scenario has already occurred at least once and the succession of significant attacks in recent years, taken as a whole, amounts to the same thing.

But the alarming language is no longer needed to spur defensive action—recognition of the threat already exists and substantive preparation is ongoing.

The continued use of terminology like Cyber Pearl Harbor (or its hyperbolic cousin, Cyber 9/11) is problematic because it obscures the true nature of today’s cyber threats and can distract us from the best ways to deal with them.

Nearly 11 years have passed since then-Defense Secretary Leon Panetta popularized the term Cyber Pearl Harbor. In an October 2012 speech at the Intrepid Sea, Air and Space Museum in New York that received wide media attention, Panetta warned that a “cyber attack could paralyze our country,” with aggressors derailing passenger trains, contaminating water supplies, and shutting down power grids.

Since then, a Cyber Pearl Harbor “has been one of the most prevalent and familiar analogies used by American officials, experts, and pundits to raise awareness of the dangers in this new realm of competition,” says the Carnegie Endowment for International Peace. “The analogy conjures up grainy newsreel footage of burning battleships and the nation’s entry into World War II. It evokes a devastating bolt from the blue that leaves an indelible imprint on the U.S. psyche.”

However, the concept of a single Cyber Pearl Harbor seems overwrought when the barrage of attacks over the last decade has shown that the real threat isn’t a single big bang but a seemingly constant stream of smaller assaults. Additionally, the events discussed as potential Cyber Pearl Harbor(s) have occurred. We’ve seen widespread data destruction, affected infrastructure, deaths at hospitals due to ransomware, and the most sensitive types of data leaked and manipulated publicly.

I get it: Cyber Pearl Harbor is a simple (and scary) concept and makes for good headlines. But it disguises a more complex reality — that we face multiple, relentless threats from a diverse array of bad actors around the world.

FIGHTING BACK

Cyber Pearl Harbor derives much of its rhetorical power from the fallacy that we’re sitting ducks for an attack that no one is sufficiently imagining, much like Japan’s surprise military strike on the U.S. Naval base in Hawaii on Nov. 7, 1941. More action, the argument goes, is needed by the public and private sectors to get ready.

But it would be ridiculous to think that all these years of security incidents, in an increasingly volatile geopolitical climate to boot, haven’t made cyber defense a top priority for governments and businesses. When it comes to major cyberattacks, failure of imagination seems the least of our worries — we’re already seeing them all the time.

Furthermore, despite the common public perception that cybercrime is out of control, there actually are signs of improvement.

For example, the most recent State of Data Security report by Rubrik Zero Labs showed “organizations making positive improvements across 2022 and (we) expect this trend to continue throughout 2023” in every industry and region.

In addition, information sharing on cyber threats between the public and private sectors and even among companies that once kept such information close to the vest keeps growing — a very positive trend. The Russian invasion of Ukraine is an excellent example. More is publicly known now about Russian cyber capabilities, as well as defensive measures that produce value, than at any time previously, and it’s due to previously unseen levels of sharing and coordination.

To be sure, the attacks we see in the news every week vividly show the many challenges that remain. For example, too many organizations still lack a deep understanding of what data they have, which of it is critical, and which is most important to protect. And a stronger, more consistent set of cybersecurity standards would help ensure consistency across the public and private sectors in defending against breaches.

At its core, cybersecurity is a “forever problem.” That is, we shouldn’t be expecting (or even waiting for) one huge event to spur improvement. Rather, better cyber defense comes from many smaller steps that add up to decisive action.

A good analogy is the auto industry. Moves to improve auto safety didn’t follow some enormous defining event; they occurred because the industry understood it was the right thing to do, and to satisfy consumer demand for safer vehicles.

The same holds true for cybersecurity. Rather than buying into the flawed notion of a Cyber Pearl Harbor, the world is better off focusing on what true threats lie ahead and what’s working or not to defend against them.
