Everyone's favorite Italian grandmother and likely next Secretary of Defense Leon Panetta made headlines last week when he cautioned that "there's a strong likelihood that the next Pearl Harbor we confront could be a cyber attack." That's fear-mongering nonsense.
Look, we know cyber-security is an important issue. Stuxnet showed unequivocally that state-sponsored cyberwar is already upon us. News that the recent IMF hack was likely pulled off by a sovereign government feeds that fire. Hell, Anonymous is even kinda-sorta bullying NATO and the Federal Reserve, and meanwhile Lulz Sec is hitting the US Senate's Website.
And you know what? We were even okay with hearing the military muttering that "if you shut down our power grid, maybe we will put a missile down one of your smokestacks." Not because we want to see a war over some silly DDOS attack. But rather because it at least means the government is finally treating cyber-security seriously.
But a cyber attack will not be the "next Pearl Harbor."
Panetta is concerned by electronic attacks on the nation's electrical grid, and communications networks. As he should be. Cut off the heat to Chicago in the winter, or the AC to Atlanta in the summer, and you've got a situation where people are going to lose their lives. Cut off our communications and you disrupt our command and control operations. It's all bad.
But in order to seriously devastate the United States, to kill thousands of Americans and cripple our military as Pearl Harbor did, a cyber attack would need to be coupled with a military attack. And the only entities cable of launching that kind of coordinated attack are state actors.
And look, here's the deal, grandma: No state actor (especially not the Chinese with whom we've got a mutually beneficial relationship) is going to sucker punch us. Panetta is worried about the wrong thing.
We need a program focused not just on massive, system-wide attacks, but on the nickel and dime stuff that's taking a slow but steady toll. We need to be worried about the steady drumbeat of theft and espionage and vandalism that goes on daily, only a fraction of which makes the news. We need to sweat the incremental damage lone individuals and stateless groups can do to harass and harangue and weaken us. We need to understand what weaknesses in our information security allowed Bradley Manning and Wikileaks to access a treasure trove of our secrets. We need to identify and secure vital portions of our infrastructure, both public and private. And we need to not oversell the notion of total electronic devastation.
Yeah, the US needs to be worried about cyber-security. But if you want it to be effective, or to have anyone pay attention, it needs a realistic program that focuses not just on grandstanding and the pie in the sky threats, but on the real and present dangers we face right now.