Bye bye, cyber Pearl Harbor.
By Jan Kallberg, US Army Cyber Institute
Mar 17, 2021

The Editors: We're pleased to share this op-ed from Jan Kallberg, of the US Army Cyber Institute at West Point. He'd like to introduce a note of skeptical caution about the historical metaphors that often inform thinking about cybersecurity policy and strategy. In this essay, he takes up one of them: concern about a "cyber Pearl Harbor." It's not that a damaging cyberattack couldn't achieve operational surprise, as the 1941 attack on Pearl Harbor did. (Consider, for example, the possibility of exploiting SolarWinds for more than espionage by using it to stage attacks that could have a kinetic effect on critical infrastructure.) Rather, it's that it's important to understand that the adversary has its own challenges to overcome, and any credible adversary will have its own strategic aims as well. And it's also worth remembering that the adversaries have their problems, too.


The cyber analogy most often drawn from the American past is the "cyber Pearl Harbor," a story of a massive future cyberattack that, with no warning, knocks out American infrastructure and leaves the U.S. vulnerable and unable to respond. The concept assumes a prepared and determined adversary launching a premeditated sneak attack whose impact on the United States is systematic and crippling.

Is "cyber Pearl Harbor" still a useful metaphor?

The question is whether the term is still relevant in 2021. It was a plausible narrative when it was first introduced: a cyber Pearl Harbor could have happened then. The name originated in the 1990s. With industrial control systems designed without security in mind, with immature Internet applications, with a massive number of systems going online without reliable defenses, and with very low security awareness, it was probably a genuine concern in that decade. As a measure of security awareness at the time: in 1998, the term "cyber defense" returned only four references in the search engine of the day, AltaVista. When I search "cyber defense" today (2021) in Google, the search engine tells me it has found 1,480,000 references.

What makes the term "cyber Pearl Harbor" resonate is that Pearl Harbor was a sneak attack. So was 9/11, which is also cited in warnings of a massive cyberattack. But in both cases there were significant warnings and indicators that an event of that magnitude could unfold. That may be one difference between Pearl Harbor and a cyber Pearl Harbor: in the cyber Pearl Harbor narrative, there is no incremental buildup of hostilities, conflict, or tension. According to its proponents, there are no warning signs, and the U.S. is not prepared. That leaves you with the feeling that a cyber Armageddon is just around the corner. I'm not convinced.

In my personal view, the cyber Pearl Harbor analogy is no longer relevant, if it ever was, because it’s based on several flawed assumptions. 

Where's the cyber knock-out punch?

First, a cyber Pearl Harbor would require a systemic point of failure that cut across multiple layers of technical infrastructure throughout our society. Even if not every sector is well defended or fully resilient, we cannot ignore the fact that over the last two decades the vast majority of corporations, utilities, and local and state governments have made significant investments in cybersecurity. That investment has gone not only into hardware and software, into defense in depth, and into hiring trained staff. Exercises and data resilience efforts have followed, as have planning for continuity of operations, deployment of backup facilities, and other steps taken to foster preparedness and recovery.

A nation-state cyberattack would normally have a strategic objective.

Second, if this grand systemic point of failure existed, a potential adversary would sit on it for a long time. An adversary holding the opportunity to deal the Americans a significant blow would be unlikely to use it the moment it was acquired. A vulnerability of this magnitude can be exploited at full effect only once; once used, it is burned. Executing the attack in isolation, at the point of discovery, would therefore squander the opportunity: it would yield no tangible value unless the resulting end state served some strategic goal.

The narrative also assumes there are only two actors: the U.S. and an evil empire out there waiting to pull the trigger on the huge vulnerability. In reality, the U.S. information technology infrastructure is persistently under attack from multiple actors, including states, criminal networks, and hostile groups, and they are active 24/7/365. Suppose a massive systemic vulnerability existed that would enable a cyber Pearl Harbor. It is improbable that only a single adversary would have identified it. Every threat actor has its own agenda. If several threat actors discovered the vulnerability, it is logical that at least one of them would launch an attack at the point of discovery or soon after. An actor with no strategic end game, one interested only in online vandalism and defacement, would not sit on the vulnerability and wait.

"Cyber Pearl Harbor" may have served a purpose one or two decades ago, helping us visualize the broad scope of impact cyberattacks could have, but today it is an outdated metaphor. Its relevance is largely gone, and overusing it belittles the complexity of cyber, which crosses multiple domains, by portraying the challenge of a national cyber defense posture unrealistically as a single framed event.

Note on the author: Jan Kallberg is a research scientist at the Army Cyber Institute at West Point, managing editor of the Cyber Defense Review, and an assistant professor at the U.S. Military Academy. The views expressed are those of the author and do not reflect the official policy or position of the Army Cyber Institute at West Point, the U.S. Military Academy, or the Defense Department.