The Politicians Who Cried 'Cyber Pearl Harbor' Wolf

from the tough-to-believe-them-any-more dept

With all the talk lately about cybersecurity legislation, we've still yet to see anyone lay out an actual scenario for a real "cyber security" threat (or, at least one that goes beyond your everyday malware or corporate espionage, which are covered by existing laws just fine). However, we have heard lots of fear mongering about planes falling from skies and electric grids being shut down -- despite no evidence that there is any such threat (and, if there is, the concern should be focused on why those things are hooked up to the internet in the first place). And, of course, in all this fear mongering, there's one phrase that stands out: "Digital Pearl Harbor," as in, "we must protect ourselves before there's a digital Pearl Harbor."

David Parera, over at FierceGovernmentIT, has done the dirty work of tracing the history of the phrase, and suggesting that these Chicken Littles have been warning about the "imminent" digital Pearl Harbor for many years now.

The earliest public reference appears to be in a June 26, 1996 Daily News article in which CIA Director John Deutch warned that hackers "could launch 'electronic Pearl Harbor' cyber attacks on vital U.S. information systems."

The next month, then-Deputy Attorney General Jamie Gorelick told the Senate Governmental Affairs permanent subcommittee on investigations that "we will have a cyber-equivalent of Pearl Harbor at some point, and we do not want to wait for that wake-up call," according to the Armed Forces Newswire Service.

Thereafter the term appears to have gone into a hiatus, apart from some offhand or derivative references to the original sources cited above. But, not to worry, Sen. Sam Nunn (D-Ga.) used it again in the spring of 1998, being quoted in a March 19 South Bend Tribune article warning that "We have an opportunity to act now before there is a cyber-Pearl Harbor...We must not wait for either the crisis or for the perfect solution to get started."

There's a lot more where that came from, so go hit the link, read it, and be amazed.

Of course, as Parera notes, just because every single one of those fearmongering reports turned out to be false, it's still possible that the "Digital Pearl Harbor" is right around the corner. But, still, it at least raises significant questions of how important it is that we rush through the bill without an explicit explanation of the true threat. Of course, that won't really matter, as everyone's basically playing a giant game of musical chairs, trying to be ready to claim they "called it" should these horrible things ever actually happen.

Reader Comments

  1. TtfnJohn, 15 Jun 2012 @ 1:31pm

    Re: Damned if you do, damned if you don't

    As someone deeply involved in that herculean effort to stave off the Y2K bug (in the telecom industry) the biggest disappointment was that it wasn't going to cause the mess predicted even on most older systems that hadn't been updated in a coon's age. I can't speak for the nuclear power industry but I do know that the people involved in it all for the electrical generator and grid builder here were as disappointed as I was. Perhaps anticlimactic is more the word.

    At the end of the day the most affected systems were the billing, not operational, systems. A few days prior to the millennium turnover IBM downloaded and activated the bug fix to our mainframes with nary a hiccup. All after we'd tested the hell out of things to determine that operational systems would have continued on just fine.

    The night of Dec 31, 1999/Jan 1, 2000 we watched and waited while all the mainframe apps ran smoothly on, most of the PC based systems were fine too with the single exception of SAP who hadn't delivered their database update to fix dates from 2 characters to four. So SAP crashed impressively. A couple of phone calls to Germany later, using every swear word imaginable we got SAP to restructure their database, stop and restart the system and kept them online till we were satisfied. And they got us in the correct time zone. :)

    By Jan 2nd we had admin passwords to every part of SAP which, till then, they wouldn't give us. My low opinion of SAP didn't get any better.

    That said, we knew what was coming and had sufficient lead time to be prepared and ensure that all but one, it turned out, of our vendors were prepared and ready.

    If there ever is a cyber Pearl Harbour the problem is that we have no idea what form it will take so the defenses fall back on best practice as well as anyone can. Keeping in mind the human factor which means that someone will leave a Pad device, laptop, smart phone or whatever laying around where anyone can look into it. Insecure password/username combinations and all the rest of it. None of this means lowering vigilance, resting on laurels or anything like it. It does mean planning for the worst possible outcome and how to recover from it. It means that if the power grid HAS to remain in line for whatever ersatz reason that it be significantly hardened that it's extremely difficult to crack.

    For all of that I'd be as or more concerned about an EMP like event and not even a terrestrial one. Strong solar flares matched with coronal mass ejections aimed at Earth have the potential to fry the planet's electrical grid. Less powerful ones have the potential to fry semiconductors, have been known to cause transformers to explode and to cause mass blackouts such as the one that hit Quebec and parts of eastern Ontario in 1989.

    These are associated with "sunspot years" and we're in one of those right now. It's hard to call the Sun a terrorist but a flare/coronal mass ejection on the order of the one in 1859 would take out satellites, the Internet and almost all of the electrical grid planet wide. We know this could happen. We know at some point it will happen and that we're powerless when it does. All we can do is mitigate the damage when it does and pray we have enough hardware to begin to do that.

    Whatever will constitute a "cyber Pearl Harbour" is more problematic. We have no idea who might launch it, what vector(s) it might use and just who has the motivation and skill to construct it. So all that can be done is broad defense against malware(s) that will make Stuxnet look like a programming exercise in middle school. Should be fun. But for all of that it can be done with existing resources if government departments and the private and public sectors simply apply and enforce "best practices" security. Which they should already be doing. Otherwise it's a matter of throwing good money after bad and that never, ever works.
