11 December 2015

Pearl Harbor Should Remind Us What Real War Looks Like; Cyber Attack Isn't It

http://www.forbes.com/sites/seanlawson/2015/12/08/pearl-harbor-should-remind-us-what-real-war-looks-like-cyber-attack-isnt-it/
Dec 8, 2015, Sean Lawson
Opinions expressed by Forbes Contributors are their own.

Yesterday, Americans remembered that day that still lives in infamy, the day in 1941 when the Imperial Japanese Navy carried out a devastating surprise attack on the U.S. Navy base at Pearl Harbor, Hawaii. Each year, Americans reflect on the damage that was done in that attack, which killed 2,403 service members, injured 1,178, damaged or destroyed a good portion of the U.S. Pacific fleet, and damaged or destroyed hundreds of aircraft. Of course, Americans also reflect on the four years of war that followed, in which millions were killed worldwide and that only ended in the Pacific with the first use of atomic weapons. In short, the anniversary of Pearl Harbor invites us to remember how horrific war can be.

This is all the more important given the tendency of some government officials and industry experts to appropriate the memory of Pearl Harbor to push various contemporary security agendas. For example, the appropriation of Pearl Harbor has figured prominently in U.S. public debate about cyber security since the early 1990s when some began to warn of a possible “electronic Pearl Harbor.” Perhaps most famously, in 2012, then-Secretary of Defense Leon Panetta warned of a devastating “cyber Pearl Harbor.” But the use of the Pearl Harbor analogy goes far beyond Panetta and is a regular rhetorical feature of American cyber security discourse.
In perhaps most cases, the memory of Pearl Harbor is appropriated to warn of an as-yet unrealized but devastating cyber-attack-to-come. But in other cases, Pearl Harbor is used to exaggerate the impacts of cyber attacks that have already occured. For example, in June, some called the hack of the Office of Personnel Management (OPM) a “cyber Pearl Harbor.”
Even earlier, in February, Director of the National Security Agency, Admiral Michael Rogers, defined “cyber Pearl Harbor” and said that one had already occurred.


Asked to define a ’cyber Pearl Harbor’, a phrase used in 2012 by then-Defense Secretary Leon Panetta, Rogers replied: ‘An action directed against infrastructure within the United States that leads to significant impact—whether that’s economic, whether that’s in our ability to execute our day-to-day functions as a society, as a nation.’ He added that the hack of Sony Pictures Entertainment last November met that dire criteria. Movie studios fit into the U.S. government’s broad definition of critical infrastructure.

The appropriation of Pearl Harbor to exaggerate the impacts of the Sony and OPM hacks came at a time when Director of National Intelligence James Clapper was telling Congress that “Cyber Armageddon” scenarios are unlikely and that the OPM hack was not a cyber attack.
Recommended by Forbes

The anniversary of Pearl Harbor offers us the valuable opportunity to see such rhetoric for what it is: rank fear mongering. Neither Sony nor OPM are comparable to Pearl Harbor in terms of loss of life, damage to property, or political and military implications. In fact, we have yet to see any cyber attack that is even remotely comparable to Pearl Harbor in these terms. The analogy is not only inapt but is also not in line with U.S. intelligence community assessments of real cyber threats. Such rhetoric has one function: to cause enough fear to raise “awareness” of the cyber threat and motivate a response to it. But examining recent “cyber Pearl Harbor” use cases illustrates that the awareness that this analogy raises is a false one from the beginning, which should raise doubts about the appropriateness of any responses that follow.

Pearl Harbor is not the only event to be appropriated for the purposes of promoting fear. But, we can use it to help us recognize this same pattern when it pops up elsewhere. This pattern, a rhetorical strategy that I have called “piggybacking” or “appropriation,” is a regular feature of U.S. cyber security debate that is regularly used in the wake of natural and manmade disasters or other non-cyber attacks. Cyber security policy entrepreneurs appropriate the fear and anxiety caused by these events to promote their cyber security agendas, sometimes even if the events they are appropriating have nothing to do with cyber security.

The most recent events to have been appropriated to push a cyber security agenda are the terrorist attacks in Paris and, even more recently, the terrorist attack in San Bernardino. This is despite the lack of evidence that either had a strong cyber component, that the cyber security responses offered in response would have done anything at all to stop the attacks, and in the face of evidence that such measures might actually make cyber security worse, not better.

As Steve Ragan of CSO Online argued, “Cyber Pearl Harbor is a tasteless term, and should be a catchphrase for ‘guard your wallet’ or ‘I have a bridge I’d like to sell you.’” But it’s not just “cyber Pearl Harbor” that is tasteless and a distraction from real cyber threats. Appropriating the memory of other events, like 9/11, or using ongoing diasters like Superstorm Sandy; the Fukishima earthquake, tsunami, and nuclear disaster or the Paris attacks is equally tasteless.

Perhaps this year’s rememberance of Pearl Harbor can help us to become better at detecting and then rejecting the appropriation of this and other, actual disasters to promote fears of hypothetical cyber-doom. Perhaps we can take this opportunity to start addressing the real and serious cyber threats we actually face without resort to fear and hyperbole. We can hope; but I have my doubts.

Sean Lawson is Associate Professor in the Department of Communication at the University of Utah. He is author of Nonlinear Science and Warfare. Follow him on Twitter @seanlawson.

No comments: