By Bob Gourley
Leon Panetta spoke today at the Symantec government conference in DC. No matter what your politics are, I hope you see this man as a great American who always puts country above himself. I believe that. He has spent his entire adult life proving that.
He is a fantastic speaker. He held the attention of an audience of 2000 with a great overview of the state of national security, including threats, and as far as I can tell did that perfectly. He reviewed threats by nation and threats by type, including, of course, cyber security threats.
As he has done before, he chose to invoke a metaphor in his depiction of the threat. He warned of potentially devastating cyber attacks, attacks that could take down our nation's power, water, transport and communications infrastructure and bring the nation to its knees. He drew parallels to the devastating paralysis and horrific economic impacts of Hurricane Sandy, warning that a cyber Pearl Harbor would be much worse.
He mentioned solutions to avoid a cyber Pearl Harbor that I believe everyone in the cyber security world has heard before: public-private partnerships, more collaboration and information sharing, and education and training.
Overall I loved his focus on the cyber threat. This was, after all, a conference of cyber security professionals.
But many of us think the old metaphor of a cyber Pearl Harbor is actually becoming counter-productive. The term once had great importance. The first I heard of it was in the 1990s, when Winn Schwartau used it to help raise awareness of the seriousness of the threat.
Now, however, many of us have come to the strategic conclusion that when people focus on the threat of something with incredibly low odds of occurring, they detract from efforts to fix the real threats. The real threats are in our networks right now. Adversaries are stealing intellectual property, learning of business intentions, stealing personal information from citizens, robbing wealth, stealing government information, and doing a whole host of other very bad things. All of these are worthy of significant strategic thought and action to help mitigate the threat.
Meanwhile, there is no real indication that any adversary on earth could conduct an attack that would give us a cyber Pearl Harbor, at least not without nuclear weapons. Every attack scenario I know of that has Russia or China conducting massive cyber attacks against our infrastructure puts them on an escalation ladder they will not want to be on. Additionally, every attack scenario I know of has an incredibly high potential of not producing the effects the adversary desires. For adversaries to get the desired effects they will need to either open with their nuclear weapons or send them as soon after their cyber attack as the laws of physics allow. It is pretty clear to me that if the nation is under a cyber attack designed to be the cyber Pearl Harbor, the ICBMs will be coming within minutes. And in that case, which of those two do you think will have the bigger impact?
I didn't write that last paragraph to scare you into preparing for nuclear war. I do not believe that is imminent. Neither is a cyber Pearl Harbor. It is being deterred by the same powerful military that dissuades adversaries from attacking us with nuclear weapons.
But we are not dissuading adversaries from cyber attacks and cyber espionage. This is underway now, and it is increasing, not slowing down. Mitigating these ongoing attacks requires a different approach.
Another reason I no longer like the term cyber Pearl Harbor is that it makes many in the community think the person saying it is trying to scare them with an overhyped threat, and that in turn makes them think all cyber security threats are overhyped.
So with that as a preamble... Since I was on a couple of panels at the conference, I was invited to a brief photo op with Secretary Panetta and had a chance to have a few words with him. Here is the gist of what I said:
Gourley: "Thank you, Mr. Secretary, for your talk today and your service."
Secretary Panetta: “You are welcome, thanks for coming.”
Gourley: "Sir, I'm from the cyber security community, and I wanted to tell you that many of us are getting tired of you using that old, worn-out metaphor of a cyber Pearl Harbor, a term that seems to overinflate a particularly low-probability attack and underplay the very serious ongoing attacks we need to stop. I think we should get you some new metaphors that might be more relevant."
Secretary Panetta: "Oh, like what ones?"
Gourley: "Many of my friends are using metaphors that come from the life sciences. Most attacks today are ongoing operations that need continuous prevention, treatment and mitigation, like an infection. You might want to try metaphors like cyber flu, or perhaps just talk about the seriousness of the threat. But my personal recommendation is to consider dropping the cyber Pearl Harbor phrase; it isn't helping, in my opinion."
Secretary Panetta: "Oh, I see. Thanks."
Will my inputs make a difference? I really just had a couple of seconds to get that out, and I'm not sure I emphasized the right things in my few seconds with him. Was I right to try? I guess time will tell.