If I'm remembering correctly, I first heard the term “cyber Pearl Harbor” back in the early 2000s at an SC Forum held in Napa Valley. Richard Clarke – at that time, special advisor to the president on cybersecurity and cyberterrorism – was our keynote and he discussed breaches of government and corporate networks being led by nation-states.
In making suggestions for strengthening security postures, he noted that incidents of cyberespionage were only due to become more rampant, more impactful. Yet, to wait for a cyber Pearl Harbor to occur – an attack in the virtual world possibly as devastating as 9/11 was to us in the physical one, just without the “kinetic” impacts – would be a huge miscalculation given that small groups of skilled technologists already were siphoning off loads of intellectual property, classified data and other proprietary information after successfully penetrating any number of public and private networks time and again. At the time, while many breaches of these networks in the U.S., England and elsewhere were being attributed to the Chinese military (with Russia being mentioned every once in a while, as well), similar incidents easily could be spearheaded by non-state actors developing similar cybercapabilities, he warned. (Just this year, as an example, we've seen pro-ISIS hackers threaten to launch cyberattacks against interests in the U.S., Europe and Australia.)
Fast-forward to today where, in this month's cover story, Lee Sustar, one of our regular contributing reporters, speaks with numerous former intelligence officials and military veterans about how security tactics and plans against nation-state and other organized attacks must evolve and whether the federal government should consider moving beyond simply bolstering its defense and response capabilities with more offensive techniques.
The discussion points, as you'll read, are interesting. However, they're not exactly new. Both defensive and offensive security strategies were being bandied about around the time that our SC Forum was held in California's wine country back in the day. Yet, we are hearing more from those championing offensive tactics to possibly help deter the occurrence of future incidents like the OPM breach, which exposed sensitive details of millions of current and former U.S. government employees – including foreign service and military personnel. Indeed, we've seen this in action, to some degree, with the U.S. enlisting Stuxnet against Iran's nuclear plants a few years back, as revisited in this month's main feature.
Still, even with Stuxnet as an example, the complexities and questions regarding a more consistent reliance on offensive capabilities are concerning. Where might a quid-pro-quo escalation of cyberattacks lead? What are our capabilities versus those with whom we might engage? What truly are the costs and benefits of engaging in such actions? The questions go on, but today, at least, officials and other experts seem to be discussing these more as cyberespionage attacks continue happening, while real possibilities of cyberacts of war occurring in the future loom a bit larger.