Defense Secretary Leon Panetta made some alarming predictions during a speech on Oct. 11. Cyber attacks are looming, he said. They “could be as destructive as the terrorist attack of 9/11” and might amount to a “cyber Pearl Harbor.”
Strong words — and ones that have the virtue of being both accurate and necessary. One of the most pressing military threats facing the United States today is one we can’t see, which makes it the most difficult to discuss sensibly.
Panetta provided chilling details of recent attacks that disrupted U.S. financial institutions and a virus that infiltrated the computers of the Saudi Arabian Oil Co. These are just the latest examples of a disturbing trend. According to Gen. Keith Alexander, leader of the U.S. Cyber Command, computer-based intrusions against U.S. infrastructure increased 17-fold between 2009 and 2011, and cyber attacks have led to the theft of about $1 trillion in intellectual property.
There are two prudent ways the government can respond.
First, because Congress this year failed to pass the Cybersecurity Act, a bipartisan measure that would have been an important first step, President Barack Obama would be justified in taking the initiative. He could issue an executive order directing regulators to require companies operating critical infrastructure to meet federal cybersecurity standards. The order should follow the spirit of the legislation: Companies should have to meet certain goals, but be given free rein to determine how best to do so. As a partial blueprint, regulators could use the Consensus Audit Guidelines, a set of 20 best practices developed by government agencies and private-sector cybersecurity experts.
As we’ve argued before, uniform federal requirements are the best way to ensure companies spend enough to protect their networks. A study by Bloomberg Government of 172 organizations found that cybersecurity spending would need to increase almost nine-fold to repel 95 percent of potential attacks. Under current rules, responsible businesses that make such investments are at a competitive disadvantage to those that don’t. A single set of requirements would even the playing field and reduce the chance that one poorly secured company would leave everyone else vulnerable.
Second, Panetta said that the Department of Defense is drawing up new rules of engagement for the age of cyberwarfare. In doing so, it should make clear that the U.S. is prepared to preempt attacks, and to respond with overwhelming force — in kind or through conventional warfare — when facing a serious threat. Adversaries disrupting essential services, stealing information or engaging in espionage should know that they can be targeted for retaliation.
What the Pentagon shouldn’t do is draw “red lines” — or describe the specific U.S. response to various types of attacks or intrusions. If adversaries know precisely what they can’t get away with, they’ll have an incentive to invent new weapons and new forms of attack. Red lines could also commit the U.S. to imprudent reactions. Panetta was right to say that any retaliation should be a presidential decision: Cyber attacks can escalate quickly and have unpredictable consequences, and they should only be undertaken in extreme circumstances.
He was also right to note that more information-sharing between the government and the private sector — with adequate privacy and legal safeguards — is essential. Establishing hotlines between countries, much as the U.S. and the Soviet Union did during the Cold War, would also help. And increased investment in cyber-intelligence and forensic investigations should be a priority.
Our digital infrastructure is vulnerable. Yet the Department of Defense can’t do everything on its own. Companies that don’t protect themselves are putting both their bottom lines and national security at risk. Yes, cybersecurity standards are an imperfect response to a strange and dangerous new realm of warfare. At the moment, though, they’re the only thing standing between us and the abyss.