The Washington PostDemocracy Dies in Darkness

The hack on the U.S. government was not a ‘cyber Pearl Harbor’ (but it was a very big deal)

(Kacper Pempel/Reuters)

The U.S. government has suffered a hacking attack that has potentially revealed highly sensitive information about millions of government employees. Some commentators are claiming that this is the “cyber Pearl Harbor” that they have been warning of for years.

Noah Rothman, writing for Commentary, says that this attack aims at the “preventative neutering of America’s defensive capabilities” and compares to the moment when “the zeros [sic] screamed out of the sky over Hawaii in 1941.” Rothman also says that the “professorial voices of mock prudence” have been proved to be utterly wrong, referring to a Monkey Cage post. We don’t particularly object to being described as professorial voices of mock prudence, but the underlying errors in Rothman’s post provide a useful opportunity to clear up some of the widespread confusion about cybersecurity and cyber war.

The hack on the U.S. government was not the “cyber Pearl Harbor”

Very serious people, including then-Defense Secretary Leon Panetta, have warned that the United States is vulnerable to a “cyber Pearl Harbor.” They have cautioned that adversaries could launch attacks on “critical infrastructure” and seek to disable or degrade “critical military systems and communication networks.” They argue that this could have crippling consequences for the nation.

By referring to “cyber Pearl Harbor,” observers are talking about attacks that — like physical attacks — could disable communications systems, power plants, electricity transmission systems and the like. Such attacks would indeed resemble the one on the real Pearl Harbor, a devastating surprise attack that could determine the outcome of a war. Our original post talked about the risk of a “major online attack aimed at taking down key communications systems,” as did the research by Erik Gartzke that was summarized in the article.

But hacking into information on U.S. government employees, however sensitive, is not a Pearl Harbor attack. It doesn’t disable large-scale communications systems, power systems or the like. It doesn’t have any direct consequences for the nation’s ability to defend itself. Instead, it is an (extremely worrying) exercise in espionage, of the kind that the original post distinguishes from Pearl Harbor-type attacks, noting that even if Pearl Harbor-type attacks are unlikely, “many actors have an interest in penetrating U.S. networks to spy or to carry out covert actions.”

The distinction between warfare and spying is important

Since people have begun to worry about cyber warfare, military and civilian experts have stressed that there is a crucial difference between cyber warfare and cyber spying. As the National Academies of Science pointed out in one of the most influential early documents on cybersecurity, we shouldn’t treat spying as an exercise in the use of military force:

. . . if a cyberattack would have the same effects as certain governmentally initiated coercive/harmful actions that are traditionally and generally not treated as the “use of force” (e.g., economic sanctions, espionage, or certain covert actions), such a cyberattack should also not be regarded as a use of force.

This expert report further warns that treating cyber-espionage as the equivalent of a military attack “overstates the actual threat, thus inflaming public passion and beating the drums of war unnecessarily,” as well as incorrectly implying that the United States should respond militarily. In actuality, nations have been spying on one another for centuries without going to war over it.

A strong distinction between warfare and spying is in the nation’s interest

The National Academies report says that treating cyber-espionage as an act of war could mean that the United States found itself “outside international norms even when it might not object to limiting certain attack capabilities.” More plainly put, the nation doesn’t want to treat cyber-espionage as Pearl Harbor-type attacks, because it engages in an awful lot of cyber-espionage itself. If successful cyber-espionage is an act of war, then the United States is engaging in overt warfare all the time, against its allies as well as its adversaries.

Many reports suggest that China is responsible for this latest hacking incident. The United States has indeed been trying to force China to stop engaging in certain kinds of hacking. However, the United States has been arguing that political espionage (where governments try to discover information that is in their national interest) is okay, but that commercial espionage (where governments try to hack into companies to pass on trade secrets to their competitors) is not. As Jack Goldsmith notes, the recent hacking is just the kind of cyber-espionage that the U.S. government has been defending as acceptable. Moreover:

This is almost certainly the type of collection we are trying to do, and probably succeeding in doing, against China’s government officials. . . . We can hardly go ballistic if we are doing the same thing.

If the United States wanted to treat this as the equivalent of a Pearl Harbor attack by China, it would have to deal with the fact that it has been engaged in the same kind of hostilities against China. In fact, the U.S. government doesn’t want to treat this attack as the equivalent of an act of armed hostility, and it is perfectly right not to, regardless of how much excitable Internet commentators may want to condemn it.

The key implications are domestic

Even if the United States should not treat this as a “cyber Pearl Harbor,” it should treat it as an important wake-up call. Espionage is a very real problem, and it appears that the nation has seriously let down its defenses. At the very best, this is enormously embarrassing for the U.S. government. Very likely, it is seriously damaging, just as other major incidents of espionage have been in the past.

It’s clear that there are grave cybersecurity problems within the federal government. As Marcy Wheeler notes, elementary security steps were not taken. It is very likely that there are much worse problems in the private sector. The appropriate responses to these problems are painstaking and technical improvements in security and procedures, not amateur dramatics on the Internet.

As noted on the Monkey Cage, the new U.S. cyber strategy moves away from Pearl Harbor alarmism to a focus on “advanced persistent threats” — sneaky and continuous forms of hacking that can gather large amounts of data and subvert systems over time.