Do we need to take cyberattacks more seriously?
Thomas Rid's warning against cyberwar hype ("Think Again: Cyberwar," March/April 2012) would be more useful if it were not also a contribution to the jousting match between those who claim we're fighting one already (Rid's right; we're not) and those who say there's nothing to worry about (he's wrong; there is).
We're in a period between war and peace when even supposedly secret communications are vulnerable and nasty cyberoperations are becoming the norm. What confuses matters is that we use "attack" to refer to everything from a network probe to a penetration to steal information to a penetration to destroy or degrade a system or the information on it. Even real attacks do not amount to acts of war unless they have physical results.
Rid's dismissal of supply-chain operations is also troublesome. He pooh-poohs accounts of the 1982 Soviet pipeline explosion because the KGB denied it (duh!) and the CIA declined to confirm it (double duh!). Every large corporation I deal with is concerned about supply-chain security -- not just the Pentagon, which has already suffered system degradations. This isn't just a threat from commercial counterfeiting. Supply-chain attacks are a bread-and-butter technique of foreign intelligence services.
Rid is similarly cavalier when arguing that cyberattacks on infrastructure are now more difficult to execute because "[s]ensitive systems generally have built-in redundancy and safety systems." If only this were true of our electric grid! As the North American Electric Reliability Corp. reported in 2010, supposed efficiency improvements "have allowed some inherent physical redundancy within the system to be reduced."
I don't know a single front-line cyberoperator who agrees with his assessment that offensive tactics do not have an inherent advantage over defensive measures in the present state of technology. We are being penetrated, and our infrastructure is vulnerable.
Author, America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare
Thomas Rid replies:
The consulting outfit Digital Bond recently demonstrated that industrial control systems -- specifically, certain components of so-called SCADA systems -- run software that does not prioritize security. These field devices control all sorts of stuff that moves around, from trains to oil to elevators. Worse, many such systems are exposing their open flank through the Internet.
So Joel Brenner is right: Yes, we're very vulnerable. Yes, plenty of actors out there have malicious intent. Yes, we're being penetrated. And yes, we should do something about these problems -- urgently. But harping on about wholesale cyberwar is counterproductive. Discussing WikiLeaks, commercial espionage, financial fraud, and the most potent intelligence operations in the same breath displays a lack of much-needed nuance. Only the thin top end of that range of threats is really scary. "Supply-chain attacks," Brenner insists, "are a bread-and-butter technique of foreign intelligence services."
Why, then, have we not seen a more serious attack against SCADA systems? Stuxnet has been the most spectacular attack to date. Even that mean worm, however, in the larger scheme of things, neither halted nor significantly dented Iran's nuclear program. No serious treatment of cyberwar can dodge this question any longer. Only scaremongers can.
My colleague at King's College London, Peter McBurney, and I have tried to answer this question. Developing and deploying a destructive cyberweapon requires significant resources, intelligence, and time. And the more destructive the design of such a weapon, the smaller the number of targets, the smaller the risk of collateral damage, and, ultimately, the smaller the political utility of cyberweapons.