In recent months, the specter of a looming cyber "Pearl Harbor" has reappeared -- the phrase having first come into use in the 1990s. But it is the wrong metaphor. Given the surefire emotional effect evoked by memories of the "day of infamy," how can this be? How are good cyber security legislation and regulations to be enacted and pursued in the absence of such galvanizing imagery? Clearly, the Obama administration thinks that trotting out the Pearl Harbor metaphor is essential, and so a range of officials, right up to Defense Secretary Leon Panetta, have been using it recently. But there is a fundamental problem: There is no "Battleship Row" in cyberspace.
In December 1941, a great deal of American naval power was concentrated at Pearl Harbor and Japan dealt it a sharp blow, enabling Imperial forces to pursue their expansionist aims for a while. Of the eight U.S. Navy battleships that were there, four were sunk and the other four were seriously damaged. And if the Kido Butai, the Japanese carrier strike force, had caught the three American aircraft carriers deployed to the Pacific in port -- they were out to sea at the time of the attack -- or had blown up the base's massive fuel storage tanks, the damage would have been catastrophic. Pearl Harbor was a true "single point of failure."
Nothing like this exists in cyberspace. Indeed, part of the logic behind the creation of the Internet, going back more than 40 years now, was to ensure continued communications even in the wake of a nuclear war. Redundancy and resilience are the key notions that shaped the structure of cyberspace. Yes, there are very important nodes here and there; but workarounds and fallbacks abound. Cyberspace is more like the oceans that cover two-thirds of the world: it has its choke points, but there are always alternate routes.
If the Pearl Harbor metaphor is misleading -- encouraging the belief that strong defenses concentrated in one or a few major areas can protect most, if not all, threatened spaces -- there may be another harbor metaphor that does much more good. This one comes from World War II as well and has to do with the harbor lights of the Eastern seaboard cities. Very soon after Germany declared war on the United States -- in the immediate aftermath of Pearl Harbor -- U-boats were dispatched to attack shipping on our side of the Atlantic. German submarine skippers were assisted in their task by the failure of President Franklin Delano Roosevelt to order a blackout along the coast. And so the U-boats had what their crews called "the happy time," teeing up targets for night attacks because they were illuminated against the backdrop of blazing city and harbor lights.
For several months in 1942, mayors of coastal cities resisted pressure to enforce blackouts because of the loss of business they feared would ensue, plunging an economy still not fully recovered from the Depression into a new downward spiral. It was only when shipping losses grew dangerously high -- over a million tons were sunk in the first four months of 1942 -- that a blackout was finally put in place and merchant ships began to move in escorted convoys. This didn't put an end to the U-boat menace, but did bring it under control.
Today, the "harbor lights" are on all over cyberspace. A wide range of targets is well illuminated, highly vulnerable to all manner of cyber mischief. Our armed services, increasingly dependent upon their connectivity, can be virtually crippled in the field by disruptive attacks on the infrastructure upon which they depend -- but which is not even government-owned. Leading commercial enterprises hemorrhage intellectual property to cyber snoops every day -- a point Governor Romney made twice in his debates with President Obama. And countless thousands of Americans, having had their personal security hacked, are now serving unwillingly and unknowingly as drones or zombies, pressed into service in the robot networks, or "botnets," of master hackers.