In 2013, when I was in graduate school studying cybersecurity policy, the Atlantic Council, a think tank in Washington, launched its annual Cyber 9/12 Student Challenge. Born out of fears of a coming “Cyber 9/11” or “Digital Pearl Harbor,” the competition asks students to come up with hypothetical response recommendations (hence the day-after title) tackling a fictional cyber catastrophe.
I’ve participated in that event many times over the years—both as a student and later as a faculty coach—so I’ve read through a number of different scenarios explicitly designed to be cyber Sept. 11 equivalents, ranging from widespread malware attacks directed at U.S. oil refineries to massive botnets of Internet of Things devices deployed to shut down power plants, trains, and shipping companies.
Yet, for all the years spent thinking about these scenarios, I’m still largely mystified by the comments director of national intelligence Dan Coats gave last week warning of a growing threat of a foreign actor executing a “crippling cyberattack on our critical infrastructure.” He suggested that the daily cyberstrikes on government, corporate, and academic institutions we see today are on par with the “alarming activities” that the U.S. intelligence community saw from al-Qaida in the weeks leading up to Sept. 11, 2001.
“Here we are nearly two decades later, and I’m here to say the warning lights are blinking red again,” Coats said in the talk at the Hudson Institute, apparently referring to increasingly sophisticated or high-volume intrusion attempts from Russia, China, Iran, and North Korea in recent years (activity that comes as no surprise to anyone who followed the Justice Department’s indictment of 12 Russian intelligence officers last week).
This certainly isn’t the first time a government official has raised the alarm about cyberthreats. Coats’ remarks strongly recall then–Defense Secretary Leon Panetta’s 2012 warnings about a potential “cyber-Pearl Harbor.” Still, Coats’ words suggest that what the intelligence community is seeing now constitutes something above and beyond the usual, expected level of online intrusion attempts and manipulation efforts—a kind of threat the likes of which we haven’t seen in nearly two decades. But for all their comparisons to Sept. 11, Coats and other members of the government’s intelligence community still haven’t given us a clear picture about what a cyber 9/11-like event would even look like. And if we’re going to continue talking about cyberattacks in such stark terms—and apparently we are—it’s important for leaders to explain what distinguishes the daily, routine cyber intrusions and attacks from the truly devastating ones.
The closest Coats came to giving a direct warning was to suggest that the 2018 midterm elections might feature some of the same kinds of Russian interference as the 2016 presidential election: more attempts to stoke political and social tensions on social media, more attempts to breach state election systems, and more attempts to hack into voter databases. He clarified that we are not yet seeing the kind of electoral interference this time around, though, he warned, “We fully realize that we are just one click of the keyboard away from a similar situation repeating itself.” That would certainly not be good news—but neither would it be something new, or necessarily more devastating, than what we’ve seen before.
Coats singled out Russia elsewhere in his talk, too, calling out Russian government actors for targeting public and private organizations in the “energy, nuclear, water, aviation and critical manufacturing sectors.” But, here again, it’s unclear if one of these might be the “critical infrastructure” he’s referring to in his warnings about a “crippling attack.” The sheer variety of these targets makes it hard to guess. Even if Coats has intelligence he’s not sharing (potentially for good reason) that suggests Russia has one of these specific marks picked out, there are lots of cyber intrusions and attacks that could be directed at any of those sectors—or the 2018 elections—that would not rise to the level of Sept. 11-scale damage. The standard example that cybersecurity alarmists typically trot out to illustrate what might be considered a “devastating cyberattack on critical infrastructure” is a strike that shuts down U.S. energy grids. No question, a full-scale shutdown of the power distribution systems in the United States would fit the bill. But there’s no particular reason to believe, based on his remarks, that this specific kind of attack is the one that Coats had in mind.
It isn’t just Coats who has failed to explain what he means when he issues such grave warnings about the possibility of an imminent, devastating cyberstrike. In general, Americans haven’t done a very good job of anticipating what the next set of online threats might look like or how hackers might target us. Nor have we managed to reach much consensus over what kind of cyberthreat might be damaging enough to warrant analogies to the 9/11 attacks.
The Russian interference in the 2016 elections provides a good example of the kind of online threat that, depending on who you ask, might or might not be considered a devastating attack on critical U.S. infrastructure or a so-called cyberwar. Similarly, some suggested the 2017 WannaCry ransomware attacks that shut down much of the U.K.’s National Health Service—as well as a number of other organizations worldwide, including transportation, telecommunications, and energy firms—constituted the first Cyber Pearl Harbor, while others dismissed it as nothing more than large-scale cybercrime. Ditto the ransomware shutdown of the city government of Atlanta earlier this year.
Since we still can’t agree on what constitutes a devastating cyberattack, or even necessarily what counts as critical infrastructure (while the Department of Homeland Security has designated 16 critical infrastructure sectors, election infrastructure—the focus of many of Coats’ remarks—remains sort of a gray area despite a decision from the departing Obama DHS to give it the same “critical” classification), it’s hard to see what purpose warnings about a looming cyber 9/11 or a cyber Pearl Harbor serve beyond drumming up misdirected anxiety and attention. Invoking these devastating days in our nation’s history implies that the digital threats we should be worried about will come in one individual, cataclysmic event—one so clearly devastating, and more damaging than any we’ve seen before, that such invocations will be unquestionably merited. But, for the moment at least, the threat landscape seems to be characterized more by a constant, gradual escalation of a diverse set of cyberattacks and other online threats.
It’s an important distinction because those latter threats matter. These lower-level attacks can be seriously damaging, even if they don’t happen in the sudden, bloody, highly visible ways of those days that will live in infamy. Most of the types of cyberintrusions Coats references in his talk—interference in election systems, breaches of the country’s infrastructure, theft of trade secrets and proprietary intellectual property, espionage by foreign powers—are unlikely to ever make it to those levels. That doesn’t make those threats less worrisome. But constantly invoking the threat of a looming Sept. 11-like attack diverts attention and resources from addressing the persistent and growing number of smaller strikes by suggesting there’s one bigger, scarier thing right around the corner. Instead of making us better prepared, it may just make the invocations of a looming cyber 9/11 even more tired.