What keeps Pentagon planners today up at night, even more than the threat of a terrorist attack? It is the prospect of an act of cyberwarfare – an incursion into America’s financial systems, water treatment plants, or the electrical grid that keeps lights on and homes heated.
“Cyber will overtake terrorism as the persistent, gnawing, constantly-at-us kind of threat and danger,” warned Ashton Carter, deputy secretary of Defense, at a conference last month in San Francisco. He was relaying the fears of FBI Director Robert Mueller, who has been describing the dangers of cyberincursions in the same stark terms for months.
On this front, Pentagon officials have become increasingly vocal. They routinely hire teams of professional hackers to find vulnerabilities in computer systems. And they have lobbied to pass legislation currently circulating on Capitol Hill to step up information-sharing between the government and private industry to increase cybersecurity, especially when it comes to “critical infrastructure” such as power plants.
Yet this information-sharing raises eyebrows among some critics outside the Defense Department, who say private companies have enough incentive to improve cybersecurity without legislating it, and that such exchanges between the Pentagon and industry have the potential to compromise privacy.
The Pentagon, for its part, makes no secret of the fact that, even in a time of fiscal restraint, there is money to be had for firms that can help make the cyber realm more secure. In the midst of tense defense budget negotiations, “I can just tell you that at no time in the deliberations ... was it even considered to make cuts in our cyber expenditures – not even considered,” Mr. Carter said.
In fact, that portion of defense spending is increasing. It would increase still more “if we could find more worthy investments to make,” Carter added.
Even so, companies don’t necessarily understand the threat of cyberattack, Pentagon officials say. Though the “long march” toward cybersecurity is just beginning, Carter says, “It’s difficult to embark on this march, because the market, both economic and political, undervalues security at the moment – doesn’t see it, doesn’t fully get it,” he added. “And I’m afraid events will soon prove it wrong.”
Legislation on Capitol Hill would require a certain degree of federal oversight of cyberprotection for “critical infrastructure” such as power stations and water plants. Disabling such facilities by attacking their computer systems, say defense officials, would be a “cyber Pearl Harbor.” The bill also would require private firms to let the government know when their systems are hacked.
This seems reasonable, say US officials. “There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again,” the FBI"s Mr. Mueller said last month. “Maintaining a code of silence will not serve us in the long run.”
Yet it remains unclear how information that private companies share with the US government might be used, says says Jerry Brito, a senior research fellow at the Mercatus Center at George Mason University. “Are we going to start profiling terrorist suspects based on their Internet habits?" he asks. "There are all sorts of things you can do with this information.”
Some say the threat of attacks on these plants may not be as great as some Pentagon officials seem to think.
“We’ve seen what a blackout looks like. It’s not fun,” says Dr. Brito, who also directs the Technology Policy Program at the Mercatus Center. “But it’s not such a huge overwhelming concern that it’s an existential threat – I really haven’t seen any evidence of that.”
Just how much of a role the Pentagon needs to play in defending these systems remains an open question, too, Brito adds. “I’m personally skeptical that we need legislation to solve these cybersecurity issues,” he says. “Why do we believe that the private sector doesn’t have an incentive to protect itself?”
While the threat is real, plant owners, too, have an interest in defending against it. “Folks who own a nuclear power plant invest billions into it – they don’t want to see that investment destroyed,” Brito says.
Disabling power plants and other critical infrastructure is difficult enough that terrorist groups, many of whom are luddites, aren’t capable of doing it, some argue. The only groups that currently have that capability are foreign militaries, such as China's, Brito says, and China and the US have enough economic links that a cyberattack on US infrastructure by China is not a very distinct possibility.
But the Pentagon is not dissuaded from sounding the alarm. At a recent hearing of the House Armed Services Emerging Threats subcommittee, a top official at the Defense Advanced Projects Agency, or DARPA, the Pentagon’s internal futuristic think tank, urged not only the expansion of America’s cyberdefenses, but also the development of offensive cyber capabilities as well – which could include, say, honing the ability of US forces to shut down the power grids and financial systems of other countries.
“Modern warfare demands the effective use of cyber, kinetic, and combined cyber and kinetic means,” Kaigham “Ken” Gabriel, deputy director of DARPA, recently told lawmakers. “We need cyber options that can be executed at the speed, scale, and pace of our military kinetic options,” he added. “We need approaches that match the diversity, dynamic range, and operational tempo of DOD activities.” In short, he said, “We need more options.”