The U.S. defense secretary has warned of a cyber-Pearl Harbor. The national intelligence director ranks cyber threats just behind terrorism and weapons of mass destruction on his list of top U.S. threats. But does the actual threat match those words?
Despite recent successful attacks against Iran's nuclear research infrastructure using malicious software and computer viruses, some experts say the threat of a crippling cyber ambush against U.S. defense systems is overblown.
"It's ridiculous," says Benjamin Friedman of the CATO Institute, who is co-editing an upcoming book on cyber threats. "That kind of rhetoric lets people talk of grand hypotethicals that have not actually occurred without much thought or analysis."
Larry Korb, a former Pentagon official now at the Center for American Progress, calls cyber "just the latest fad" in national security circles. "People say 'cyber war,' but what does that mean?" asks Korb. "No potential enemy is going to disable our Internet and then attack us with nuclear weapons."
Friedman labels the warnings of senior government and industry officials about the economic and security dangers posed by an Internet-based attack "wildly overblown."
While some cyber experts have said a cyber attack was the cause of the 2003 electrical blackout that left much of the American east coast in the dark, Friedman says there is "no evidence" of that.
"Cyber alarmists say someone could shut down important public infrastructure systems," Friedman says. "But cities have put up firewalls and switched to private networks that you can't hack into unless they are really dumb about how they run their networks."
Acting Deputy Assistant Secretary of Defense for East Asia and Asia Pacific Security Affairs David Helvey told reporters on May 18 that officials now have greater confidence that many cyber attacks emanate from Chinese soil.
"China's investing in not only capabilities to better defend their networks, but also they're looking at ways to use cyber for offensive operations, Havely says.
Korb chuckles about the prospect of a major Chinese cyber strike on U.S. national security networks.
"Okay, and then what?" Korb asks. "So the Chinese do it, but then what do they do?"
While there are pockets of doubts in national security circles about the severity of the cyber threat, even the most skeptical experts acknowledge government and industry officials are right to be paying ever-increasing attention.
"It is a big deal," says Friedman. "It's a really important problem," pointing to activities like cyber-based espionage and the theft of data on less-secure networks.
Korb says "there certainly is a need to be concerned about it … but if people do it, I think they'll do it for commercial reasons."
Looking beyond the rhetoric of U.S. officials, experts say Washington—so far—doesn't appear to be over-spending on its cyber security efforts.
"Compared to the broader Pentagon or total security budget," Korb says, "I just don't see much money going into cyber."
In a forthcoming white paper shared with DOTMIL, Loren Thompson of the Lexington Institute states global cyber security spending in 2011 was $60 billion. The annual Pentagon budget is nearly $600 billion.
Thompson's report breaks with Friedman's and Korb's assessment: The threat is real, attacks are on the rise and cyber security deserves attention and resources.
"Cyber assaults against the vital networks of the federal government and private industry are expanding rapidly in their scale and intensity. In 2011, the number of attempted intrusions into the computerized control systems of domestic electric grids, oil refineries, transportation networks and other critical infrastructure rose fivefold from the previous year," Thompson writes. "Criminals stole the algorithms for controlling the International Space Station, which were stored on an unencrypted NASA laptop computer. And Chinese agents executed a sophisticated intrusion into the sensitive information systems of Lockheed Martin, the nation's biggest defense contractor."
Thompson paints a disturbing picture of the ramifications from a cyber strike.
"U.S. utilities might cease functioning without warning. Military command networks might collapse in the midst of a conflict," writes Thompson, also a defense industry consultant. "Financial, transportation and health care systems might be paralyzed."
Those scenarios represent "the dark side of the great advances the information revolution has delivered," the Lexington analyst acknowledges. "The only way of averting these dangers is to fashion a partnership between government and the private sector that provides seamless protection against all known threats."
To the frustration of many in the public and private sectors, however, this issue mirrors the tone in Washington these days: There is scant agreement on how to shape even the guidelines for such a partnership.
John T. Bennett covers national security and foreign policy for U.S. News & World Report. You can contact him at firstname.lastname@example.org or follow him on Twitter.
- Obama's Iran Options: Talk, Threaten or Attack
- Check out U.S. News Weekly: an insider's guide to politics and policy
- Chen Case Reveals Fragility of Chinese Communist Party