In this business, every once in a while you hear somebody bring up the “digital pearl harbor” – sometimes you hear it as “cyber pearl harbor” or (also occasionally, to convey a slightly different connotation) the “digital (or cyber) 911”.
This is “a thing” that comes up from time to time and has for years. And, in fact, today we have an article over on Naked Security posing the question “how likely is it?” to occur. The gist of the article is that it’s been 20 years since someone coined the phrase (which, by the way, seems spurious to me – I contend it’s been maybe longer since the original inception, but whatevs). They spend the article discussing the relative probability of this hypothetical event occurring, and reach what seems to be the general conclusion that it’s improbable but maybe could happen someday. Not sure how much new information that is, but I get it that it’s productive to discuss.
This could very well be true — i.e. that the “cyber-zombie-apocalypse” is unlikely in the next few years (maybe, could be, who knows). But here’s the deal: the question as discussed doesn’t specify a time horizon. The problem with that is that it leaves something really important out of the discussion. Here’s what I mean. If I were to ask you, “what is the probability that pigs will grow wings and fly?”, you’d say that’s pretty unlikely, right? Or “how likely is it that a team of rabid lemurs will win the super bowl?” Also, unlikely. But now assume an infinite time horizon and a non-static, cyclical universe. In that case, the answer (to both questions) is absolutely, provably, “100%.” The same answer as the typewriter monkeys coming up with Hamlet. So really, there’s something off about the question that we’re asking if we leave out when. Meaning, It’s not “will there be a cyber-pearl-harbor?” but instead, “when will it occur?” Because it eventually will – (channeling my best Justin Wilson) “I Gerr-on-tee.”
So let’s assume for the minute that we accept that logic and we assume that this will eventually occur. Is it a short term or a long term thing? Can we point to factors that are likely to make it more or less likely? I think we can. Factors that make it more likely are: 1) belligerent/bellicose digital “powers” such as nation states (e.g. Russia, China, North Korea), 2) an atmosphere rife with vulnerabilities and other “low hanging fruit” critical infrastructure issues, 3) issues with security posture at points that support critical infrastructure, 4) lack of guidance for those points about how to improve and lack of regulatory oversight for same, and 5) vulnerability to single points of critical infrastructure failure. Sound familiar?
Look, I hate FUD. Anybody who knows me knows this to be true. However, it seems to me that anything that we can do to make the “digital pearl harbor” more likely we have already invested heavily in. So I don’t know how one can support the conclusion that it’s unlikely. In fact, I’m at the point of speculating why it is that it hasn’t happened already. In fact, I think the main motivator (at least for a nation state actor) about why it hasn’t happened yet is because we’re all in the same boat. Retaliation is likely to be swift and in kind – kind of like “mutually-assured cyber hijinx” or whatever.
Anyway, tl;dr is that this thing is absolutely coming. That’s not FUD, it’s math. Ergo, it seems to me that we should prepare for the eventuality just the same way that we prepare for other attacks. If we can’t scrape together the national will to at least address a few of the points that make it more likely (see above), maybe we could do just a little bit of prep? A touch of oversight? A soupcon of getting it done? Or is that asking too much?