Leon Panetta was blunt, even for a guy who is known to speak his mind. In the heady aftermath of the Osama bin Laden mission, Panetta’s authority on Capitol Hill was all but unquestioned. Despite an atmosphere of bitter partisanship, the longtime Democrat was about to be confirmed as Defense secretary by a vote of 100-0, a rare feat in any era. Now Panetta, the outgoing CIA director, was telling a rapt audience of senators at his confirmation hearing that America’s national-security defense apparatus was underestimating the gravest danger out there. “We talk about nuclear. We talk about conventional warfare. We don’t spend enough time talking about the threat of cyberwar,” he said. “There’s a strong likelihood that the next Pearl Harbor that we confront could very well be a cyberattack.”
Whoa. Really? You mean, thousands of people could die in a cyberattack? How exactly would this happen? Could it be like some sort of monstrous video game run amok? Or the 1980s classic War Games, in which a teenage Matthew Broderick almost hacks his way into starting a nuclear war? One thing is certain: Panetta is hardly alone in his alarm; indeed, he is channeling the fears of the nation’s top generals and spooks.
On July 14, the Pentagon rolled out its first-ever “cyberspace strategy”—a critical need for the United States because, as Deputy Defense Secretary Bill Lynn declared with alliterative flair that day, “bits and bytes can be as threatening as bullets and bombs.” The U.S. government is now spending about $12 billion a year to wage both offense and defense in cyberspace, and it has set up a Cyber Command at Fort Meade in Maryland. The Homeland Security Department conducts regular war games that it calls “cyberstorming.” A new multibillion-dollar military-industrial complex is emerging, with giant defense contractors like Boeing and Northrop Grumman transforming themselves into part-time cybersecurity contractors.
In truth, cyberskeptics abound. They include many independent analysts as well as some of Panetta’s high-level colleagues in the Obama administration. These skeptics say that much of the alarm stems from a fear of the unknown rather than from concrete evidence of life-and-death threats. It is, they suggest, a 21st-century version of the medieval mapmakers who would mark the boundaries of the known world and then draw mythical beasts on the other side conveying the message: “Here, there be dragons.”
Here was Rep. Mac Thornberry, R-Texas, vice chairman of the House Armed Services Committee, in a recent interview with National Journal: “Very serious four-star generals tell me that cyber is the thing they worry about of all the potential threats, because there is so much that is unknown, and because our laws and military doctrines are so far behind.” For military officers who are trained to plan for every variable, the prospect that an attack on the United States might include some exotic cyber component is the dragon they understand the least. And critics worry that this fear is only going to create the biggest dragon of all: a permanent military-cyber industrial complex not unlike the one that President Eisenhower warned of at the dawn of the nuclear age.
As a result, some skeptical cyberexperts say, the most serious threat may come not from abroad but from our own perceptions and overreactions. Recall the hype around Y2K, the computer glitch that was supposed to paralyze systems around the world once their calendars ticked over to the year 2000. Or think back to a half-dozen “cyberattacks” that turned out to be much less dangerous than believed. To cite just one example: In 1998, someone tried to hack into the Defense Department’s computers in what then-Deputy Defense Secretary John Hamre called “the most organized and systematic attack to date” on U.S. military systems. Suspicions focused on Iraqis conducting “information warfare.” Then it came to light that the culprits were a couple of California teenagers (real-life Matthew Brodericks) egged on by an Israeli teenager.
The danger is that the U.S. government will do what it has been arguably doing in spades since 9/11: overreact. Spend too much. Go overboard with surveillance. Crimp and constrain freedoms, this time involving the Internet.
“That is the history of counterterrorism in this country,” says Neal Pollard, a cyberterrorism expert who has advised the U.S. and British governments, including the U.S. director of national intelligence. “There’s not a whole lot that’s new here. We used to hear about an ‘electronic Pearl Harbor.’ And a ‘digital Pearl Harbor.’ Those types of martial metaphors have gone back to the late ’90s. I don’t think they are particularly helpful. Pearl Harbor was a surprise attack taking out our battleships. Well, we don’t have battleships anymore. We’ve been hearing these kinds of terms for nigh 15 years without any sort of precise thought behind them.”
This article appears in the July 23, 2011 edition of National Journal Magazine.