Despite many warnings, no major attack has occurred in the United States. So, it's reasonable to ask why this hasn't happened yet and if it ever will.
For the past few years, U.S. officials have warned of a potential massive cyberattack on critical infrastructure, similar to the Japanese attack on Pearl Harbor in 1941. Last year, then-Defense Secretary Leon Panetta reiterated the threat of a looming "Pearl Harbor," describing a grim scenario of passenger trains derailing and water supplies being poisoned by hackers.
Press articles and opinion pieces echoed these warnings with alarming headlines like "The Gathering Cyber Storm," "Is America Prepared for a Cyber Pearl Harbor?" and "The Looming Certainty of a Cyber Pearl Harbor." The nature of such an attack varies depending on who you ask. Many experts suggest it could cause physical destruction, like a virus designed to take down the power grid, plunging entire cities into darkness. Alternatively, the attack might target financial systems instead of physical ones, such as a coordinated assault on banks that could crash the economy, similar to the smaller-scale incident in Estonia in 2007 (major banks have already conducted drills to prepare for such an attack). Despite all the discussions and warnings, no attack of this scale has occurred in the United States, at least not yet. This raises the question of whether the threats are overstated. If a determined adversary had the chance to launch such an attack, why haven't they done it by now?
Some officials are starting to downplay the warnings. "We believe there is a low chance of a major cyber attack on US critical infrastructure systems in the next two years that would cause long-term, widespread service disruptions, like a regional power outage," James Clapper, the Director of National Intelligence, told the US Congress earlier this year. "It's not something we've seen so far," said James Caulfield of the Advanced Cyber Security Center in Boston earlier this week. "It would take as much effort as bringing in a bomb."
Here are some reasons why a cyber Pearl Harbor hasn't happened yet, and might never happen:
Cyber weapons don't always work
When Stuxnet, a virus targeting Iran’s nuclear facilities, was revealed in 2010, it seemed to show that such attacks could actually destroy physical infrastructure, not just disrupt or exploit digital information. The Stuxnet virus was specifically designed to make gas centrifuges used for enriching uranium spin out of control and self-destruct.
While many saw this as proof that cyber attacks could cause significant damage, some have since questioned how successful Stuxnet really was. Earlier this year, Ivanka Barzashka, a research associate at the Centre for Science and Security Studies at King’s College London, published an analysis of Iran’s uranium enrichment capabilities. She argued that even if Stuxnet destroyed some of Iran’s centrifuges, it had little impact on the country’s capabilities. “Clearly, Stuxnet had the potential to seriously damage Iranian centrifuges, although there are many technical limiting factors to the malware's success,” writes Barzashka. “Public evidence of Stuxnet's impact is circumstantial and inconclusive.”
In fact, she argues, the data from the International Atomic Energy Agency shows that Iran, despite the Stuxnet attacks, was able to increase its uranium enrichment, potentially moving closer to a nuclear weapon.
The metaphor is incorrect
Part of the issue with the "cyber Pearl Harbor" metaphor is that while the threat is real, the comparison might not be accurate. Pearl Harbor was not only a sudden and devastating attack on U.S. military forces in the Pacific, but once it happened, both the military and the public recognized the threat. A major cyber attack might not be immediately crippling. “The most pressing cyber threat is not likely to be a single, sudden attack that cripples the United States,” wrote Adam Segal, a senior fellow at the Council on Foreign Relations.
This doesn't mean the threat is exaggerated, but the attacks might come as ongoing damage through data theft or by undermining trust in the Internet. “These low-intensity but disruptive attacks are increasing and can harm banking, transport, and communication systems,” Segal continues. “Over time, future attacks could become even more destructive as cyber weapons and capabilities spread and as electricity, power, transport, and communication infrastructures become increasingly reliant on the Internet.”
It's already happening
The most concerning aspect of cyber warfare might be that while people are focused on a major attack, they overlook what's already occurring. This is what some experts are suggesting. Financial attacks occur daily, and there are ongoing reports of targeted foreign attacks on American defense and aerospace companies. The government is also at risk: the Pentagon disclosed it was the target of a massive cyber infiltration in 2008, which officials linked to a foreign espionage agency.
In other words, the attacks are already happening, just not as a single event. "Today, the ongoing compromise of sensitive military information systems, the theft of intellectual property, and the recruitment of men, women, and children into zombie armies, all these pass largely beneath our levels of awareness," wrote John Arquilla, professor of defense analysis at the US Naval Postgraduate School. "Cyberwarfare is a lot like [US poet] Carl Sandburg's fog, coming in on ‘little cat feet’."