LONDON — In the fall of 2012, aboard a retired aircraft carrier permanently docked on the west side of Manhattan, I listened as then-United States Secretary of Defense Leon Panetta delivered one of the most chilling speeches I have ever heard. To a roomful of leading CEOs and military leaders, Panetta spoke about the new cyber threats faced by civilized society and the many ways in which America’s adversaries could use computer networks to spread panic, paralyze the country and inflict mass casualties.
“Let me explain how this could unfold,” he said. “An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches. They could, for example, derail passenger trains or, even more dangerous, trains loaded with lethal chemicals. They could contaminate the water supply in major cities or shut down the power grid across large parts of the country.
“The most destructive scenarios,” he continued, “involve cyber actors launching several attacks on our critical infrastructure at one time, in combination with a physical attack on our country. … The collective result of these kinds of attacks could be a cyber-Pearl Harbor, an attack that would cause physical destruction and loss of life. In fact, it would paralyze and shock the nation and create a new, profound sense of vulnerability.”
Those words echoed again for me with today’s news that a mammoth breach of data occurred last month at America’s second-largest health insurer, Anthem. The attack, which authorities have linked to Chinese hackers, reportedly pilfered the birthdays, Social Security numbers, email addresses and home addresses of 80 million customers and employees. This comes on the heels of a series of cybercrimes that have recently ricocheted through headlines — from the vicious attack that sought to destroy Sony’s computer network to the more benign hacking of the YouTube and Twitter accounts of the U.S. Central Command by somebody claiming links to the Islamic State.
While Panetta’s fears have thankfully not yet been realized, it’s time to acknowledge that cyberwar is a greater threat to the U.S. today than more traditional forms of terrorism. If the first 15 years of the 21st century were defined by the so-called Axis of Evil — the phrase George W. Bush applied to Iraq, Iran, and North Korea in the days after 9/11 for their support of terrorists — the next 15 years will likely be defined by the Access of Evil, as state and non-state cyberterrorists use technology to bypass our defenses in ways that damage businesses, lives, and nations.
There is little question about the charter members of this club. As Texas Congressman Michael McCaul, the chairman of the House Committee on Homeland Security, recently put it, “Russia, China, North Korea and Iran are increasingly hacking into U.S. companies and government networks for espionage purposes or financial gain.”
So what does this Access of Evil look like?
Russia has been tied to state-sponsored cyberattacks as far back as 2007, when Kremlin-linked hackers disabled the government websites of Georgia and Estonia. Last fall, Western governments accused Moscow of sponsoring cyberattacks that sought to infiltrate the White House, the German government, the North Atlantic Treaty Organization (NATO), the Ukrainian government, telecom companies and universities. More troubling were reports that Russia, angry over Western sanctions for its illegal invasion of Ukraine, had gained access to some of the industrial-control software that drives part of America’s critical national infrastructure. For good measure, last July’s cyberattack on J.P. Morgan — which saw hackers steal personal information from 83 million account-holders — was also traced back to Russia.
China is strongly believed to have funded a program starting in 2006 (dubbed Operation Shady Rat) that saw its hackers stealing information from more than 70 national governments, global corporations and nonprofit organizations. In 2012, the Pentagon accused China of attacking U.S. government computers to extract sensitive information. Last May, a U.S. grand jury indicted five hackers associated with the Chinese military for stealing information from six American companies in the nuclear and solar power industries and passing it along to competitors in China. Today’s Anthem news is just more of the same.
Meanwhile, North Korea has reportedly carried out six major cyberattacks on South Korea since 2009, costing that nation nearly $1 billion. Warning bells were raised last September when Hewlett-Packard issued a cyberthreat report alleging that Pyongyang was significantly expanding its cyberwarfare capabilities. Those fears were realized in December, when both the Federal Bureau of Investigation and the U.S. Department of Homeland Security linked the attack on Sony Pictures Entertainment to Pyongyang. Further stoking fears, last month, Seoul alleged that Kim’s hacker army was now 6,000 strong and planning new digital mayhem.
Iran, by contrast, was first associated with cybercrime as a victim. In 2012, Iran’s nuclear program was the target of a massive cyberattack — allegedly spearheaded by Israel and the U.S. — that infected the software running hundreds of centrifuges as they spun uranium into nuclear material, causing them to lose control and fail. Iran reportedly retaliated by backing a massive attack that disabled three quarters of the computers at Saudi Arabia’s national oil company. By early 2013, having invested billions to improve its online arsenal, Iran declared itself the “fourth biggest cyber power among the world’s cyber armies.” A remarkably sophisticated Iran-linked attack on the websites of major U.S. banks, combined with the news that Iran had successfully infiltrated the U.S. Navy’s network, raised alarm bells and led the U.S. Army War College’s Strategic Studies Institute to declare that “Iran as a cyber power is the elephant in the room that everyone is finally beginning to notice.”
And this is just the start — according to intelligence reports, more than 140 countries have some kind of cyberweapon development program. For small nations in particular, like North Korea, which has just 24 million people, cyberwarfare is the great equalizer, enabling them to take on larger nations and wreak havoc in ways that aren’t possible with conventional warfare.
Of course, with the leak of thousands of classified documents by former U.S. government contractor Edward Snowden in 2013 and their revelations of secretive global surveillance programs run by the U.S. National Security Agency, every member of the Access of Evil has charged the U.S. government with hypocrisy. That’s understandable. But I’d argue that there is a world of difference between using technology as a cyberear — to monitor global networks in order to root out terrorist cells and advance global security — and using it as a cyberweapon to steal, disrupt and destroy the hard work of others for one’s own benefit.
Thus far, the damage of this ongoing cyberwar has been largely commercial, costing the world economy an estimated $575 billion a year. Last year, a range of U.S. companies — from Target to Home Depot to eBay — were added to a list of more than 75 American corporations that have suffered attacks resulting in a million records or more being compromised or publicly disclosed. We now have a decade’s worth of stories like the one recounted in Fortune last fall, of an American biomedical company that went through a five-year process to introduce a new innovation to market — only to see a Chinese competitor infiltrate its mainframe, steal its design, and rush the same exact product to market in less than half the time.
While we have been spared the kinds of attacks that Panetta spoke about, a leading expert on cybersecurity warned The Times of London that such attacks are “very close.” And the worst part, said Eugene Kaspersky, who advises organizations ranging from Interpol to the British government, is that “[s]tates are scared. They’re absolutely not ready for this challenge [and] they don’t yet have the strategy in place” to stop attacks on national infrastructures. Indeed, numerous organizations have warned that the U.S. electrical power grid in particular is nearly defenseless against cyberattacks. With extremist organizations like ISIS already using social media in sophisticated ways to attract recruits, cyberwar could be the next battlefield.
For 40 years, Americans have asked: What is the next moonshot? What big, audacious goal could this generation set that is as grandly ambitious as President John F. Kennedy’s 1961 challenge that America should land on the Moon within a decade? I think it is this: to bring together our best public and private minds, our best companies and not-for-profit organizations, our best innovators and entrepreneurs, and find a way to ensure that the technology lifting our economy and our world to new heights today doesn’t also become the means and tools of our destruction.
I’ve lived through one Pearl Harbor in my lifetime. We can’t afford another one.