Abraham Kaplan wasn’t addressing national security, but what he wrote in 1964 is broadly applicable and still fresh today:

I call it the law of the instrument, and it may be formulated as follows: Give a small boy a hammer, and he will find that everything he encounters needs pounding.

Transposed to adulthood, that principle might go some distance toward explaining certain mysteries in the story reported by John Markoff, David E. Sanger and Thom Shanker in Tuesday’s New York Times, titled, “In Digital Combat, U.S. Finds No Easy Deterrent.”

The story describes a recent exercise involving “top Pentagon leaders” that simulated their response to “a sophisticated cyberattack aimed at paralyzing the nation’s power grids, its communications systems or its financial networks” — with “dispiriting” results:

The enemy had all the advantages: stealth, anonymity and unpredictability. No one could pinpoint the country from which the attack came, so there was no effective way to deter further damage by threatening retaliation. What’s more, the military commanders noted that they even lacked the legal authority to respond — especially because it was never clear if the attack was an act of vandalism, an attempt at commercial theft or a state-sponsored effort to cripple the United States, perhaps as a prelude to a conventional war.

Thus, we are told, the pursuit of cyber-deterrence has yet to bear fruit.

But Why Deterrence?

A number of points are left unexplained, but let’s consider just two. First, are intrusions into computer systems really capable of shutting down a wide variety of critical physical systems? And second, if this is so, why is a deterrence strategy the preferred response?

If hackers could bring the nation to its knees at any time, one wonders why it hasn’t happened. It’s not as if America wants for unscrupulous, highly motivated, and fairly computer-savvy enemies. We shouldn’t dismiss the idea, since there has long been concern about the potential vulnerabilities of SCADA systems, although this seems more like an “insider” than a “hacker” problem. Regardless, let’s assume for the sake of argument that this is a serious ongoing problem.

So why would the threat of retaliation be the preferred form of protection for the national infrastructure? Even if an attack on the electrical grid could be attributed with high confidence — and the chances of that sound pretty dim — what if the hacker turned out to be a terrorist, a criminal for hire, or perhaps an amateur bent on mischief on a grand scale? Do we respond by turning out the lights in the perpetrator’s country of residence? I’m guessing not, especially if it’s Canada — or America, for that matter.

But even more basically, if you were a government official, and your best experts told you that a serious national vulnerability existed, wouldn’t your first thought be, “How do we fix that?” If a serious threat exists to computerized control systems linked to critical infrastructure, then some equally serious effort ought to go into securing them, even if that means isolating them from the Internet, just to be safe. Even if that means seeking a new grant of regulatory power. This is a national security matter, right?

Don’t get me wrong; I’m not averse to the idea of deterrence! But hammers are for driving nails, and this problem looks like a bunch of bolts, nuts, and washers.

For further reading: why the “cyber threat” mostly involves espionage — and poisoning relations between major powers.