Here’s a chilling story (“In Digital Combat, U.S. Finds No Easy Deterrent”) about the U.S.’s vulnerability “to a sophisticated cyberattack aimed at paralyzing the nation’s power grids, its communications systems or its financial networks.” The –Pentagon war game, modeled on recent attacks on Google and other companies, left its participants “dispirit[ed]–
The enemy had all the advantages: stealth, anonymity and unpredictability. No one could pinpoint the country from which the attack came, so there was no effective way to deter further damage by threatening retaliation. What’s more, the military commanders noted that they even lacked the legal authority to respond — especially because it was never clear if the attack was an act of vandalism, an attempt at commercial theft or a state-sponsored effort to cripple the United States, perhaps as a prelude to a conventional war.
Among many sobering post-game realizations was this: a cyberattack could target private institutions and “cripple a country . . . without ever taking aim at a government installation or a military network.” A participating deputy defense secretary compared the current Internet security measures protecting major institutions to the Maginot Line:
A fortress mentality will not work in cyber . . . We cannot retreat behind a Maginot Line of firewalls. We must also keep maneuvering. If we stand still for a minute, our adversaries will overtake us.
Lest you think the underwear bomber reference gratuitous, it’s prompted by Bruce Schneier’s criticism of airport security theatre in the wake of the attempted Christmas Day attack:
[T]he proposed fixes focus on the details of the plot rather than the broad threat . . . The problem with all these measures is that they’re only effective if we guess the plot correctly. Defending against a particular tactic or target makes sense if tactics and targets are few. But there are hundreds of tactics and millions of targets, so all these measures will do is force the terrorists to make a minor modification to their plot.
As I said, it’s chilling.