Former Secretary of Defense Leon Panetta recently renewed his warnings about a looming “cyber Pearl Harbor.” Such a scenario, he said, could involve cyberattacks on critical infrastructure “cost[ing] lives” and “paralyz[ing] our country.” It is a warning he has trumpeted since at least 2012.
Others have foretold of an impending cyber Pearl Harbor for more than two decades. These warnings underscore that the Pearl Harbor metaphor continues to have great purchase in the U.S. cybersecurity debate. Certainly, improving critical infrastructure cybersecurity is an important priority. Nonetheless, continued framing of cybersecurity challenges in terms of cyber Pearl Harbor-like doom scenarios is a dangerous distraction.
"In a recent study, we examined uses of the Pearl Harbor metaphor in the United States cybersecurity debate from its earliest appearance in 1991 until just before the Russian cyberattack on the 2016 U.S. presidential election.” Over time, cyber Pearl Harbor has had a largely stable meaning focused on catastrophic physical impacts from cyberattacks on critical infrastructure. Though academic and industry experts have criticized this framing, government officials have continued to warn of a cyber Pearl Harbor and news media have uncritically circulated their claims. This is despite the fact that these claims are often ambiguous and lack evidence about who might carry out such an attack. Just months before the 2016 Russian cyber attacks, even Director of National Intelligence James Clapper told Congress that “cyber Armageddon”-like scenarios were not the real threat.
He was right. The 2016 Russian operations looked nothing like the apocalyptic cyber Pearl Harbor that has framed 25 years of cybersecurity debate in the United States.
So why does the obsession with such scenarios persist? The first reason is that critical infrastructure cybersecurity is, in fact, a real concern. But the second reason is that politicians and advocates find it difficult to resist the allure of appeals to fear when trying to raise awareness and motivate a response to social problems. In deploying fear, they often succumb to the assumption that if a little fear is good, then more must be better.
As a result, cyber Pearl Harbor-like doom scenarios become a perennial feature of our public policy debate. But as the 2016 Russian operations made painfully clear, such scenarios are not the only, or perhaps even primary, cyberthreats we face. We should be concerned, therefore, that continued reliance on cyber Pearl Harbor rhetoric could undermine our ability to identify and respond effectively to cyberthreats.
Scholars have long recognized the importance of language, including metaphors, for effectively framing and responding to problems. Military professionals have incorporated this thinking into their efforts to frame and respond to national security threats.
In 2009, for example, Cyber Command released “The Cyber Warfare Lexicon,” which observed, “Language is only secondarily the means by which we communicate, it is primarily the means by which we think.” This gave rise to the 2012 Cyber Analogies Project with the mission “to assist U.S. Cyber Command in identifying and developing relevant [...] metaphors that could be used to enrich the discourse about cyber strategy, doctrine, and policy.” The final report argued that appropriate “analogies, metaphors, and parables” are necessary to facilitate understanding of and responses to cyber threats.
Continued reliance on cyber Pearl Harbor-like doom scenarios to frame our thinking has had real, negative impacts. Constant worry about such doomsday scenarios has clouded our ability to perceive actual threats. There is a growing chorus of experts who claim that this is precisely what occurred in the run-up to Russia’s 2016 attacks. For example, James A. Lewis of the Center for Strategic and International Studies argued, “By focusing our defense on critical infrastructure as the target for cyberattack, we have created a cyber Maginot Line that our opponents easily move around.” Even before 2016, officials and experts repeatedly warned of imminent cyber doom, or even ranked cyberthreats higher than threats of terrorism or weapons of mass destruction, all while the real world continued to defy their predictions.
Pearl Harbor has exceeded its service life as a useful cybersecurity metaphor. Abandoning cyber Pearl Harbor would open space to explore potentially more appropriate metaphors. Other forms of conflict like piracy, counterinsurgency, political warfare, biological warfare, or even non-war analogies to immune systems, public health, or complex adaptive systems offer potentially productive alternatives.
The importance of language and rhetoric for appropriately framing and responding to problems is embraced by military professionals and academics alike. Hyperbolic analogies like cyber Pearl Harbor are not only inadequate, but may actually be harmful to our ability to engage with the cyber threats we face today. "If the 2016 Russian election interference can teach the cybersecurity community anything, it is that, as Investor’s Business Daily noted in 2013, the next cyberattack will likely “not begin with an ominous ‘Tora, Tora, Tora,’ but with the innocent sounding, ‘You’ve got mail.’” What comes after that will likely differ from what years of cyber Pearl Harbor scenarios have led us to expect.
To learn more about the ways Cyber Command has evolved over the last decade, download our series of essays that reflect on the origins and future of defend forward and hybrid warfare.
Sean Lawson is an associate professor of communication at the University of Utah and author of the forthcoming book, The Politics of Cybersecurity Threats: Beyond Cyber-Doom Rhetoric (Routledge, 2020).
Michael K. Middleton is an associate professor of argumentation and public discourse and director of the John R. Park Debate Society at the University of Utah.