At Dawn We Sleep

By Joseph I. Lieberman and Susan Collins
Op-Ed Contributors
Published: December 6, 2012

If you read the newspapers on the morning of Dec. 7, 1941, you would have been led to believe that Japan was poised to attack — but in Southeast Asia, not Pearl Harbor. Few experts believed that Japan was prepared to take on the United States; war, they believed, was not necessarily imminent.

“In view of the presence of new British naval strength at Singapore and powerful American squadrons in the rear of any southward Japanese expedition, it is believed there is no immediate likelihood of a large-scale invasion or bombing,” The Times quoted an Australian official as saying.

On this anniversary of the Pearl Harbor attack, it’s worth remembering that enemies will attack at a time of their choosing.

In fact, they rely on surprise.

A storm is surely gathering again, and we must resist the false sense of calm. The attack is not a matter of if, but when. It will not be launched from aircraft carriers, missile silos or massed armies. It will come through cyberspace and will strike our most vital computer systems, those that manage our electricity grids, oil and gas pipelines, telecommunications networks and financial markets.

We know that our digital networks are being tested, on a minute by minute basis, by would-be cyberterrorists, criminal gangs, rogue hackers and rival nations who look for unguarded digital back doors that would allow them to seize control of our most essential computers.

In invoking Pearl Harbor, we’re not trying to be alarmist — we’re borrowing an analogy the defense secretary, Leon E. Panetta, himself used in an Oct. 11 speech about what a catastrophic cyberattack might look like.

“An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches,” he said. “They could, for example, derail passenger trains or even more dangerous, derail trains loaded with lethal chemicals. They could contaminate the water supply in major cities or shut down the power grid across large parts of the country. The most destructive scenarios involve cyber actors launching several attacks on our critical infrastructure at one time, in combination with a physical attack on our country. Attackers could also seek to disable or degrade critical military systems and communication networks.”

Mr. Panetta added: “The collective result of these kinds of attacks could be a cyber-Pearl Harbor, an attack that would cause physical destruction and the loss of life. In fact, it would paralyze and shock the nation.”

The harsh reality is that such an attack does not require extensive computer skills. Earlier this year, The Washington Post reported on an overseas hacker who gained control of a small Texas water utility using Internet tools available to anyone. It took him just 10 minutes. The utility learned of the attack only when proof of it appeared online — the hacker’s warning of how susceptible the plant was.

Given these warnings and actual evidence of successful attacks, you would hope that Congress would be working urgently to strengthen the cyber defenses of our critical infrastructure — to make them well-defended forts, rather than undefended targets.

But twice this year the Senate failed to pass bipartisan cybersecurity legislation, with the United States Chamber of Commerce leading the opposition.

What made this so frustrating was that we — along with our Democratic co-sponsors, Senators Thomas R. Carper of Delaware, Dianne Feinstein of California and John D. Rockefeller IV of West Virginia — had already agreed to a major compromise to address the concerns of the chamber and its Senate allies by replacing mandatory cybersecurity requirements with voluntary, industry-developed standards that would also have protected from lawsuits companies that chose to implement the new standards.

Indeed, the concept of a voluntary, incentive-based system was proposed by the chamber and other industry groups in a March 2011 white paper and endorsed by a Republican-led House task force in October 2011.

Our willingness to compromise and adopt this reasonable, moderate approach was met with resistance — even after the chamber learned — thanks to the F.B.I. — that it had been the victim of Chinese cyberespionage.

One of the biggest mistakes that enabled the attack on Pearl Harbor was a belief that Japan lacked the capacity to mount devastating aerial bombing attacks so far from its borders.

For a modern-day equivalent, look at the recent attack against one of the world’s largest energy businesses, the Saudi oil business Aramco, which had 30,000 of its computers crippled in a cyberattack, wreaking havoc on the company’s operations. If that wasn’t a clear enough warning, the destroyed computers’ files were replaced with pictures of burning American flags.

Recently, the consumer banking sites of Bank of America, JPMorgan Chase, Wells Fargo, PNC and others came under the largest sustained denial of service attack in history. The attacks went on for weeks, knocking many of these sites off line or slowing them to a crawl.

These attacks did not have to be initiated from within the United States or even a few miles offshore. Cybersecurity experts believe Iran is the likely culprit in both attacks, and we fear this is just the beginning.

The headlines before the attack on Pearl Harbor turned out to be delusional. No one can reasonably entertain such a delusion about our adversaries’ capacity to attack us in cyberspace today.

Time has almost run out in this session of Congress, and President Obama will soon issue an executive order that will establish cybersecurity standards for critical infrastructure according to the statements of his top cabinet officials.

But the president’s powers are limited, and the issuance of an executive order is controversial even among some supporters of cybersecurity legislation. The new Congress must take up this issue, and pass comprehensive legislation to defend our nation against this gathering cyberthreat. If it doesn’t, the day on which those cyberweapons strike will be another “date which will live in infamy,” because we knew it was coming and didn’t come together to stop it.