Lack of Exploitation Does Not Indicate Nonvulnerability
Skeptics have often asked the following question: If information technology is so vulnerable, why hasn’t there been a “digital Pearl Harbor” yet? The rhetorical logic is that since a digital Pearl Harbor hasn’t happened yet, the nation’s cybersecurity posture must not be as bad as is claimed. In the view of the Committee on Improving Cybersecurity Research in the United States, the premise could reasonably be questioned, but stipulating the premise for the moment, such rhetoric does raise an interesting question: How might an observer distinguish which of the following statements is true: “There are no serious vulnerabilities in today’s information technology” or “There are serious but unseen vulnerabilities”?
A story from the early days of computer security is a good place to begin. An experimental time-sharing system at a major university, to which users could connect using dial-up modems, was subject to attack by hackers who would try to bring the system down. Using these dial-up connections, the hackers were successful from time to time. The system administrators responded to this threat by changing the system command structure. In particular, they added a command, called CRASH, that any user could invoke. The command was documented as follows: “If you use this command, you will crash the system. Everyone will lose their work, and be really mad at you. Please don’t do this.” This security innovation turned out to be successful, because the existence of the CRASH command took all the intellectual challenge out of crashing the system, and the system administrators—themselves of a hacker mind-set—understood the motivations of their adversaries very, very well.
Obviously, such an approach would not work today. But this story illustrates the point that nondisaster does not necessarily mean that no vulnerabilities are present. Given the existence of systemic vulnerabilities and the capability to exploit them, which essentially every cybersecurity expert recognizes, the question neces-
from, the point of attack); interfering with timely responses to an attack (e.g., by disrupting the communications systems of first responders); or increasing terror in the population through misinformation (e.g., by providing false information about the nature of a threat). And, of course, it is possible for information technology controlling the operation of physical systems to cause physical damage to those systems.
Note also that the nation’s information technology might be either a target of an attacker or a weapon for an attacker to use. In the first case, an element of the IT infrastructure itself (e.g., the means for people to communicate or to engage in financial transactions) might be a target to be destroyed. In the second case, the target of an adversary might be another kind of critical infrastructure (e.g., the electric power grid), and the adversary could either launch or exacerbate the attack by exploiting the IT infrastructure.