Lack of Exploitation Does Not Indicate Nonvulnerability
Skeptics have often asked the following question: If information technology is so vulnerable, why hasn’t there been a “digital Pearl Harbor” yet? The rhetorical logic is that since a digital Pearl Harbor hasn’t happened yet, the nation’s cybersecurity posture must not be as bad as is claimed. In the view of the Committee on Improving Cybersecurity Research in the United States, the premise could reasonably be questioned, but stipulating the premise for the moment, such rhetoric does raise an interesting question: How might an observer distinguish which of the following statements is true: “There are no serious vulnerabilities in today’s information technology” or “There are serious but unseen vulnerabilities”?
A story from the early days of computer security is a good place to begin. An experimental time-sharing system at a major university, to which users could connect using dial-up modems, was subject to attack by hackers who would try to bring the system down. Using these dial-up connections, the hackers were successful from time to time. The system administrators responded to this threat by changing the system command structure. In particular, they added a command, called CRASH, that any user could invoke. The command was documented as follows: “If you use this command, you will crash the system. Everyone will lose their work, and be really mad at you. Please don’t do this.” This security innovation turned out to be successful, because the existence of the CRASH command took all the intellectual challenge out of crashing the system, and the system administrators—themselves of a hacker mind-set—understood the motivations of their adversaries very, very well.
Obviously, such an approach would not work today. But this story illustrates the point that nondisaster does not necessarily mean that no vulnerabilities are present. Given the existence of systemic vulnerabilities and the capability to exploit them, which essentially every cybersecurity expert recognizes, the question neces-