Ask CFR Experts

PrintPrint CiteCite
Style: MLAAPAChicago Close


Is the threat of a "cyber Pearl Harbor" as potent as some have suggested?

Question submitted by James Bingham, from King's College, London, January 3, 2016

Answered by: Adam Segal, Ira A. Lipman Chair in Emerging Technologies and National Security and Director of the Digital and Cyberspace Policy Program


The phrase "cyber Pearl Harbor" received attention when it was mentioned by former defense secretary Leon E. Panetta in a speech about U.S. vulnerability to cyberwarfare threats. It is best understood as an effort to shape the domestic political debate and as a description of a potential future scenario, rather than as an accurate description of the cybersecurity threat.

The most pressing cyber threat is not likely to be a single, sudden attack that cripples the United States. Such attacks are probably limited to sophisticated state actors; they involve elaborate intelligence preparation, great uncertainty for the attacker, and are subject to some deterrence. Director of National Intelligence James R. Clapper Jr. testified that there was only a "remote chance" of "a major cyberattack against U.S. critical infrastructure systems during the next two years that would result in long-term, wide-scale disruption of services."

The greater threats are attacks that steal strategically valuable data and destroy confidence in the safety of the Internet. These low intensity but disruptive attacks are increasing and can damage banking, transport, and communications systems. Over time, future attacks could become even more destructive as cyber weapons and capacities proliferate and as electricity, power, transport, and communications infrastructures become increasingly dependent on the Internet. There is a growing market in sophisticated malicious software, which could end up in the hands of states, extremists, criminal entities, and other nonstate actors that may be harder to deter.

Officials have used the phrase "cyber Pearl Harbor" in part to raise attention to potential threats. They also hope to build support for legislation that will make it easier for the government and the private sector to share threat information and to define cybersecurity standards for industry. The use of the analogy could backfire, should the public focus on the wrong types of threat or believe the government is hyping all forms of cybersecurity risk.