Politicians, military officials, and business leaders have spent the past three decades bracing for a “cyber Pearl Harbor:” a single, disastrous hack that would finally awaken the world to the true threat of cyberattacks. Some have envisioned deadly attacks in which hackers blow up power plants or poison water mains.
Most recently, the lead article of the US Army’s Cyber Defense Review argued that “Cybersecurity’s Pearl Harbor Moment” has finally arrived, courtesy of the May ransomware attack that shut down Colonial Pipeline and disrupted US fuel supplies.
As cybersecurity professionals have been pointing out for about as long as the “Pearl Harbor” metaphor has existed, the World War II bombardment of the US Navy’s Pacific Fleet in Hawaii is not really an apt comparison for the threat of hacks. It misleadingly primes us to expect one catastrophic attack that immediately creates widespread physical damage and catalyzes a massive mobilization.
In reality, the damage of cyberattacks comes from a series of piecemeal hacks that are often hidden from public view and don’t always lead to immediate, tangible harm. The actual threat looks less like a barrage of bombs and more like a spy slipping a gloved hand into a filing cabinet or a mobster strolling into a shop to collect a “protection” payment.
Designing defenses against a far-off cyber doomsday won’t protect businesses against the more insidious threat of day-to-day hacks. If organizations want to protect themselves, they should toss out the idea of a looming “cyber Pearl Harbor” and take the small, simple steps that are within reach to manage their cyber risk right now.
“Still waiting for ‘cyber Pearl Harbor’”
Predictions of a deadly cyberattack have been circulating since at least 1991, but the best-known formulation comes from former US defense secretary Leon Panetta, who in 2012 warned of a foreign adversary derailing passenger trains, spilling lethal chemicals, spiking water supplies, or shutting off the power grid. In short, he said, the US was vulnerable to a “cyber Pearl Harbor that would cause physical destruction and the loss of life, an attack that would paralyze and shock the nation.”
That’s possible, but it ignores the vast majority of truly harmful hacks, which don’t cause casualties or extensive physical damage. Most are intelligence operations targeting sensitive data or criminal enterprises intent on extracting money. Even Panetta later acknowledged that the Pearl Harbor metaphor is overwrought. “Using that language is basically, you know, a club across the head when you’re dealing with that jackass who won’t pay attention,” he told CyberScoop in April.
Cyberattacks require a different response than warfare
Whether or not a cyber Pearl Harbor is imminent, businesses face a very real threat of ransomware and data theft every day (30,000 hack attempts per day, by some estimates). Those attacks present a real danger to businesses’ ability to operate, even if they don’t individually “paralyze and shock the nation,” as Panetta warned.
Businesses can manage the risk they face from this constant stream of small-scale cyberthreats. Governments and nonprofits have pulled together lists of basic best practices for companies looking to protect their IT systems—including this tipsheet from the US Cybersecurity and Infrastructure Security Agency and the UK’s Minimum Cyber Security Standard.
They boil down to a handful of commonsense strategies that aren’t always expensive to implement. Some of the low-hanging fruit includes:
- Keep up with security patches. The vast majority of hacks take advantage of known software vulnerabilities. You can prevent them by quickly downloading updates from the manufacturer—and getting rid of any device or software that’s so old it doesn’t get updated regularly anymore.
- Use multifactor authentication. Make it harder for a hacker who has stolen or cloned an employee’s device to get into your network.
- Keep track of the people who have access to your networks. If an employee leaves the company, make sure to deactivate their old account.
- Keep track of the devices that have access to your networks. Regularly cull the list of laptops, mobile devices, and other machines that have trusted access to your system.