During his confirmation hearings this past June, U.S. Defense Secretary Leon Panetta warned the Senate, "The next Pearl Harbor we confront could very well be a cyber attack that cripples our grid, our security systems, our financial systems, our governmental systems." It was powerful imagery: a mighty fleet reduced to smoking ruin, an expansionist Asian power at the nation's doorstep.
But is "cyber war" really a threat? Can cyber war actually "cripple" the U.S., and who might these computer terrorists be? Or is the language just sturm und drang spun up by a coalition of major arms manufacturers, the Pentagon, and Internet security firms, allied with China bashers aimed at launching a new Cold War in Asia?
The language is sobering. Former White House Security Aide Richard Clarke, author of "Cyberwar", conjures up an apocalyptic future of paralyzed U.S. cities, subways crashing, planes "literally falling out of the sky," and thousands dead. Retired Admiral and Bush administration National Intelligence Director, Mike McConnell grimly warns "The United States is fighting a cyber war today and we are losing."
Much of this rhetoric is aimed at China. According to U.S. Rep. Mike Rogers, R-Mich., chair of the House Intelligence Committee, the Chinese government has launched a "predatory" campaign of "cyber theft" that has reached an "intolerable level." U.S. Sen. Dianne Feinstein, D-Calif., charges that a "significant portion" of "cyber attacks" on U.S. companies "emanate from China." Former CIA and National Security Agency director Michael Hayden told Congress, "I stand back in awe of the breadth, depth, sophistication, and persistence of the Chinese espionage effort against the United States of America."
China has been accused of hacking into the Pentagon, the International Monetary Fund, the French government, the CIA, and stealing information from major U.S. arms maker Boeing, and the Japanese firm Mitsubishi. The latter builds the American high performance fighter, the F-15.
The Pentagon has even developed a policy strategy that considers major cyber attacks to be acts of war, triggering what could be a military response. "If you shut down our power grid," one Defense official told the Wall Street Journal, "maybe we will put a missile down one of your smokestacks."
But consider the sources for all this scare talk: Clarke is the chair of a firm that consults on cyber security, and McConnell is the executive vice-president of defense contractor Booz Allen Hamilton. Both are currently doing business with the Pentagon.
Arms giants like Lockheed Martin, Raytheon, Northrop Grumman, Boeing, and other munitions manufactures are moving heavily into the cyber security market. In 2010, Boeing snapped up Argon ST and Narus, two cyber security firms with an estimated value of $2.4 billion. Raytheon bought Applied Signal Technology, General Dynamics absorbed Network Connectivity Solutions, and Britain's major arms firm, BAE, purchased Norkom and ETI.
"There is a feeding frenzy right now to provide products and services to meet the demands of governments, law enforcement and the military," says Ron Deibert, director of the Canada Center for Global Security Studies.
There are big bucks at stake. Between the Defense Department and Homeland Security, the U.S. will spend some $10.5 billion for cyber security by 2015. The Pentagon's new Cyber Command is slated to have a staff of 10,000, and according to Northrop executive Kent Schneider, the market for cyber arms and security in the U.S. is $100 billion.
But is cyber war everything it is cracked up to be, and is the U.S. really way behind the curve in the scramble to develop cyber weapons?
According to investigative journalist Seymour Hersh, in his New Yorker article "The Online Threat," the potential for cyber mayhem has "been exaggerated" and the Defense Department and cyber security firms have blurred the line between cyber espionage and cyber war. The former is the kind of thing that goes on, day in and day out, between governments and industry, except its medium is the Internet. The latter is an attack on another country's ability to wage war, defend itself, or run its basic infrastructure.
Most experts say the end-of-the-world scenarios drawn up by people like Clarke are largely fiction. How could an enemy shut down the U.S. national power grid when there is no such thing? A cyber attack would have to disrupt more than 100 separate power systems throughout the nation to crash the U.S. grid.
Most financial institutions are also protected. The one example of a successful cyber attack in that area was an apparent North Korean cyber assault this past march on the South Korean bank Nonghyup that crashed the institution's computers. But an investigation found that the bank had been extremely remiss in changing passwords or controlling access to its computers. According to Peter Sommer, author of "Reducing Systems Cybersecurity Risk," the cyber threat to banks "is a bit of nonsense."
However, given that many Americans rely on computers, cell phones, I-Pads, smart phones and the like, any hint that an "enemy" could disrupt access to those devices is likely to get attention. Throw in some scary scenarios and a cunning enemy-China-and it's pretty easy to make people nervous.
But contrary to McConnell's statement, the U.S. is more advanced in computers than other countries in the world, and the charge that the U.S. is behind the curve sounds suspiciously like the "bomber gap" with the Russians in the '50s and the "missile gap" in the 1960s. Both were illusions that had more to do with U.S. presidential elections and arms industry lobbying than anything in the real world.
The focus on the China threat certainly fits the Obama administration's recent "strategic pivot" toward Africa and Asia. China draws significant resources from Africa, including oil, gas, copper, and iron ore, and Beijing is beginning to reassert itself in south and east Asia. The U.S. now has a separate military command for Africa-Africom-and the White House recently excluded U.S. military forces in the Asia theatre from any cutbacks. Washington is also deploying U.S. Marines in Australia. As U.S. Secretary of State Hillary Clinton told the National Defense University this past August, "We know we face some long-term challenges about how we are going to cope with what the rise of China means."
But James Lewis, an expert on Chinese cyber espionage, told Hersh that the Chinese have no intention of attacking U.S. financial services since they own a considerable portion of them. According to Lewis, "current Chinese officials" told him "a cyber-war attack would do as much economic harm to us as to you." The U.S. is China's largest trading partner and Beijing holds over a trillion dollars in U.S. securities.
There is also a certain irony to the accusations aimed at China. According to the New York Times, the U.S.-and Israel-designed the "Stuxnet" virus that has infected some 30,000 computers in Iran and set back Teheran's nuclear program. The virus has also turned up in China, Pakistan, and Indonesia. In terms of cyber war, the U.S. is ahead of the curve, not behind.
What all this scare talk has done is allow the U.S. military to muscle its way into cyber security in a way that could potentially allow it to monitor virtually everything on the Internet, including personal computers and email. In fact, the military has resisted a push to insure cyber security through the use of encryption because that would prevent the Pentagon from tapping into Internet traffic.
Does China really pose a threat to the U.S.? There is no question that China-based computers have hacked into a variety of governmental agencies and private companies (as have Russians, Israelis, Americans, French, Taiwanese, South Koreans, etc.-in short everyone spies on everyone), but few observers think that China has any intention of going to war with the much more powerful U.S.
However, Beijing makes a handy bug-a-boo. One four-star admiral told Hersh that in arguing against budget cuts, the military "needs an enemy and it's settled on China." It would not be the first time that ploy was used.
If the Pentagon's push is successful, it could result in an almost total loss of privacy for most Americans, as well as the creation of a vast and expensive new security bureaucracy. Give a government the power to monitor the Internet, says Sommers, and it will do it. In this electronic field of dreams, if we build it, they will use it.
This article originally appeared in Conn Hallinan's blog, Dispatches from the Edge.