EVEN as anxiety about jihadi terrorist threats has eased, thanks to the efforts of intelligence agencies and drone attacks’ disruption of the militants’ sanctuaries, fears over Western societies’ vulnerability to cyber-assaults have grown. Political and military leaders miss no chance to declare that cyberwar is already upon us. America’s defence secretary, Leon Panetta, talks of a “cyber-Pearl Harbour”. A senior official says privately that a cyber-attack on America that “would make 9/11 look like a tea party” is only a matter of time.
The nightmares are of mouseclicks exploding fuel refineries, frying power grids or blinding air-traffic controllers. The reality is already of countless anonymous attacks on governments and businesses. These seek to disrupt out of malice, or to steal swathes of valuable commercial or security-related data. Some experts believe that such thefts have cost hundreds of billions of dollars in stolen R&D.
Many of these attacks are purely criminal. But the most sophisticated are more often the work of states, carried out either directly or by proxies. Attribution—detecting an enemy’s fingerprints on a cyber-attack—is still tricky, so officials are reluctant to point the finger of blame publicly. But China is by far the most active transgressor. It employs thousands of gifted software engineers who systematically target technically advanced Fortune 100 companies. The other biggest offenders are Russia and, recently, Iran (the suspected source of the Shamoon virus that crippled thousands of computers at Saudi Arabia’s Aramco and Qatar’s RasGas in August).
America and its allies are by no means passive victims. Either America, Israel or the two working together almost certainly hatched the Stuxnet worm, found in 2010, that was designed to paralyse centrifuges at Iran’s Natanz uranium-enrichment plant. The Flame virus, identified by Russian and Hungarian experts this year, apparently came from the same source. It was designed to strike at Iran by infecting computers in its oil ministry and at targets in the West Bank, Syria and Sudan.
Boring, not lurid
For all the hype, policies on cyber-warfare remain confused and secretive. The American government is bringing in new rules and a clearer strategy for dealing with cyber-threats. Barack Obama is said to have signed in October a still-secret directive containing new guidelines for federal agencies carrying out cyber-operations. It sets out how they should help private firms, particularly those responsible for critical national infrastructure, to defend themselves against cyber-threats by sharing information and setting standards.
The directive is partly a response to the stalling of cyber-legislation in the Senate. Republican senators argue that it imposes too great a regulatory burden on industry, which is already obliged to disclose when it is subject to a cyber-attack. It is also meant to govern how far such bodies as the Department of Homeland Security can go in their defence of domestic networks against malware attacks.
The Pentagon is also working on more permissive rules of engagement for offensive cyber-warfare, for example to close down a foreign server from which an attack was thought to be emanating. General Keith Alexander heads both Cyber Command (which has a budget of $3.4 billion for next year) and the National Security Agency. He has often called for greater flexibility in taking the attack to the “enemy”. The emergence of new cyber-warfare doctrines in America is being watched closely by allies who may follow where America leads—as well as by potential adversaries.
However, Jarno Limnell of Stonesoft, a big computer security firm, says that all levels of government in the West lack strategic understanding on cyber-warfare. So, although questions abound, answers are few. For example, it is not clear how much sensitive information about threats or vulnerabilities government agencies should share even…