U.S. defense secretary Leon Panetta recently spoke about the potential threat of a “cyber Pearl Harbor” that could cripple America’s digital and physical infrastructure. Computer worms and viruses are being unleashed against banks, energy companies and other businesses in various parts of the world. How can firms and nations protect themselves against these attacks? Israel Knowledge@Wharton discussed these questions and more with Amos Guiora, a former officer of the Israeli Defense Forces, who now serves on the faculty of the S.J. Quinney College of Law at the University of Utah. His advice: Don’t treat cyber terrorism lightly, because though it doesn’t leave a crater as a physical attack might, its consequences can be more devastating.
An edited version of the interview transcript appears below.
Israel Knowledge@Wharton: Amos Guiora, thank you for joining us today.
Amos Guiora: Thank you for having me.
Israel Knowledge@Wharton: On October 12, Leon Panetta, former head of the CIA and now the U.S. secretary of defense, spoke at a meeting in New York organized by Business Executives for National Security. He warned that the U.S. faces a pre-9/11 moment where cyber security is concerned. He spoke about the possibility of a “cyber Pearl Harbor” in which cyber actors could launch attacks on the country’s infrastructure in conjunction with physical attacks. Do you agree with this assessment? How vulnerable is the U.S. today to such a threat?
Guiora: Secretary Panetta was spot on in terms of highlighting the danger. As we were talking before we started the interview, I think cyber security has gone under the radar. If Secretary Panetta intended to make it a bold headline — “Pearl Harbor” — he was effective and successful in that. In terms of the threats posed by cyber-security, I don’t think there’s any doubt that the dangers and risks are enormous. If he intended this headline-grabbing moment, he was right to do that. The discussion subsequent to that has shown how important this issue is.
Israel Knowledge@Wharton: If such a cyber-attack were to happen, where might it come from, and who might the attackers be?
Guiora: First of all, those who are engaged in cyber terrorism are seriously smart, sophisticated people, so it’s a different kind of terrorist than say [those responsible for] 9/11. It requires a different skill set. An attack can come from within. It can come from without. It simply requires having a sophisticated understanding of technology, of how the systems work and ultimately how to impact them and, God forbid, how to shut them down. Whether the threat comes from within or without, I don’t think there’s any doubt that cyber terrorism poses an enormous threat.
Israel Knowledge@Wharton: Might a potential threat come from a nation state, or from groups of hackers like, say, Anonymous?
Guiora: I don’t know about Anonymous, but I think it would probably come from non-state actors rather than from state actors. And it would come from hackers, yes, but obviously really sophisticated hackers. The dangers they pose include shutting a system down, shutting cities down, impacting banking systems, impacting the water flow of a city…. I mean, it just goes on and on, because we are all totally computer-dependent. Think about airplanes in the air, right? It just goes on and on. In that sense the dangers are extraordinary. One thing that worries me is that I’m not sure to what extent we as a society fully understand the threat posed by cyber-attacks.
Israel Knowledge@Wharton: Depending on whether it was another nation state that was launching an attack or non-state actors, as you mentioned, what might the defense strategy be? How would it differ in each of those cases?
Guiora: If it’s a nation state that’s engaged in a cyber-attack –- not cyber terrorism because nation states don’t engage in terrorism, it would be a cyber-attack — that would be equivalent to an act of war. An act of war is an act of war. According to Article 51 of the U.N. Charter, that would certainly enable the attacked nation state to respond to the attacking nation state. If it’s a non-state actor, then it would be in the context of counter terrorism. The response, at least from a legal perspective as I advocate, would justify the nation state responding aggressively to non-state actors who are engaged in cyber terrorism, which is yet another form of terrorism.
Israel Knowledge@Wharton: To your mind, which are some of the most dramatic examples of cyber-attacks in recent times? What might be some of the lessons that one could draw from the way the situation played out?
Guiora: I’ll give you an example. A number of years ago I met with the senior vice president of one of America’s largest banks. The bank had been infiltrated and hacked by one guy who was able to wire an extraordinary amount of money after having set up approximately 400 fictitious accounts. The money that this guy was wiring through these 400 accounts was all going to support terrorism. So there’s a direct link between cyber security, cyber terrorism and the financing of terrorism. That is deeply troubling. It was very clear after the conversation that this huge bank in the United States was wholly unprepared and unequipped to respond to this. That for me was a sobering moment.
Israel Knowledge@Wharton: Your example is interesting because even in his speech, Leon Panetta mentioned that some U.S. financial institutions, major institutions, were recently targeted for cyber-attacks. Could you tell us about the damage such attacks can inflict upon an institution?
Guiora: First of all, setting up fictitious accounts and then wiring hundreds of millions of dollars to terrorist organizations obviously impacts all of us. But I think maybe more than that, it shows how vulnerable the systems are. If I go back to Secretary Panetta’s comments about Pearl Harbor, if you go back to think about Pearl Harbor itself, it showed how vulnerable the United States was in retrospect. Using the phrase “Pearl Harbor” is like a clarion call to understand our vulnerability and to begin baby steps to more effectively protect ourselves.
Israel Knowledge@Wharton: Unlike Ground Zero in the case of a physical attack, a cyber attack doesn’t leave a crater.
Israel Knowledge@Wharton: And even when the private sector firms, like the banks you mentioned, have their intellectual property stolen, often they are not even aware of the fact.
Israel Knowledge@Wharton: How can firms get around this problem, if at all?
Guiora: The first thing the private sector needs to do – and frankly also governments – is to recognize that cyber terrorism, even though it doesn’t leave a crater, maybe it leaves a larger crater. That would enable them more effectively to begin the process of protecting themselves and their assets against some really sophisticated hacking. It probably doesn’t have the extraordinary [effect] of a physical attack such as 9/11, when the twin towers collapsed. That is dramatic. A cyber security attack is not dramatic. There’s no real visual — and visuals are important. But if I were the CEO of a major American financial institution – such as the bank I mentioned — I would say to my relevant vice presidents that in many ways our vulnerability is no less our building than our intellectual property, our accounts and our money. And that we need to take a serious look at how well we are protecting ourselves with the understanding that perhaps the answer is we’re not protecting ourselves. Then we could begin the process of protecting ourselves from a cyber attack the same way we protect ourselves against physical attacks.
Israel Knowledge@Wharton: American firms are hardly alone in facing these attacks. For example, there have been reports of a virus called Shamoon that infected computer systems at Aramco, the Saudi oil company.
Israel Knowledge@Wharton: Similar attacks have also been observed against RasGas, a major energy producer in Qatar.
Israel Knowledge@Wharton: Which countries and companies do you think are the most vulnerable to such threats today?
Guiora: Well, if one believes the various media reports with respect to cyber-attacks against Iranian assets last year and the previous year — the Stuxnet — then it shows, as you correctly mentioned, that both states and enterprises are vulnerable. Iran raises obviously important questions because of the nuclear program and how to convince the Iranians not to go forward with it. Stuxnet showed they are vulnerable. I think they probably present a pretty compelling example of a nation state engaged in an act of creating a nuclear industry that, according to some countries, poses a threat to world security, world peace. Then the question becomes how do you convince them not to go forward. If the penetration of a virus through a cyber-attack is effective in dissuading them from going forward, I would say it shows their vulnerability, and maybe that shows the effectiveness of some kind of a cyber attack.
Israel Knowledge@Wharton: I’m glad you brought up Stuxnet, because I was just about to ask you about that. As you may have seen recently, there was an article in the New York Times about the fact that the U.S. and Israel had collaborated to create the computer worm with the goal of crippling the Iranian nuclear facility in Natanz. Under international law as it exists today, are such attacks by the U.S. and Israel legal?
Guiora: On the assumption that indeed the U.S. and/or Israel were involved it – or that’s going to be the assumption – then I think you can make a pretty viable argument in the context of self-defense that the introduction of this worm or virus would meet various standards of international law for the following reason.
Iran has been very clear about two things. One is creating a nuclear industry. And two, a pretty clear articulation of their desire to use that nascent bomb if it were to be developed against Israel. The question becomes how does Israel protect itself? What are the limits of a country protecting itself in the context of self-defense? So if there is this industry being created – a nuclear program – and these threats, then I would think that an introduction of a virus would meet this test of self-defense and of limited self-defense. And so from the perspective of international law, I think that meets those tests.
Israel Knowledge@Wharton: Stuxnet was detected when it “escaped from Iran and found its way to the West.” According to the New York Times, U.S. officials blamed Israel for this. But regardless of who was responsible and who’s at fault, what are the chances that digital bombs like Stuxnet can fall into the wrong hands and then end up being used against their creators? Is there anything that can be done to protect people against these things?
Guiora: That’s why we hope that those who create the worms or viruses are sophisticated enough to also introduce firewalls to make sure that they don’t bounce back and we don’t have a boomerang effect. And therefore you don’t have what’s good for the goose is good for the gander. That obviously is going to depend on the technical skills and competence of those who are creating the virus. There’s always a risk whenever you create some kind of an aggressive mechanism. If it falls into the wrong hands you never know where it’s going to potentially end up.
Israel Knowledge@Wharton: Countries like China and Russia are said to be actively developing their cyber capabilities. As cyber space becomes a war zone, is it realistic to believe that international regulations could be developed to bring about greater transparency? Given the global nature of cyber space and competing national interests, who would oversee compliance?
Guiora: That’s a great question and it goes to a larger issue. Let’s call it the changing nature of international law and to what extent international law is relevant to changing forms of technology and warfare.
No doubt the issues you’re raising here are probably going to require various international organizations to be more involved in terms of international conventions and treaties regulating the use of cyber space. Here we are in 2012 on the verge of 2013. We’re a long way off from fully understanding the dangers posed and the benefits, perhaps. It’s going to take scholars, academics, the international community, technical people, computer experts to work together to understand the limits and then to create some kind of regulatory mechanisms to insure that these new means are not used nefariously.
Israel Knowledge@Wharton: In the U.S., efforts are being made to deal with the legal issues through initiatives such as the Cyber Security Act of 2012, which was co-sponsored by Senators Lieberman, Collins, Rockefeller and Feinstein. Now the legislation has bi-partisan support, as far as I understand, but it has fallen victim to legislative and political grid-lock. Could you explain what some of the major hurdles are, and what the implications will be if the act becomes law?
Guiora: Well, first of all, let’s begin with the grid-lock. Here we are on Election Day, right? [Editors note – the interview was recorded on November 6.] There is something called politics in the United States. An issue like this, even though it needs bi-partisan support, there’s always a political end to it, a political aspect to it. A lot of it obviously, needless to say, is related to the politics of Washington at the moment. Two, going back to how we began our conversation, I think there’s still a question about to what extent we all understand the dangers posed.
I think also there are questions in terms of who’s going to control the regulatory mechanisms. At this stage, with a new Congress coming in on January 20, we’re unfortunately a long way away from understanding the benefits and the dangers. Even if there has been legislation introduced, unfortunately we’re more at a beginning stage than even at a middle stage in terms of understanding this. To that extent, the work ahead of all of us is extraordinarily complex but simultaneously extraordinarily critical.
Israel Knowledge@Wharton: What are the chances of a cyber-war between the East and West developing into a conventional war? What would it take to precipitate it?
Guiora: I don’t know about a war between East and West…. I think that paradigm hopefully came to a crashing end in December 1989 when the Berlin Wall came down. But I do think that cyber terrorism (state vs. non-state) and cyber war (state vs. state) is perhaps a more realistic option, certainly more than it had been five years ago. We need to be much more sensitive — and much more pro-active — with respect to establishing very sophisticated fire walls to protect ourselves.
There’s no doubt that — going back, I like your use of the term “crater” — the crater left by a cyber-attack in many ways is far more dangerous than a physical crater, because you don’t see it. There’s something very disconcerting about that. Shutting down cities, shutting down power and water systems, shutting down banks – the long-term ramifications of such actions are extraordinary. To what extent have we begun the process of adequately preparing ourselves? I think that’s an open question.