Return Fire in Cyber Warfare

Here’s what’s been going on in the cyber universe. In Saudi Arabia, a country for which the Iranian regime has little use, cyber attacks erased files in more than 30,000 computers owned by Aramco, the oil company. That was in August. Then cyber attacks hit JP Morgan Chase, Bank of America, and more than likely Wells Fargo.

But it didn’t stop there. Last week, cyber attacks affected Capital One Financial Corporation and the BB&T Corporation, and all these banks, with their usual respect for frankness, honesty, and clarity about their inner workings, attributed the messes that ensued either to “a large volume of traffic going to the web site,” which is certainly a delicate way of describing foreign-induced chaos, or “a denial of service event,” which could mean … absolutely anything you want it to mean. Why the banks bothered with these obfuscations is anyone’s guess, since within hours a group called Qassam Cyber Fighters claimed it was behind the attacks—all of them—and US officials said, well yes, that’s one interesting attack group that’s presumed to be backed by Iran.

The next thing you knew, PNC Financial was coming clean on CNBC: “We had the longest attack of all the banks.” The hackers, said CEO James Rohr, “just pummeled us.”

Now let’s look at recent history. In 2011, David Sanger, author of Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power, revealed in detail the fairly dramatic saga of the creation and deployment of the Stuxnet worm. So much detail, in fact, and from so many knowledgeable sources, that it was only possible to conclude that top US administration officials as well as their Israeli intelligence counterparts were actually boasting to the author about the devastating computer worm they developed and its efficacy in wrecking Iranian nuclear centrifuge equipment and delaying Iranian nuclear capability—for a time, anyway. (The question of how much time is, of course, now a source of bitter dispute between the worm’s two creators.)

The point is that it became pretty obvious after the New York Times began publishing excerpts from the Sanger book that certain elements in the US government wanted the Iranian regime to know just how seriously it took the Iranian nuclear build-up, and just how cyber-muscled the US had become. Not President Obama, however. Sanger writes that he “repeatedly expressed concerns that any American acknowledgement that it was using cyber weapons—even under the most careful and limited circumstances—could enable other countries, terrorists, or hackers to justify their own attacks.” But Sanger’s national security sources, evidently desiring a certain measure of acclaim, clearly used the author to send a worldwide message.

So what does the US—what does any powerful nation that has gone out of its way to provoke Iran in cyberspace—expect these days? US Defense Secretary Leon Panetta can warn of a “pre-9/11 moment,” an impending “cyber-Pearl Harbor,” pointing out that “an aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches.” But guess what, Leon? They already have.

True, no one has yet derailed passenger trains or contaminated the water supply or shut down a power grid—other possibilities that Panetta outlined. But that most likely is just a matter of time. Not will, not technological capability, not nerve—time.

Live by cyber attacks, in other words, and you can so very easily die by cyber attacks.
