In remarks during his nomination hearing before the Senate Armed Services Committee last year, Secretary of Defense Leon Panetta stated that “next Pearl Harbor that we confront could very well be a cyber attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems.” Since then, a number of folks have resurrected the “digital Pearl Harbor” metaphor despite the fact that (a) the phrase doesn’t carry the shock value that it once did and (b) many very notable people in the cybersecurity industry insist that the bigger concern is “death by a thousand cuts.” Why the resurgence in talk of a digital Pearl Harbor? Part of the answer lies in the fact that within a span of less than two weeks, two reports were released that were both very critical of cybersecurity efforts related to the power grid (and one of them actually talked about a “digital Pearl Harbor”).
First, a report was released by the Office of the Inspector General (OIG) within the Department of Energy (DOE) detailing the results of an audit that was performed related to the Smart Grid Investment Grant (SGIG) program. The report attacked the cybersecurity plans submitted by applicants for grants from the SGIG program. The DOE report stated that “ensuring that the Nation’s power grid is adequately protected from malicious cyber attacks…continues to be an area of concern in both the public and private sectors.” It further noted that prior DOE reports disclosed weak cyber security implementations.
Some of the specific findings from the audit included the fact that “cyber security plans developed by recipients [of grants from the Smart Grid Investment Grant Program] were not always complete and did not sufficiently describe security controls.” In addition, the audit performed by two tiers of subject matter experts revealed that 36% of the grant recipients had one or more required elements missing from their cybersecurity plans.
Second, Bloomberg released a report on January 31, 2012 that resulted from a survey of technology executives conducted by the Ponemon Institute. According to Bloomberg’s coverage, the report found that on average, companies would need to spend “nine times more on cybersecurity to prevent a digital Pearl Harbor from plunging millions into darkness.” For the utilities and energy companies involved in the study, that would translate to an increase from the current $45.8M in average security spending per company to $344.6M per company. And by the way, that increase in expenditures would only get those companies to a hypothetical level of 95% protected against cyber attacks (which is thought to be the highest attainable level according to the Bloomberg report).
Could a digital Pearl Harbor actually occur? Most certainly. That fact, however, should not distract from the efforts needed to prevent the more insidious type of cyber attack – the targeted attack on any particular company or industry. After all, a digital Pearl Harbor probably has a much smaller likelihood of occurring than the much higher likelihood of any particular company getting hit.