The Next Battlefield
The Reality of Virtual Threats by Michael Vatis
Global Catastrophe, Vol. 28 (3) - Fall 2006 Issue

Michael Vatis is currently a partner in the law firm Steptoe & Johnson LLP. He served as Executive Director of the Markle Foundation Task Force on National Security in the Information Age. From 2001 to 2003, he was the Director of the Institute for Security Technology Studies at Dartmouth College.

In today’s increasingly interconnected world, a person with a laptop computer can sit at a coffee shop in London and trade stocks listed on the New York Stock Exchange, transfer funds from a bank account in Zurich to an account in Tokyo, chat on an Internet phone call with a friend in Estonia, check in on his child’s daycare center through a live video feed, upload a video clip of his brother’s stand-up comedy performance onto YouTube, and place a bet with an online casino in Costa Rica. Such are the conveniences of today’s communications technology.

But if that same person were more maliciously inclined, he might hack into the stock exchange and alter share price information to send a target company into a downward spiral, use a stolen identity to pilfer funds from a victim’s savings account, use a pseudonymous email address and encryption technology to send secret information to his spy handler, or upload to a jihadi website a video of Osama Bin Laden calling for a new wave of attacks against the United States. The only constraints on his capacity to do harm are his level of technological sophistication, the defenses put in place by his intended targets, and governments’ capabilities to learn about his activities and stop them.

A New Weapon

A decade ago, when the World Wide Web was still in its infancy, the scenarios just posited would have been derided as alarmist. If it was a person from the information technology industry speaking, he would have been accused of scaring people into buying new security tools. If it was a policy wonk, he would have been accused of not understanding the robust and resilient nature of Internet technology. And if it was a government official, he would have been accused of searching for a new mission—or new reasons for government funding—in the post-Cold War world.

Today skepticism about the cyber threat is more difficult to find. Government agencies, companies, and individuals are all too aware of the harm that computer viruses and hackers can cause. The problem now is not so much recognizing vulnerability to computer-based threats as understanding just what those threats are and what should be done to stop them. One year the main concern seems to be teenage hackers defacing websites or breaking into computer networks for the thrill of causing a disruption; the next year the primary concern is fast-spreading viruses that shut down corporate networks for a few hours or even days; and the next it is international criminal groups stealing and selling credit card and social security numbers.

While the public face of the cyber threat changes frequently, there is an abiding spectrum of threats that is far broader, and far more dangerous, than is typically appreciated. While citizens today are fearful of identity theft and the US government is focused on preventing a full-scale civil war in Iraq and avoiding another Hurricane Katrina catastrophe, the United States’ current and potential adversaries—whether radical Islamic terrorists, Iran, or China—are looking for the weaknesses in the US information infrastructure and mapping out where and how they would mount a cyber attack.

Re-learning the Lessons of September 11

The terrorist attacks of September 11, 2001, demonstrated all too clearly the vulnerability of the United States to foreign attack. Once comfortable with its physical distance from the ancient quarrels that plague the rest of the world, the United States became aware that its relatively open borders, democratic liberties, and modern technology could be turned against it to devastating effect. Since September 11, the US government has focused on measures to prevent similar attacks—strengthening airport security, hardening cockpit doors, and putting air marshals on commercial flights.

Far less attention has been devoted to other forms of attack, some of which could be even more destructive than the September 11 attacks. These include attacks using nuclear, radiological, chemical, and biological weapons. They also include physical attacks on soft targets such as subways and railroads, chemical plants, or hotels and office buildings. In addition, the United States remains highly vulnerable to cyber attacks against computer networks that are critical to its national and economic security.

Cyber attacks generally consist of directed intrusions into computer networks to steal or alter information or damage the system; malicious code, known as viruses or worms, that propagates from computer to computer and disrupts their functionality; or denial of service attacks that bombard networks with bogus communications so that they cannot function properly.

Using these methods, cyber attackers could target financial institutions, communication systems, energy infrastructures, government operations, hospitals, and many other entities that rely on computer networks for their basic operation. Cyber attacks are no longer a mere nuisance that concerns only computer geeks. Attackers could disrupt the basic engines of the US economy, affecting individuals across the country and national security as a whole. The international ripple effects of such a disruption would be serious and wide-ranging.

The growing complexity and interconnectedness of these infrastructure systems, and their reliance on computers, not only makes them more vulnerable to attack but also increases the potential scope of an attack’s effects. An attack that disables electrical power or telecommunications, for instance, would have cascading effects on banks, hospitals, and government operations. While many organizations have developed redundant or alternative systems, such as power generators or back-up communications systems, many have not. Further, the alternative systems typically provide only limited capabilities.

The majority of critical infrastructures in the United States are owned by private industries. As a result, the US government alone cannot defend the infrastructures from attack but needs the cooperation of the private sector. A central question is how to obtain that cooperation and avoid the inevitable free-rider problem. The CEO of a bank, for example, may ensure that her bank takes steps to prevent the common sorts of cyber crime aimed at stealing funds from account holders. She might question, however, why she should pay for additional measures that might be necessary to prevent a catastrophic attack that could have effects that spread beyond her company to other financial institutions and other parts of the economy. This is particularly true if the bank’s competitors, or service providers, are not taking such measures.


 




© 2003-2008 The Harvard International Review. All rights reserved.