David Sanger writes: In March the White House invited all the members of the Senate to a classified simulation on Capitol Hill demonstrating what might happen if a dedicated hacker — or an enemy state — decided to turn off the lights in New York City. In the simulation, a worker for the power company clicked on what he thought was an e-mail from a friend; that “spear phishing” attack started a cascade of calamities in which the cyberinvader made his way into the computer systems that run New York’s electric grid. The city was plunged into darkness; no one could find the problem, much less fix it. Chaos, and deaths, followed.
The administration ran the demonstration — which was far more watered-down than the Pentagon’s own cyberwar games — to press Congress to pass a bill that would allow a degree of federal control over protecting the computer networks that run America’s most vulnerable infrastructure. The real lesson of the simulation was never discussed: cyberoffense has outpaced the search for a deterrent, something roughly equivalent to the cold-war-era concept of mutually assured destruction. There was something simple to that concept: If you take out New York, I take out Moscow.
But there is nothing so simple about cyberattacks. Usually it is unclear where they come from. That makes deterrence extraordinarily difficult. Moreover, a good deterrence “has to be credible,” said Joseph S. Nye, the Harvard strategist who has written the deepest analysis yet of what lessons from the atomic age apply to cyberwar. “If an attack from China gets inside the American government’s computer systems, we’re not likely to turn off the lights in Beijing.” Professor Nye calls for creating “a high cost” for an attacker, perhaps by naming and shaming.
Deterrence may also depend on how America chooses to use its cyberweapons in the future. Will it be more like the Predator, a tool the president has embraced? That would send a clear warning that the United States was ready and willing to act. But as President Obama warned his own aides during the secret debates over Olympic Games [the Stuxnet operation], it also invites retaliatory strikes, with cyberweapons that are already proliferating. In fact, one country recently announced that it was creating a new elite “Cybercorps” as part of its military. The announcement came from Tehran.
Since cyberdeterrence looks like a non-starter, the U.S. should perhaps focus instead on a home truth: those who live in cyber houses shouldn’t throw cyber stones.