"If you shut down our power grid, maybe we will put a missile down one of your smokestacks."1
When I first read the report, I thought the U.S. General Accountability Office (GAO) must have made a mistake. In a May 20, 2011, report,2 the GAO states that the U.S. military's communications networks—its Global Information Grid—are potentially jeopardized by the millions of denial-of-service attacks, hacking, malware, viruses, and other intrusions that occur on a daily basis.
With my curiosity piqued, I wondered if any hacker attacks had ever actually done damage to our military networks. It didn't take long to find the answer. In February 2011, the U.S. Deputy Secretary of Defense said that more than 100 foreign intelligence agencies have tried to breach the Department of Defense's computer networks and that one was successful in breaching networks containing classified information.3 And, if that were not enough, some hackers (thought to be either Chinese or Russian) were able to loot more than 24,000 classified files on our nation's most sophisticated planes, satellites, fighters, and an advanced weapons system nearing completion.
Cyber threats are real, and it is not just our military that is under attack. In July 2011, in his hearing for the nomination as Secretary of Defense, Leon E. Panetta testified:
I have often said that there is a strong likelihood that the next Pearl Harbor that we confront could very well be a cyber attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems. This is a real possibility in today's world. And as a result, I think we have to aggressively be able to counter that. It is going to take both defensive measures as well as aggressive measures to deal with that.4
Our allies are also under attack. In the United Kingdom, for example, the British government's Strategic Defense and Security Review describes how the threat to Britain's national security and prosperity has increased exponentially over the past decade. Indeed, so serious is the situation that the British government now ranks the threat of cyber attacks as one of the top four Tier One risks facing the nation (terrorism, cyber security, and civil emergencies in the form of natural hazards or accidents).
British Foreign Secretary William Hague recently stated that the world is currently in the grip of a new and financially crippling "arms race in cyber space."5 The foreign secretary warned that Britain could not guarantee that it could repel a major cyber assault on the nation's essential infrastructure—including waterworks, power plants, and the air traffic control system. Mr. Hague sees a critical threat to Britain's entire commercial and economic system. To protect his country's economic system, Mr. Hague stated that Britain is prepared to strike first to prevent a successful cyber attack. And on this side of the Atlantic, the U.S. Cyber Command is moving in the same direction.6
Where's the Enemy?
It's fine to threaten a preemptive attack, but attack whom? Malware makers and hackers are notorious for being able to hide their tracks using spoofing, virtual private networks, proxy services, and other means to hide where attacks are coming from. One cyber expert recently told me that if he were going to attack the United States or a U.S. business, he could easily route the attack traffic through Venezuela or other potentially nonfriendly countries while he relaxed on the beaches in the Bahamas.
A virus expert from the security firm Symantec put it this way:
You need evidence about who is behind an attack before you can strike preemptively, but you can never be sure—you can't attack infrastructure, or even send in a stealth bomber, because any information about a location could be a red herring.7
If the U.S. government and our allies cannot identify the cyber attackers, how can they retaliate or even strike first? If the government cannot identify the attackers, how does private industry analyze threats or risks or even determine appropriate responses?
The U.S. government knows only too well the problems responding to a sophisticated cyber attack aimed at paralyzing the nation's power grids, communications systems, or financial networks. According to The New York Times, in January 2010, top Pentagon officials gathered to simulate how they would respond to such an attack. The New York Times reported:
The results were dispiriting. The enemy had all of the advantages: stealth, anonymity, and unpredictability. No one could pinpoint the country from which the attack came, so there was no effective way to deter further damage by threatening retaliation. What's more, the military commanders noted that they even lacked the legal authority to respond—especially because it was never clear if the attack was an act of vandalism, an attempt at commercial theft or a state-sponsored effort to cripple the United States, perhaps as a prelude to conventional war.8
It's Not If; It's a Matter of When
For U.S. businesses, it is not a matter of whether they will be involved in a breach of their systems; it is a matter of when.9 Terrorists, unfriendly governments, rogue groups, and criminal cyber attacks are becoming more sophisticated—and more threatening to the U.S. economy. Cyber war experts predict that a cyber attack on the United States will not differentiate between government targets and civilian targets. This is due in part to the fact that most of the U.S. critical infrastructure is owned by private sector businesses. Based upon recent history, it is likely that cyber attacks will focus on civilian targets, particularly those involved in financial services, energy, and critical infrastructure.
Recognizing this growing threat, the National Security Agency recently reached an agreement with the Department of Homeland Security to provide cyber experts to other government agencies and certain private companies that provide financial services, energy, and critical infrastructure, or that provide the government with essential services.
Who Is Going To Pay?
Even if private companies carefully secure their networks and equipment, they should expect to suffer substantial damages in a cyber war, particularly where critical infrastructure is attacked. It is also likely that companies will sustain losses from the cyber theft of intellectual property. Can they recoup their losses and, if so, from whom? There are four potential sources:
Insurers: Most insurance policies exclude losses resulting from civil unrest or acts of war because the potential claims could be catastrophic.10 The insurance industry is in the early stages of designing and offering cyber attack policies because the statistical information is just not available to allow actuaries to calculate premiums.11
Belligerents: For a variety of reasons, it is unlikely that civilians will be able to recover losses from the countries that started a cyber war. First of all, a number of legal doctrines, such as sovereign immunity and comity, protect countries. Even if those legal doctrines could be overcome, a civilian litigant would face serious difficulties trying to identify the source of the attack and then demonstrating a causal connection between the attack and the harm.12
Contributors: Plaintiffs will almost certainly try to recover losses from companies, such as energy companies that provide electricity, that failed to take reasonable efforts to protect their networks, products, or services. It is unlikely that plaintiffs will be able to shift their losses to such third parties because the claims will almost certainly be limited by contractual disclaimers, waivers, and limitations.
State and Local Governments: In the instances where the federal government has made payments for natural disasters or to protect financial institutions against bad investments, there has been legislation authorized by Congress. Currently, there is no similar legislation providing for the state or federal government to cover losses sustained in a cyber war.
In situations where civilians sustain loss or destruction due to government actions (such as preemptive cyber attacks), it may be possible to bring an action for an unauthorized "taking" under the Fifth Amendment of the Constitution.13 The likelihood of success for such a claim is, however, slim.
One other possible solution should be discussed: self-help. Does the Second Amendment14 of the Constitution give private citizens and private companies the right to bear cyber-arms, and if they are attacked, do they have the right to return cyber fire in self-defense? These are two really interesting questions. Unfortunately, the answers are unclear. These questions will have to be resolved by the courts and/or Congress.
In the interim, while the issues are debated, private businesses will make their own decisions based on their understanding of what is best for the company and its shareholders. It has been reported that at least one company has decided not to wait for the government and has returned cyber fire.15 This is a slippery slope, and businesses should be wary of acting alone—particularly since the legality of such attacks is questionable.
As the U.S. government and its allies step up preparations to protect against catastrophic cyber attacks, private industry should pay close attention to its IT security. Executives of private companies have fiduciary duties to take appropriate measures to protect a company's assets while employing traditional risk management principles. Companies may be able to protect themselves against claims by customers through the use of appropriate contractual provisions and ensuring that proper security measures have been taken and are kept up to date. It is, however, unlikely that private companies will be able to pass losses to third parties. It is also unlikely that businesses will be able to protect their assets and brands by engaging in self-help. This leaves businesses in the difficult position of having few protections while confronting cyber attacks that could cripple our power systems, grid, security systems, financial systems, and even governmental systems.
If you are interested in further reading on this topic, listed below are a few additional sources.
Baker, Stewart, Natalia Filipiak, and Katrina Timlin. "In the Dark: Crucial Industries Confront Cyberattacks." Center for International Studies, McAfee. 2011.
Brenner, Susan W. and Leo L. Clarke. "Civilians in Cyberwarfare: Conscripts." Vanderbilt Journal of Transnational Law 43 (2010).
Brenner, Susan W. and Leo L. Clarke. "Civilians in Cyberwarfare: Casualties." SMU Science & Technology Law Review 13 (2010).
United States, Executive Office of the President. "Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure" (2009).
Council on Foreign Relations. "Cybertheft and the U.S. Economy" (August 11, 2011).
Coleman, Kevin G. "The Cyber Arms Race Has Begun." CSO Online (January 28, 2008).
Clayton, Gary E. and Kevin Coleman. "The Right to Bear Cyber Arms." Technolytics (June 20, 2010).
Clayton, Gary E. and Kevin Coleman. "Cyber Conflict: the Modern Gold Rush." CIO Magazine (June 6, 2009).
3 Deputy Secretary of Defense William J. Lynn, III, Remarks on Cyber at the RSA Conference, February 15, 2011. The classified network is not connected to the Internet, and it has not been publicly stated how such attacks took place.