Opinion: To hackers, we’re Bambi in the woods

If you’re worried about terrorism, here’s a bigger threat to lose sleep over: an all-out cyberattack.

Suddenly, the electricity goes out at the office. Cellphone networks and the internet have also gone black, along with subways and trains.

The roads are jammed because traffic lights aren’t working. Gas stations can’t pump gas.

People can’t reach loved ones. Phone systems are down, so 911 is useless. Looters roam the streets. Food and water soon run out in the cities.

And that’s just the first week.

Security experts have nightmares like that. Countries like Russia and China have implanted malicious software in the American electrical grid, nuclear power plants and water systems to have the capacity to mount such attacks — and we have done the same to them. Indeed, the U.S. prepared an extensive plan, Nitro Zeus, to unplug Iran through cyberattacks, but in the end we never implemented it.

These are some of the issues explored in an important — and deeply sobering — new book about cyberwarfare, “The Perfect Weapon,” by my Times colleague David Sanger. Sanger has spent decades exploring the intersections of technology and international security — and trying to alert us to our vulnerabilities.

The risks aren’t just of a cyber-Pearl Harbor but also of a full spectrum of attacks. The Russian hack of Democratic emails should have been a wake-up call. A senior FBI official told Sanger: “These DNC guys were like Bambi walking in the woods, surrounded by hunters. They had zero chance of surviving an attack. Zero.”

Even after the attacks we didn’t learn, and much of the U.S. is still like Bambi. The Russian hack of the U.S. elections in 2016 should have us on our toes for 2018, but the Trump administration has done little to prepare to fight off new hacking.

Cyber is the “perfect weapon,” in Sanger’s formulation, because attackers typically get off scot-free.

If North Korea had responded to the Sony Pictures movie “The Interview” by blowing up cinemas, it might have faced a strong response. Instead, it hacked into Sony’s system, destroyed computers and paralyzed the company. In both the Sony and Democratic Party attacks, the hackers enlisted the American news media to magnify the damage; we in the media were used, and we should reflect on that.

Later, North Korean hackers pilfered $81 million from the Bangladesh Central Bank (they might have gotten away with almost $1 billion, but someone misspelled “foundation”). For all this, North Korea faced no significant punishment.

We need to establish a cost to cyberattacks and help establish norms for cyber — a Geneva Convention for hacking. The problem is that the U.S. also uses cyberwarfare (to destroy Iranian centrifuges and, apparently, North Korean missiles), and we don’t want to constrain ourselves.

Meanwhile, we are becoming ever more vulnerable, partly because daily life is becoming more dependent on computers, and partly because cyberoffense is far ahead of cyberdefense. The U.S. started with a huge advantage, but Russia and China have nearly caught up, and Iran and North Korea don’t seem far behind.

In the 1990s, we were too complacent about the risks of terrorism; it took the twin towers collapsing to galvanize us. In the world of cyberspace, we’re still too complacent: Let’s stop playing Bambi!

X