On a Monday morning earlier this month, top Pentagon leaders gathered to simulate how they would respond to a sophisticated cyberattack aimed at paralysing the nations power grids, its communications systems or its financial networks.
The results were dispiriting. The enemy had all the advantages: stealth, anonymity and unpredictability. No one could pinpoint the country from which the attack came, so there was no effective way to deter further damage by threatening retaliation. Whats more, the military commanders noted that they even lacked the legal authority to respondespecially because it was never clear if the attack was an act of vandalism, an attempt at commercial theft or a state-sponsored effort to cripple the United States, perhaps as a prelude to a conventional war.
What some participants in the simulation knewand others did notwas that a version of their nightmare had just played out in real life, not at the Pentagon where they were meeting, but in the far less formal war rooms at Google Inc. Computers at Google and more than 30 other companies had been penetrated, and Googles software engineers quickly tracked, the source of the attack to seven servers in Taiwan, with footprints back to the Chinese mainland.
After that, the trail disappeared into a cloud of angry Chinese government denials, and then an ugly exchange of accusations between Washington and Beijing. That continued on Monday, with Chinese assertions that critics were trying to denigrate China and that the United States was pursuing hegemonic domination in cyberspace.
These recent events demonstrate how quickly the nations escalating cyberbattles have outpaced the rush to find a deterrent, something equivalent to the Cold War-era strategy of threatening nuclear retaliation.
So far, despite millions of dollars spent on studies, that quest has failed. Last week, secretary of state Hillary Rodham Clinton made the most comprehensive effort yet to warn potential adversaries that cyberattacks would not be ignored, drawing on the language of nuclear deterrence.
Inside the National Security Agency, which secretly scours overseas computer networks, officials have debated whether evidence of an imminent cyberattack on the US would justify a pre-emptive American cyberattack something the President would have to authorise. In an extreme caseevidence that an adversary was about to launch an attack intended to shut down power stations across Americasome officials argue that the right response might be a military strike.
We are now in the phase that we found ourselves in during the early 1950s, after the Soviets got the bomb, said Joseph Nye, a professor at the Kennedy School at Harvard.