Former cybersecurity policymakers told USA Today it’s only luck that “worst-case scenarios” haven’t happened yet.
The SolarWinds attack, the Colonial Pipeline fuel outage and the JBS meat-production shutdown have all thrust cybersecurity concerns into the mainstream. But experts also pointed to a foiled cyber-poisoning of a Florida town’s water supply, and a hack that could nearly have opened a New York dam.
At a recent Geneva summit, President Joe Biden gave Russian President Vladimir Putin a list of 16 “critical infrastructure sectors,” such as transit and drinking water, that should be off-limits for cyberattacks. Former Homeland Security official Tatyana Bolton told USA Today that cybersecurity in such areas has scarcely improved despite years of warnings.
Newsweek, citing former intelligence and cybersecurity officials, reports that Russia-linked cyberattacks have come hauntingly close to provoking lethal real-life retaliation, like a “cyber Pearl Harbor.”
Indeed, NATO members, in a June 14 joint statement, noted that “the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack.” A GovTech blogger called this acceptance that online attacks could result in guns and bombs “a very significant development.”
As The Economist notes, the recent attacks make it look as though the cybersecurity industry, if it is supposed to be protecting customers from hacks, isn’t doing a very good job. A research report last year compared the cybersecurity business to used-car sales. Ian Levy, technical director of Britain’s National Cyber Security Centre, is quoted as saying that much of the industry works like a witch in the Middle Ages: “Buy my magic amulet and you’ll be fine.”
Legal scholars worldwide are starting to work on new rules of the road about what types of cyberattacks could permissibly spark retaliation, as The Washington Post reports. Their efforts will lead to the first revision since 2017 of NATO’s international cyber-conflict guidebook, called the “Tallinn Manual on the International Law Applicable to Cyber Operations.”
Michael Schmitt, director of the Tallinn Manual project and a law professor at the U.S. Naval War College, told the newspaper, “I get that the law will be violated... But at least having rules of the game would add some stability.”