Seventeen years ago today, Americans learned all too tragically that, as the 9/11 Commission later put it, “the system was blinking red” for a reason. Our country, we came to realize, had been facing grave terrorist threats for which our leadership had suffered “a failure of imagination,” in the words of the Commission’s co-chair. The consequences were terrible to behold.
Today, we are told by Director of National Intelligence Dan Coats that “the warning lights are blinking red again”—this time to alert us to the threat of cyberattacks. As former senior counterterrorism officials, we believe that 17 years of lessons learned from addressing terrorist threats can help us to tackle today’s ever-growing array of cyber threats. At the same time, we worry that talking about “blinking red” warnings in advance of a potential “cyber 9/11” may misapprehend the nature of the cyber threats we face. Cyberattacks don’t produce the unmistakable, crystallizing violence that our nation experienced on 9/11. Instead, they unfold more insidiously. And, in that sense, we’re not still waiting for a cyber 9/11. It’s already here.
The vulnerabilities that left us susceptible to the terrorist attacks of 9/11 have distinct similarities to the ones that now leave us open to cyberattacks. First, the targets of terrorism are overwhelmingly non-government infrastructure. Think of the World Trade Center itself, and of the cockpits of private companies’ airplanes: These were key weaknesses the 9/11 attackers exploited. Only after 9/11 did our government fully embrace a responsibility to protect from terrorists critical infrastructure that’s in private hands as a national security priority. That’s where we need to go with protections from cyberattacks: Hostile actors are registering damage on a level that threatens our national security by targeting private infrastructure—our electrical grid, our financial institutions, the infrastructure of our constitutional democracy. As with counterterrorism, improving our response to cyberattacks will rely on extensive collaboration with the private sector, from sharing information on threats to developing and refining industry security standards to adjusting risk calculations across government, infrastructure owners, and insurance providers.
That leads to a second cyber vulnerability reminiscent of our pre-9/11 weaknesses: information silos. The 9/11 Commission documented how misunderstandings of the law, bureaucratic rivalries, and poor data management contributed to information not getting shared among different parts of the government that, if brought together in the right hands, could have prevented 9/11. We’ve seen firsthand that information on terrorist threats now travels rapidly across the parts of the federal government that analyze and address such threats—indeed, we’ve chaired the meetings where that happens on a regular basis—or at least it did so on our watch. For today’s cyber threats, we must avoid information silos of a different kind: between the government as a whole and the public, including the private sector. Great strides have been made over the past decade in this regard, but much more remains to be done to enable real-time automated sharing of critical threat data. In particular, our government must figure out how to share more information on cyber threats in as much detail as possible, as quickly as possible. Only that way can social media companies understand Russia’s latest election interference techniques, financial firms anticipate disruptions to our banking system of the type we’ve seen from Iran, and intellectual property holders guard against persistent economic espionage perpetrated by Beijing.
And, just as after 9/11, we need to improve the organization of our own government to deal with the cyber threat. Under Secretary for Homeland Security Chris Krebs is making real progress, recently establishing a new National Risk Management Center to facilitate cross-sector risk management efforts to protect more effectively critical infrastructure, and Army Gen. Paul Nakasone has articulated an impressive agenda at U.S. Cyber Command, but cyber is now a whole-of-government challenge that requires still greater synchronization. The White House should start by filling its vacant cyber coordinator role, and serious consideration should be given to more ambitious proposals, such as retired Gen. David Petraeus’s recommendation to create a national cyber agency.
There’s a third parallel: the need for investment in and optimization of technology. Only after 9/11 did America put to full use critical, if controversial, technologies to keep us safe from terrorism, including armed drones to target key terrorists, enhanced border and airport screening, and digital communication collection and analysis to determine who might be here in the United States and in contact with terrorists abroad. Today, we’re refining our use of capabilities like deep learning, big data analytics, and blockchain technology to protect our data and detect cyber intrusions. However, we should be investing much more as a nation in technologies like artificial intelligence, as recently called for by Henry Kissinger and reportedly echoed by Defense Secretary Jim Mattis, who apparently argued in a recent memo that the United States was not keeping pace with the ambitious plans of nations like China.
Finally, there’s a fourth parallel to 9/11 vulnerabilities: resilience. America’s financial and cognitive infrastructure was wholly unprepared for the shock of 9/11. Our stock markets quickly crashed, while many Americans urged political leaders toward disproportionate and inapt responses (and some of those leaders indulged and even invited those calls). Our nation’s infrastructure and critical systems are now better postured to recover from terrorist attacks; and, thanks partly to the deliberate efforts of Presidents George W. Bush and Barack Obama to put terrorist threats in perspective, Americans are now more resilient to even horrific attacks (though the full depth of that resilience has not been tested by another attack on the scale of 9/11). Our cyber infrastructure must be similarly resilient. We need Americans—of all ages—to be savvier online actors who consider sound cyber security just as important as personal safety practices. Government can play a critical role in what’s essentially a public education challenge; but so can civil society and educators themselves.
Director Coats is right to warn of today’s serious cyber threats, but the horrific attacks of 9/11 may be the wrong frame for how to think about cyber. While we can conjure up hypothetical images of a visually dramatic “Cyber 9/11” or “Cyber Pearl Harbor,” the real cyberattacks we will confront—and indeed are confronting—don’t produce the dramatic video footage we all remember so well from 17 ago today. Instead, they happen stealthily, quietly stealing government secrets, sapping economic value from American companies by snatching their intellectual property and users’ data, and infecting American political discourse. And, in that sense, we’re not still waiting for a Cyber 9/11: It’s already unfolding. Now, let’s put to use 17 years of lessons learned from counterterrorism to protect our nation from suffering another failure of imagination.