* Forthcoming Scholarship
“The New Vulnerability” (reviewing Richard Clarke and Robert Knacke, Cyber War: The Next Threat to National Security and What to Do About It)
Jack Goldsmith (Harvard Law)
The New Republic (June 7, 2010)
From the conclusion:
Neither the known causes of cyber insecurity nor extensive worries about the cyber threat are new. The wake-up call came in 1988, when Robert Tappan Morris, a graduate student at Cornell, introduced a “worm”–a self-replicating computer program–on the Internet that was designed to determine the Net’s size but that inadvertently shut down about 10 percent of the sixty thousand computers then connected to it. This event startled the Defense Advanced Research Projects Agency, the futuristic Department of Defense research wing. DARPA had developed what became the Internet to ensure that the command-and-control communications of the American military could withstand nuclear attack, but suddenly its young creation seemed vulnerable from within. DARPA immediately funded a Computer Emergency Response Team, which is still located at the Carnegie Mellon Institute, to coordinate and respond to Internet related computer security concerns.
It also asked the National Research Council to study “the security and trustworthiness” of American computing and communications systems. “We are at risk,” began the subsequent NRC report, which was released in 1991. In terms remarkably similar to Clarke’s, the report noted that America increasingly “depends on computers [for] power delivery, communications, aviation, and financial services,” described these systems as “vulnerable … to deliberate attack,” and declared that only luck had prevented their subversion. “The modern thief can steal more with a computer than with a gun,” it said, adding that “tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb.” The report warned that the instability of the international system, and the rapid rise in both reliance on computer systems and the sophistication of computer attacks, meant that the United States was on the cusp of a cyber-security crisis. Cyber threats, it concluded, “are changing qualitatively; they are more likely to be catastrophic in impact.”
The NRC report makes for sober reading today. Its basic analysis of computer-system vulnerabilities would be repeated with slight elaborations over the next two decades in a dozen subsequent NRC reports and a half-dozen high-level executive branch studies. So, too, would its warnings, which are nearly identical to contemporary cries about the cyber threat. Yet no catastrophic cyber event has occurred in the intervening twenty years, despite deeper and deeper integration of computer systems and significantly greater reliance on them in all sectors of society. This has led some to think that the cyber menace is exaggerated. But experts such as Richard Clarke continue to insist that we are on the cusp of a national security crisis related to our dependence on computer systems. “Sometimes the boy who cries wolf can see the wolf coming from a lot further than everyone else,” says the man who before September 11 raised hell inside the government, to little avail, about the looming terror threat to the homeland. Let us hope that the wolf is still far away.