Five factors distinguish the digital Pearl Harbor from the virus attacks we’ve suffered to date.

First, it disrupts backup systems. Fragile networks heretofore have been mitigated largely with backup. Disrupt that and badness follows.

Second, it leads to cascading failures. All of those massively inconvenient attacks people previously referred to as Pearl Harbors pile up. Due to the loss of backup, corporate earnings data is irretrievably lost. This panics Wall Street and destabilizes the financial sector. People run to their banks, but the banks cannot disburse funds; their networks are down. As are the credit card networks and the ATMs .

If you don’t have cash, you go hungry.

Then the lights wink out. Everywhere.

And it begins to get cold.

Panic is a key part of a digital Pearl Harbor. "If you can disrupt the flow of money and resources, that’s where I’d look for incidents to become bigger than what we’ve experienced so far," says Michael Hershman, an international security expert who has worked in military intelligence, and who was a senior staff investigator on the Senate Watergate Committee. Hershman now runs Civitas Group, a security consultancy, with Sandy Berger, the former national security adviser to President Clinton, and Richard Clarke. "Where you see panic and money, that’s where I’d look for a digital Pearl Harbor."

Third, though the attack is instantaneous, its aftereffects linger for weeks. People are hungry. Freezing. The old and the young begin to die. The strong turn against each other.

Fourth, after it’s over, the attack’s origin is pinpointed and the vulnerability it exploited is determined. That’s another element that’s been missing from most recent security events, especially virus outbreaks, and most notably in the August 2003 blackout. Blame has not been assigned; no heads have rolled. No one has even called for heads to roll. No heads can be found to roll.

Last, and perhaps most important, once the source of the event is determined, it’s revealed that the loss of property and life was completely and absolutely and tragically avoidable.


2009: Recrimination, Reconstruction, Reformation
That moment?the exposure of negligence to the public?is when security will start to get better. The senselessness of the incident and the profound losses it leads to will generate outrage.

The first response is litigation. Lawyers will prosecute vendors, ISPs and others based on downstream liability; that is, they will follow the chain of negligence and hold people accountable all along it. Hackers, whether their intent was malicious or not, will be arrested and prosecuted. If the event’s nexus is overseas, foreign governments will cooperate to bring the miscreants to justice.