Thanks to the warnings of senior lawmakers and Obama admiistration officials, Americans are growing more aware of online vulnerabilities that could lead to a “cyber Pearl Harbor” attack. By definition, such a catastrophe would be extraordinarily rare, its chances perhaps no more than one in a ... what, exactly?
It’s hard to talk about odds when the pool of minor cyberincidents is growing larger every day. Depending on when it arrives, the first major cybervent against the United States could be a one-in-2 million incident or a one-in-10-trillion incident. But noise from garden-variety hacks shouldn't just be ignored in a broader search for the next 9/11. Understanding those day-to-day online skirmishes can help reveal the scale of the broader problem.
The Homeland Security Department runs a national clearinghouse of cyberthreat information known as the U.S. Computer Emergency Readiness Team, or US-CERT. Part of its job is to track cyberincidents, which DHS defines as violations of an organization’s security policy. That could include unauthorized attempts to access a network, DDoS attacks, or other nasty behavior.
In 2007 -- the year that Twitter was founded -- US-CERT received almost 12,000 cyberincident reports. That number had more than doubled by 2009, according to new statistics from the Government Accountability Office (PDF), and it had quadrupled by 2012. We're learning of more attacks, more often. From a certain point of view, this is a good thing: Growing awareness means improved detection.
Here’s another chart that breaks down the federal government’s own cyberincidents from last year:
More than two-fifths of the cyberincidents reported by federal agencies last year were attempts to access U.S. networks or propagate malicious code. And here’s something else: The incidence of denial-of-service attacks that disable a website with bogus traffic was hardly worth mentioning. Remember when hackers from Anonymous managed to take down the CIA’s website last February? Despite the breathless news coverage of that event, it was dwarfed by the number of other incidents the government recorded. And these are just the ones the government knows about.
All of which is to say that the universe of cyberincidents is gigantic, and that by focusing so closely on The Next Big Attack, the United States risks failing to connect the dots -- again.
I’ll leave you with some additional recent numbers on cyberintrusions, as reported by various actors:
The energy company BP says it suffers 50,000 attempts cyberintrusion a day.
The Pentagon reports getting 10 million attempts a day.
The National Nuclear Security Administration, an arm of the Energy Department, also records 10 million hacks a day.
The United Kingdom reports 120,000 cyberincidents a day.
That’s almost as many as the state of Michigan deals with.
Utah says it faces 20 million attempts a day -- up from 1 million a day two years ago.
How these groups define and count their cyberincidents could be fairly diverse; it stretches credibility to think that Utah would be a bigger target than the Defense Department, for example. But, altogether, the numbers provide a necessary sense of scale.