A New York Times article this week once again raised the issue of the growing threat of cyber attacks against the US. The article specifically focused on the growing number of cyber attacks from the Chinese Army against all sectors of the US computer infrastructure – from national defense to Coca Cola.
Although the Chinese have been aggressive in their attacks, the activity still appears to be less cyber attack than “cyber probing”: discovering weaknesses in government and industry computer networks for later use. Much of it has been attempts to install malware that would give China later access to sensitive computer systems.
The probes aren’t limited to government computers. In many cases, the Chinese have gone after manufacturers and vendors who supply computers to the government and other critical industries. As was discovered with the Stuxnet malware used against Iran’s nuclear infrastructure, the vendor’s software is often the soft underbelly of critical computer networks.
How good are America’s defenses against cyber attack? The answer from the experts is discouraging. And, there is little being done to make it better. Obama’s new executive order—with its focus on voluntary standards and information sharing—is unlikely to provide much protection. The executive order requires that new information-sharing, standards-setting, and R&D. The executive order—announced during Obama’s State of the Union address—won’t force companies to introduce measures that would protect infrastructure like the power grid.
So, what could happen if the US were hit with a “cyber Pearl Harbor?” America’s infrastructure is aging and much of it is privately owned, which prevents the government from mandating effective countermeasures.
There have been several incidents that worry IT experts. In 2011 U.S. officials investigated whether a foreign cyber attack may have caused a failure of a water pump at a public water district in Illinois. Around that same time, a hacker appeared to successfully infiltrate a South Houston water utility, displaying screenshots of critical instruments to prove the attack. And, although there have been no admitted attacks against the electric power grid, published reports have blamed cyber attacks for a number of high-profile power outages in Brazil between 2005 and 2007 that left tens of thousands in the dark.
Much of the concern centers on Supervisory Control and Data Acquisition, or SCADA, an archaic type of industrial control system that is used in many critical infrastructure areas like pipelines, electric grids and factories. Manufactured by the likes of General Electric and Siemens, these systems were thought to be very secure but have since become more connected to the dangerous world of the Internet. In fact, it was Siemens equipment that was attacked by the Stuxnet malware in Iran.
The potential of a cyber Pearl Harbor
As devastating as the Japanese attack on Pearl Harbor on December 7, 1941, was, a cyber Pearl Harbor could be more devastating to the US. Although the Pearl Harbor attack devastated the US Navy’s surface fleet, especially the battleships, America’s economic and war equipment infrastructure was intact. In addition, America’s population was untouched.
A cyber Pearl Harbor would seriously impact America’s economic infrastructure and civilian population. The most vulnerable areas would be the urban centers, especially on the East and West coasts.
The modern urban environment is dependent on constant electricity supplies and instant communications. While a loss of power may not necessarily generate panic, a sustained blackout in telecommunications could before long lead to widespread fear, as the public would not know how long the loss of electricity and communications would last.
A cyber attack against the electricity grid of a major city would create immediate problems, as people would lose the use of lighting and power in the first instance, and with it, experience the loss of data. Water supplies would also be disrupted, because electricity is used to pump water. Traffic lights would shut down – requiring motorists to drive slowly and forcing police into traffic control duties rather than law enforcement. Mass transit systems would stop, which would put more pressure on roads. Businesses would lose the ability to conduct electronic transactions, gas stations couldn’t pump gasoline, and shops and restaurants would stand to lose perishable goods through the loss of refrigeration. An attack during the winter could also lead to thousands of deaths from cold.
A coordinated cyber attack could be devastating. Imagine several major terrorist attacks combined with a multifaceted cyber attack.
Assume several terrorist attacks in several major US cities – either using hijacked aircraft like 9-11, large car bombs, or terrorist attacks on hotels like Mumbai, India. Soon after the attacks, power and communications systems of these and other major cities would be cyber attacked. Inside the cities, the breakdown would hamper response and rescue attempts. Outside the cities, the rest of America would only know that attacks were taking place throughout the country, but not know the extent of the attacks. Each city experiencing power and communications failures would be assumed to be the victim of a terrorist attack.
Secondary attacks against banks would further hamper the nation as it would prevent customers from getting cash from banks or ATMs to make purchases. Cyber attacks against gas and oil pipelines would hamper transportation and even the heating in houses with gas furnaces.
If infrastructure and government entities were unable to quickly restore order, civil unrest could quickly spread in the urban areas, where people would be unable to acquire food or water. Army and National Guard units would be mobilized to control the unrest, leaving the nation unprepared for other dangers.
This isn’t a worst case scenario. Although many urban areas like the Northeast and Southern California would be heavily hit, rural areas, which are less dependent on complex logistics systems, would remain in relatively good shape. Food production would continue, although getting it to urban areas would be hampered. The ability to control civil unrest in urban areas and restore power, water and food supplies would determine the long term impact of such an attack.
Unfortunately, given the emergency response to the recent Hurricane Sandy in the Northeast, there is some question about the ability of the government to respond. The hurricane was foreseen and the damage limited to areas near the coast, but many suffered infrastructure failure lasting days and weeks. Clearly the government would be hard pressed to handle a larger geographic area.
Clearly the US is vulnerable to cyber attack. The first line of defense against such a cyber Pearl Harbor is the companies that provide infrastructure services, which must harden their computers against such an attack. The second line of defense is the emergency response ability of the federal, state, and local governments to limit any disruption once it occurs, and bring systems back to normal conditions within the shortest time possible. Both are questionable capabilities at this point.