October 01, 2012

Forget Revolution

Government officials sometimes describe a kind of Hieronymus Bosch landscape when warning of the possibility of a cyber attack on the electric grid. Imagine, if you will, that the United States is blindsided by an epic hack that interrupts power for much of the Midwest and mid-Atlantic for more than a week, switching off the lights, traffic signals, computers, water pumps, and air conditioners in millions of homes, businesses, and government offices. Americans swelter in the dark. Chaos reigns!

Here's another nightmare scenario: An electric grid that serves two-thirds of a billion people suddenly fails in a developing, nuclear-armed country with a rich history of ethnic and religious conflict. Rail transportation is shut down, cutting off travel to large swathes of the country, while many miners are trapped underground. 

Blackouts on this scale conjure images of civil unrest, overwhelmed police, crippled hospitals, darkened military bases, the gravely injured in the back of ambulances stuck in traffic jams.

The specter of what Defense Secretary Leon Panetta has called a "digital Pearl Harbor" led to the creation of U.S. Cyber Command, which is tasked with developing both offensive and defensive cyber warfare capabilities, and prompted FBI Director Robert Mueller to warn in March that cyber attacks would soon be "the number one threat to our country." Similar concerns inspired both the Democrats and Republicans to sound the alarm about the cyber threat in their party platforms.

But are cyber attacks really a clear and present danger to society's critical life support systems, capable of inflicting thousands of casualties? Or has fear of full-blown cybergeddon at the hands of America's enemies become just another feverish national obsession -- another of the long, dark shadows of the 9/11 attacks?

Worries about a large-scale, devastating cyber attack on the United States date back several decades, but escalated following attacks on Estonian government and media websites during a diplomatic conflict with Russia in 2007. That digital ambush was followed by a cyber attack on Georgian websites a year later in the run-up to the brief shooting war between Tbilisi and Moscow, as well as allegations of a colossal, ongoing cyber espionage campaign against the United States by hackers linked to the Chinese army.

Much of the concern has focused on potential attacks on the U.S. electrical grid. "If I were an attacker and I wanted to do strategic damage to the United States...I probably would sack electric power on the U.S. East Coast, maybe the West Coast, and attempt to cause a cascading effect," retired Admiral Mike McConnell said in a 2010 interview with CBS's 60 Minutes.

But the scenarios sketched out above are not solely the realm of fantasy. This summer, the United States and India were hit by two massive electrical outages -- caused not by ninja cyber assault teams but by force majeure. And, for most people anyway, the results were less terrifying than imagined.

First, the freak "derecho" storm that barreled across a heavily-populated swath of the eastern United States on the afternoon of June 29 knocked down trees that crushed cars, bashed holes in roofs, blocked roads, and sliced through power lines.

According to an August report by the U.S. Department of Energy, 4.2 million homes and businesses lost power as a result of the storm, with the blackout stretching across 11 states and the District of Columbia. More than 1 million customers were still without power five days later, and in some areas power wasn't restored for 10 days. Reuters put the death toll at 23 people as of July 5, all killed by storms or heat stroke.

The second incident occurred in late July, when 670 million people in northern India, or about 10 percent of the world's population, lost power in the largest blackout in history. The failure of this huge chunk of India's electric grid was attributed to higher-than-normal demand due to late monsoon rains, which led farmers to use more electricity in order to draw water from wells. Indian officials told the media there were no reports of deaths directly linked to the blackouts.

But this cataclysmic event didn't cause widespread chaos in India -- indeed, for some, it didn't even interrupt their daily routine. "[M]any people in major cities barely noticed the disruption because localized blackouts are so common that many businesses, hospitals, offices and middle-class homes have backup diesel generators," the New York Times reported.

The most important thing about both events is what didn't happen. Planes didn't fall out of the sky. Governments didn't collapse. Thousands of people weren't killed. Despite disruption and delay, harried public officials, emergency workers, and beleaguered publics mostly muddled through.

The summer's blackouts strongly suggest that a cyber weapon that took down an electric grid even for several days could turn out to be little more than a weapon of mass inconvenience.

"Reasonable people would have expected a lot of bad things to happen" in the storm's aftermath, said Neal A. Pollard, a terrorism expert who teaches at Georgetown University and has served on the United Nations' Expert Working Group on the use of the Internet for terrorist purposes. However, he said, emergency services, hospitals, and air traffic control towers have backup systems to handle short-term disruptions in power supplies. After the derecho, Pollard noted, a generator truck even showed up in the parking lot of his supermarket.

The response wasn't perfect, judging by the heat-related deaths and lengthy delays in the United States in restoring power. But nor were the people without power as helpless or clueless as is sometimes assumed.

That doesn't mean the United States can relax. James Lewis, director of the technology program at the Center for Strategic and International Studies, believes that hackers threaten the security of U.S. utilities and industries, and recently penned an op-ed for the New York Times calling the United States "defenseless" to a cyber-assault. But he told Foreign Policy the recent derecho showed that even a large-scale blackout would not necessarily have catastrophic consequences.

"That's a good example of what some kind of attacks would be like," he said. "You don't want to overestimate the risks. You don't want somebody to be able to do this whenever they felt like it, which is the situation now. But this is not the end of the world."

The question of how seriously to take the threat of a cyber attack on critical infrastructure surfaced recently, after Congress rejected a White House measure to require businesses to adopt stringent new regulations to protect their computer networks from intrusions. The bill would have required industries to report cyber security breaches, toughened criminal penalties against hacking, and granted legal immunity to companies cooperating with government investigations.

Critics worried about regulatory overreach. But the potential cost to industry also seems to be a major factor in the bill's rejection. A January study by Bloomberg reported that banks, utilities, and phone carriers would have to increase their spending on cyber security by a factor of nine, to $45.3 billion a year, in order to protect themselves against 95 percent of cyber intrusions.

Likewise, some of the bill's advocates suspect that in the aftermath of a truly successful cyber attack, the government would have to bail the utilities out anyway. Joe Weiss, a cyber security professional and an authority on industrial control systems like those used in the electric grid, argued that a well-prepared, sophisticated cyber attack could have far more serious consequences than this summer's blackouts. "The reason we are so concerned is that cyber could take out the grid for nine to 18 months," he said. "This isn't a one to five day outage. We're prepared for that. We can handle that."

But pulling off a cyber assault on that scale is no easy feat. Weiss agreed that hackers intent on inflicting this kind of long-term interruption of power would need to use a tool capable of inflicting physical damage. And so far, the world has seen only one such weapon: Stuxnet, which is believed to have been a joint military project of Israel and the United States. 

Ralph Langner, a German expert on industrial-control system security, was among the first to discover that Stuxnet was specifically designed to attack the Supervisory Control and Data Acquisition system (SCADA) at a single site: Iran's Natanz uranium-enrichment plant. The computer worm's sophisticated programs, which infected the plant in 2009, caused about 1,000 of Natanz's 5,000 uranium-enrichment centrifuges to self-destruct by accelerating their precision rotors beyond the speeds at which they were designed to operate.

Professionals like Weiss and others warned that Stuxnet was opening a Pandora's Box: Once it was unleashed on the world, they feared, it would become available to hostile states, criminals, and terrorists who could adapt the code for their own nefarious purposes. But two years after the discovery of Stuxnet, there are no reports of similar attacks against the United States. What has prevented the emergence of such copycat viruses?

A 2009 paper published by the University of California, Berkeley, may offer the answer. The report, which was released a year before Stuxnet surfaced, found that in order to create a cyber weapon capable of crippling a specific control system -- like the ones operating the U.S. electric grid -- six coders might have to work for up to six months to reverse engineer the targeted center's SCADA system.

Even then, the report says, hackers likely would need the help of someone with inside knowledge of how the network's machines were wired together to plan an effective attack. "Every SCADA control center is configured differently, with different devices, running different software/protocols," wrote Rose Tsang, the report's author.

Professional hackers are in it for the money -- and it's a lot more cost-efficient to search out vulnerabilities in widely-used computer programs like the Windows operating system, used by banks and other affluent targets, than in one-of-a-kind SCADA systems linked to generators and switches.

According to Pollard, only the world's industrial nations have the means to use the Internet to attack utilities and major industries. But given the integrated global economy, there is little incentive, short of armed conflict, for them to do so. "If you're a state that has a number of U.S. T-bills in your treasury, you have an economic interest in the United States," he said. "You're not going to have an interest in mucking about with our infrastructure."

There is also the threat of retaliation. Last year, the U.S. government reportedly issued a classified report on cyber strategy that said it could respond to a devastating digital assault with traditional military force. The idea was that if a cyber attack caused death and destruction on the scale of a military assault, the United States would reserve the right to respond with what the Pentagon likes to call "kinetic" weapons: missiles, bombs, and bullets.

An unnamed Pentagon official, speaking to the Wall Street Journal, summed up the policy in less diplomatic terms: "If you shut down our power grid, maybe we will put a missile down one of your smokestacks."

Deterrence is sometimes dismissed as a toothless strategy against cyber attacks because hackers have such an easy time hiding in the anonymity of the Web. But investigators typically come up with key suspects, if not smoking guns, following cyber intrusions and assaults -- the way suspicions quickly focused on the United States and Israel after Stuxnet was discovered. And with the U.S. military's global reach, even terror groups have to factor in potential retaliation when planning their operations.

None of these considerations is an argument for dismissing the risk of cyber attacks. However, they do suggest the need to keep the degree of risk in perspective. In an op-ed last year in The Hill, the Center for a New American Security's Kristin M. Lord and Travis Sharp warned the United States to avoid "billion dollar solutions to million dollar problems."

"A collective sense of urgency is needed about the growing threats in cyber space," they wrote. "But so too is pragmatic levelheadedness expressed through a U.S. cyber security strategy that prioritizes intelligently. Such a strategy will enable the U.S. government to craft policies that ensure safe access to the Internet without breaking the bank."

Strengthening U.S. cyber security is common sense, like locking your door at night. But it's one thing to turn the lock -- and another to spend the night hunched in your living room with a shotgun.