ASPartOfMe
Veteran
Joined: 25 Aug 2013
Age: 66
Gender: Male
Posts: 34,419
Location: Long Island, New York

13 Apr 2022, 9:14 pm

James B. Meigs for Commentary

Quote:
The event that would come to be known as “Cyber Harbor,” or “Cyber 11th,” started small. One morning, the “autopilot” mode on some Tesla cars started going haywire. First, dozens, then thousands of cars began veering into oncoming traffic all across the country. Emergency rooms were swamped with crash victims. Then, office workers in dozens of industries watched in shock as their computers began spontaneously deleting files. It took about 24 hours for officials to realize that these scattered problems were connected. The power grid was next: Blackouts began in California and soon rolled across most of the U.S. The Internet started crumbling as well. Routine communications became impossible.

It took only a few days for grocery-store shelves to go bare. Gas stations put out “No Fuel” signs. Even if supplies of food and gas were available, trucks couldn’t deliver them. The country’s banking system had collapsed; with credit cards and ATMs disabled, truckers had no way to buy diesel fuel. The backup generators powering hospitals, police stations, water-treatment plants, and other critical infrastructure eventually drained their fuel tanks and went silent.

In most cities, the looting tapered off after about two weeks. There was nothing left to steal. By then, armed gangs had begun roaming the suburbs, breaking into houses and ordering the terrified homeowners to surrender any hidden caches of food.

Russian leaders have raised the threat of nuclear weapons several times during this conflict. We need to take that threat seriously, especially if Putin concludes that his regime, and therefore his life, is at risk. But a full-blown cyberwar is far more likely than a nuclear exchange. And it could be just as devastating.

We usually think of cyberattacks as threats to things that exist in the nonmaterial world—assets such as personal data, bank accounts, or trade secrets. For example, the 2014 hack of Sony Pictures’ emails and other records nearly destroyed the company simply by exposing confidential information, including nasty cracks studio execs had made about various Hollywood players. Ransomware attacks routinely force businesses to pay up large sums to get back their critical files. But hackers can also wreak havoc in the physical world—the world of industrial facilities, power plants, and pipelines. That’s when things really get scary.

This isn’t a new worry, but it is a risk that’s growing, for several reasons. First, our vital infrastructure is more automated than ever before. Most big industries use some sort of SCADA system to operate remote equipment. The acronym stands for Supervisory Control And Data Acquisition, and that’s just what these systems do: They monitor conditions, such as the pressure in a particular tank, and they send instructions, say, a command to turn on a pump or close a valve. Today, SCADA systems are used to operate everything from oil refineries to stoplights. If hackers were to seize control of such networks, they could do enormous damage.

Second, there are more computers to hack: Not just smartphones and laptops, but the myriad devices that make up the Internet of Things—digital doorbells, smart speakers, thermostats, children’s toys, and more. These IoT devices are all connected to the Internet, and many are poorly protected from digital intruders. Hackers might be able to spy on you through your security cameras or disable your digital front-door lock. More likely, they’ll hijack your devices to serve in a “botnet army” they can use for other malicious activities such as Distributed Denial of Service (DDoS) attacks that overwhelm targeted websites with bogus traffic. “Everything is becoming vulnerable in this way, because everything is becoming a computer,” writes security expert Bruce Schneier in his genuinely terrifying book, Click Here to Kill Everybody.

That interconnectedness of all these previously disparate technologies is the third factor greasing the skids toward cyberwar. Not long ago, the only way to start your car was by using a small piece of precisely tooled metal—a key. Today, most cars can be started remotely, including from your smartphone. Modern vehicles contain 50 or more computer systems, and many receive automatic, over-the-air software updates. Once, a criminal who wanted access to your car would have had to jimmy the lock. Today, a few bits of malicious code could give a hacker entrée to all vehicles of a particular make and model. To put it another way, hackers trying to sow chaos on our highways wouldn’t need to target individual cars; they could target entire networks of cars. Now apply that same logic to other networks of crucial technology: gas pumps, ATMs, aircraft cockpits, hospital ICUs, and so on.

The SCADA networks that control critical infrastructure such as pipelines and power plants are pretty well protected. But in some ways, they are less secure than they once were. Two decades ago, most SCADA networks were hardwired, standalone systems. You couldn’t access them through the Internet.

Today, these systems typically use the Internet to communicate with their various components, such as, say, pumps on a pipeline. Those Internet links give hackers many more points of entry, or, in security jargon, a bigger “attack surface.”

Not surprisingly, hacking, viruses, and other threats to these networks are on the rise. Failures of SCADA and similar systems have knocked out signals along busy freight and passenger rail lines, simultaneously shut down 13 Chrysler manufacturing plants, and forced the Browns Ferry nuclear-power station offline. In 2016, the U.S. Justice Department revealed that the computerized control system for a small dam in Rye, New York, had been temporarily taken over by Iranian hackers.

Last year, the mysterious hacking collective Darkside infiltrated the SCADA system for Colonial Pipeline, the biggest artery that delivers gasoline and other fuels from Texas refineries to the East Coast. Rather than trying to damage the pipelines directly, the hackers simply encrypted crucial files on the computer network. They then demanded a huge ransom to un-encrypt them. Colonial had to shut down more than 5,000 miles of pipelines for nearly a week. Had the shutdown continued, the northeast’s supply of gasoline and jet fuel would have been cut almost in half.

Evidence suggests the hackers weren’t actually trying to close the pipeline; they were just after money. But, intentionally or not, the Darkside hack was a kind of proof of concept: It revealed just how easy it is to cripple U.S. energy infrastructure.

The electric power grid is another worry. Hackers routinely try to infiltrate U.S. power plants, control centers, and substations. As in the Darkside case, most intruders are after data and money, as opposed to trying to destroy the grid. But today’s freelance cybercriminals could easily be recruited by hostile governments to tackle more ambitious projects. In 2017, the U.S. Department of Energy and several states conducted a two-day simulation of a cyberattack on the East Coast power grid. The results were sobering. It would take roughly three weeks to restore power, the experts concluded, and the blackout would also disrupt supplies of gasoline and other necessities.

These threats aren’t merely theoretical. In 2015, suspected Russian hackers infiltrated an electricity transmission station outside (surprise, surprise) Kyiv, Ukraine, blacking out part of the city. The highly automated malware simply took over grid operators’ computers and began remotely flipping circuit breakers as the stunned workers watched. “It seemed like something in a Hollywood movie,” one said. Fortunately, utility workers were able to restore power manually within an hour. But that was cold comfort. Security experts believe that the intruders weren’t actually trying to trigger a long-term blackout; they were just doing a trial run.

Grid saboteurs have also made what appear to be practice runs targeting U.S. power networks. One chilling 2013 incident at a power substation in northern California even included physical attacks on infrastructure. Investigators believe that multiple attackers severed underground fiber-optic cables and then fired more than 100 rounds of ammunition at the facility’s transformers. The attackers, who seemed to have had detailed knowledge of the substation’s weak points, were never caught. Grid experts shudder at the notion of a coordinated attack combining such physical attacks on infrastructure with widespread cyber disruptions.

In 2012, Iranian hackers attacked Aramco, the Saudi Arabian energy giant that produces about 10 percent of the world’s oil. The hackers didn’t try to blow up oil refineries or crash supertankers. They just exploited a weakness in Microsoft’s Windows operating system to take over the computers of some 40,000 Aramco office employees. Workers in marketing, finance, HR, and other departments watched as the “wiper virus” systematically erased files and then disabled 85 percent of the company’s computers. Aramco’s only solution was to unplug every workstation and completely disconnect from the Internet.

Of course, that made work impossible. In an effort to go green, Aramco had done away with most paper records. So the company didn’t have a database of customers or vendors, or even contact information for its own employees.

Whether they originate from Russia, or Iran, or just from bands of dirtbag hackers, bigger and bolder cyberattacks are coming. In the U.S., the military, law enforcement, and the private sector are all improving their cybersecurity chops. But we need to do more.

Eli Lake warned that the U.S. must also prepare for the possible day when our digital defenses fail and our critical infrastructure goes dark. “Doing so requires the revival of the Cold War concept of civil defense,” he writes. Every community needs a plan to cope with an extended breakdown of the power grid, communications, and other vital services. That should include ensuring fuel supplies for backup diesel generators, and even stockpiling emergency food rations.

Private business and public utilities should rethink their fashionable focus on lean, just-in-time supply chains. Efficiency has been the watchword, but as the Covid pandemic revealed, hyper-efficient supply chains are also hyper-vulnerable to disruption. We need more redundancy—more slack in the system. That goes double for the power grid and other physical infrastructure.

Any information an organization can’t function without should have a paper backup.

Homeowners as well need to plan for the worst. We don’t all need to start building fallout shelters, but every home should have enough food, medicine, batteries, and other essentials to survive for three weeks at least. And toilet paper. Never forget the toilet paper.


_________________
Professionally Identified and joined WP August 26, 2013
DSM 5: Autism Spectrum Disorder, DSM IV: Aspergers Moderate Severity

It is Autism Acceptance Month

“My autism is not a superpower. It also isn’t some kind of god-forsaken, endless fountain of suffering inflicted on my family. It’s just part of who I am as a person”. - Sara Luterman


Rossall
Veteran
Joined: 20 Oct 2021
Age: 53
Gender: Male
Posts: 5,283
Location: Manchester, UK

15 Apr 2022, 3:59 pm

Must admit I've turned my kitchen into a potential nuclear bunker in between my fridge and cooker. Have got bottled water, candles and a battery-powered radio in case Putin loses the plot.

We survived Al-Qaeda and IS so really I don't think things will get as bad as you suggest.


_________________
Diagnosed with ADHD - Inattentive type and undiagnosed aspergers.

Interests: music (especially 80s), computers, electronics, amateur radio, soccer (Liverpool).


Fenn
Veteran
Joined: 1 Sep 2014
Gender: Male
Posts: 2,459
Location: Pennsylvania

19 Apr 2022, 5:23 pm

News Flash

We already have.
Cyberwarfare happens every day.
Just like the cold war does.

Spy vs Spy


_________________
ADHD-I(diagnosed) ASD-HF(diagnosed)
RDOS scores - Aspie score 131/200 - neurotypical score 69/200 - very likely Aspie