First your cell phone doesn’t work. Then you notice that you can’t access the Internet. Down on the street, ATMs won’t dispense money. Traffic lights don’t function, and calls to 911 don’t get routed to emergency responders. Radios report that systems controlling dams, railroads, and nuclear power plants have been remotely infiltrated and compromised. The air-traffic control system shuts down, leaving thousands of passengers stranded or rerouted and unable to communicate with loved ones. This is followed by a blackout that lasts not hours but days and even weeks. Our digital civilization shudders to a halt. When we emerge, millions of Americans’ data are missing, along with billions of dollars.
This scenario may sound like the latest doomsday blockbuster to come out of Hollywood. But each of the elements described above has occurred over the past decade as the result of a cyber-attack. Cyber-attacks are an accelerating threat, still without generally accepted terminology, effective deterrents, or comprehensive legal remedies. They are weapons of mass disruption, used by adversaries cloaked in anonymity, that could prove at least temporarily crippling to the digital infrastructure of modern society. This kind of attack is attractive to America’s enemies, not only because it allows weaker entities to take on far stronger ones but because it turns our technological strength into a weakness.
We know that al-Qaida is interested in cyber-terrorism. Seized al-Qaida computers show details about Supervisory Control and Data Acquisition (SCADA) systems in America, which control critical infrastructure, including electrical grids, nuclear plants, fiber-optic cables, oil and gas pipelines, dams, railroads, and water storage and distribution facilities. SCADA systems were never meant to be accessed by the public, but many are now controlled via the Internet, leaving them vulnerable to infiltration and attack. The al-Qaida computers also contained schematics of a U.S. dam, along with engineering software that enabled operatives to simulate its catastrophic failure and flooding of populated areas. One al-Qaida safe house in Pakistan was devoted to the operational study of Internet attacks, according to terrorism expert Magnus Ranstorp.
Perhaps America’s most dangerous online adversary is not the Islamic radical but the “hacktivist,” the technological equivalent of the lone gunman. “We’re facing people who, to quote the Joker, ‘just want to watch it all burn,’ ” says Tom Rushmore, whose New York–based small business lost $1.7 million between 2001 and 2003 to hacktivists. In March 2000, 49-year-old Vitek Boden, fired from his job at an Australian sewage-treatment plant, remotely gained control of its systems and flooded Queensland rivers, coastland, and parks with 1 million liters of raw sewage, causing millions of dollars of damage. In the United States, a researcher at IBM Security Services named Scott Lunsford successfully test-hacked into a nuclear power plant in 2007, despite assurances from the Nuclear Regulatory Commission that it would be nearly impossible. “It turned out to be one of the easiest penetration tests I’ve ever done,” Lunsford told Forbes. “By the first day, we had penetrated the network. Within a week, we were controlling a nuclear power plant. I thought, ‘Gosh. This is a big problem.’ ”
In less friendly hands than Lunsford’s, the ability to control a city’s power supply remotely could be devastating. Experimental cyber-attacks by the Department of Homeland Security have made electrical generators self-destruct. Recent congressional hearings concluded that vulnerabilities in both private and public power companies remain largely unaddressed. Energy infrastructure has already been hit abroad: “We have information that cyber-attacks have been used to disrupt power equipment in several regions outside the United States,” CIA senior analyst Tom Donahue said at a 2008 conference in New Orleans. “In at least one case, the disruption caused a power outage affecting multiple cities.”
The relatively recent development of globally interconnected digital networks has also given rise to a new era of espionage. Every day, the Department of Defense detects 3 million unauthorized computer probes of its networks, while the State Department fends off 2 million. The New York Police Department reports 70,000 attempted electronic intrusions daily. In 2007, the House Committee on Oversight and Government Reform gave the Department of Defense, the State Department, the Treasury Department, and the Nuclear Regulatory Commission an “F” on the Federal Computer Security Report Card. In June of that year, spies believed to be associated with China’s military successfully hacked into Secretary of Defense Robert Gates’s office computer system, forcing 1,500 computers to be taken offline. This followed extensive Chinese excursions into computers at the State Department and the U.S. Naval War College (whose computer system had to be shut down for several weeks).
China, in fact, has pursued cyber-espionage with particular intensity. “The Chinese operate both through government agencies, as we do, but they also operate through sponsoring other organizations that are engaging in this kind of international hacking, whether or not under specific direction,” Joel Brenner, a Bush and Obama administration senior counterintelligence official, told National Journal last year. In 2008, both the Obama and McCain presidential campaigns were infiltrated by electronic spies believed to be from China, who accessed internal position papers and travel plans as a way to gain information about the next president of the United States. In today’s White House, all cell phones must be surrendered before entering the Oval Office, Roosevelt Room, or Situation Room, for fear that embedded audio or video inputs might be remotely activated.
And the problem doesn’t stop at spying and potential theft of government secrets. Spies from Russia and China have cracked into the U.S. electrical grid and left behind software programs that could be used to disrupt or destroy critical infrastructure. “If we go to war with them,” an intelligence official told the Wall Street Journal this April, “they will try to turn them on.” The Pentagon also believes that Chinese military hackers have compiled a detailed plan to disable the U.S. aircraft carrier fleet. And in the spring of 2009, the Journal reported that elements of the $300 billion Joint Strike Fighter program—the most expensive in Department of Defense history—had been infiltrated by electronic spies from China.
Though we’ve been aware of the danger for at least a decade, the United States is still playing catch-up. In 2007, the Bush administration invested $17 billion in the Comprehensive National Cyber-Security Initiative, which identified and shored up existing vulnerabilities as well as developed procedures to use against significant Web intruders. Soon after his inauguration, President Obama declared that cyber-infrastructure would be considered a strategic national asset and announced that he would appoint a cyber-czar to direct all federal efforts out of the White House in coordination with both the National Security Council and the National Economic Council. Months after this announcement, however, the position remained unfilled. The Department of Homeland Security plans to hire up to 1,000 experts in computer security over the next three years. The Pentagon, for its part, has proposed a new military command for cyberspace, and several cyber-security bills are making their way through the Senate.
But our progress is not outpacing the proliferation of the threat. A two-day U.S. government war simulation in the last weeks of the Bush administration found, in the words of participants, that “the United States is unprepared for a major hostile attack against vital computer networks.” Whether it is perpetrated by al-Qaida, a hostile nation, or a lone hacker, we cannot afford to wait for a digital Pearl Harbor to take this threat seriously. Delay is denial. Cyber-attacks are coming—it’s not a question of if, but when and to what extent.