SPECIAL SERIES: Cybersecurity: The Next Great Battlefield
In this series of articles running through July, RealClearPolitics and RealClearDefense take an in-depth look at the intersection of cybersecurity, technology, and warfare in the 21st century. Below is Part 8.
Cyberattacks take many forms, but most are never seen. They fall into at least two general categories: those that seek to steal and those that seek to disrupt or destroy. The former have generated most of the interest and press over the last few years. The latter are far more threatening.
The scale of the threat is far beyond what most Americans realize. According to reliable sources, counting each attempt at “phishing” or other kinds of illicit entries, on average a U.S. company is attacked at least 4 million times a year. That’s 7.6 attacks per minute for each company. The average financial services company is attacked 1 billion times a year, which is 1,920 times a minute. And even a low-cyber-priority government organization like the U.S. Postal Service was attacked 4 billion times in 2016, which is 7,610 times a minute.
Around 82 percent of attackers are private hacktivists, who often have a political agenda. They have a less than 1 percent chance of breaking into a system. Cyber criminals mount 15 to 17 percent of attacks. Motivated by financial gain, they are much more effective, with a success rate of about 20 percent.
But state-sponsored attacks are by far the most effective. They constitute only an estimated 2 percent of total attacks, but are effective an estimated 98 percent of the time. True, a full-on cyberwar has not yet happened. However, senior military officers have said they believe unequivocally that the next major war will begin in cyberspace. In military parlance, it is called “phase zero.” Of phase zero attacks, cyber assaults on electrical grids are considered in the intelligence community to be more than possible, and could prove to be devastating.
We think we know what might happen in a cyberattack on our nation’s electrical grid. We would likely face a mountain of temporary inconveniences: ATMs not working; payment processing services that credit and debit cards rely upon not functioning; mobile phone service spotty -- and then nonexistent when the batteries in the phones and the transmission towers run down. With no GPS navigation, we’d have no Google Maps or Apple Maps to guide us. This could go on for several days, as it did in 2007 when Russia attacked Estonia in this way. But with the combined efforts of the private sector, the U.S. government, and the military working to address the crisis, it should be resolved within a week -- right?
It is where threats intersect that the greatest risk lies. The federal government designates 16 key infrastructure sectors. Fifteen of these include communications, critical manufacturing, emergency services, financial services, food and agriculture, health care, transportation, information technology, and chemicals. The 16th is electrical power.
All of the other 15 depend on electrical power. And electricity generation, transmission, and management is today governed entirely by computer systems. The vulnerability of these systems can scarcely be overestimated. Let’s take the most basic requirement of life: water. Water in most major cities is pumped. In many places, with no power, there would be no water.
Here’s where the issue of intersecting threats gets truly ominous. We are not just talking about no water to drink, and the necessity of getting by on bottled water (while supplies last). We are talking about no water for sanitation: no water to flush toilets and no water to wash hands. And without sanitation, we are talking about the threat of disease running rampant. And no functioning health system to deal with it. Diseases that flourish without sanitation are almost unseen in the developed world. But in the absence of sanitation, dysentery, hepatitis, cholera, typhoid, cryptosporidiosis, and other maladies can quickly emerge. Because most of us have no experience with this kind of thing, we have no idea what a typhoid or cholera epidemic is like. (In addition, as we learned in Puerto Rico last year, no electricity for pumps means no water abatement or flood control. The streets of San Juan were flooded for months not because of Hurricane Maria, but because there was no electricity to power the pumps that regularly cycle the water out of low-lying neighborhoods year-round.)
Imagine one of our large cities with no power, no water, no phones, no email, no texting, no food, no refrigeration, limited currency exchange, no functioning hospitals, no sanitation services, no public transportation, and no effective law enforcement. Now imagine dozens of our large cities, perhaps all the large cities in, say, the eastern half of the country, in that predicament.
That could be the result of a major and effective attack on one of the three primary power grids, or interconnections, supplying power to the continental United States: the Eastern Interconnection, the Western Interconnection, and the Texas Interconnection. Interconnections are alternating-current power grids that synchronize and tie together electric utilities in their regions. And power grids are the ultimate “soft targets.”
Cyberattacks are low in cost, asymmetrical (meaning they can cause large amounts of damage for a small amount of effort), and to some extent anonymous — or, at least, difficult and time-consuming to trace. Many potential combatants have what are essentially sleeper cells, already installed within networks in other countries, including the United States, that could strike with devastating speed and effect.
One of the most troubling issues regarding the electric grid’s vulnerability is directly related to the ability of cyberattacks to cause physical damage to actual structures — not only computers. In the Stuxnet attacks, mounted in 2010 by the National Security Agency and the Israel Defense Forces, a computer virus damaged centrifuges in Iran. It’s fanciful to think that our adversaries didn’t learn a lesson from this episode.
Major electrical grid attacks would almost certainly focus on the SCADA (Supervisory Control and Data Acquisition) systems, which govern the entire electrical grid in every country. Because the software is essentially the same in every country, the vulnerability is global.
Power grids work by maintaining a delicate balance between the amount of power generated and the amount of power used, which changes from place to place on a moment-by-moment basis and must be carefully managed. To put it in simple terms, it is essential to maintain a balance of power going in and power going out. Think of a balloon (or really, a series of balloons) with air going in one end and out the other, which have to be kept inflated to a specific, desired level by carefully monitoring the amount of air entering and exiting. Too much air and the balloon bursts; too little and it deflates. If these SCADA management systems are disabled or destroyed, cascading failures can wipe out the grid. Not only can SCADA systems be hacked, but in a sophisticated attack, the monitoring components (the parts that human managers watch, to make sure nothing is going wrong) can also be spoofed, to make it seem to observers that things are normal -- until it is too late.
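The balance described above can be made concrete with a small model. The following Python is an added illustration, not part of the original article: frequency drifts with the gap between generation and load, protection trips a unit when frequency leaves a safe band, each trip widens the gap (the cascade), and under-frequency load shedding is shown as the counter that arrests it. It also shows the defender's answer to spoofed monitoring, a cross-check of the operator-facing value against independent field readings. The setpoints, sensitivity, fleet sizes and readings are all constructed assumptions, not real grid parameters.

```python
"""Toy model of generation/load balance, cascading trips, load shedding,
and a spoof check on operator-facing telemetry.  Constructed illustration;
every constant below is an assumption, not a real grid parameter."""
from dataclasses import dataclass, replace
from typing import Any, Dict, List

NOMINAL_HZ = 60.0
UNDERFREQ_TRIP_HZ = 59.3   # assumed generator under-frequency protection setpoint
OVERFREQ_TRIP_HZ = 60.7    # assumed over-frequency protection setpoint
HZ_PER_MW = 0.004          # assumed sensitivity of frequency to MW imbalance (toy)


@dataclass(frozen=True)
class Generator:
    name: str
    output_mw: float
    online: bool = True


def system_frequency(gens: List[Generator], load_mw: float) -> float:
    """Frequency rises when generation exceeds load and falls when it lags."""
    generation = sum(g.output_mw for g in gens if g.online)
    return NOMINAL_HZ + HZ_PER_MW * (generation - load_mw)


def lose_unit(gens: List[Generator], name: str) -> List[Generator]:
    """Return a copy of the fleet with one unit forced offline."""
    return [replace(g, online=False) if g.name == name else g for g in gens]


def simulate(gens: List[Generator], load_mw: float, shed_step_mw: float = 0.0,
             max_rounds: int = 20) -> Dict[str, Any]:
    """Run protection rounds until frequency is back in band or nothing is online.

    shed_step_mw > 0 enables under-frequency load shedding: load is dropped in
    steps before generator protection is allowed to trip a unit."""
    gens = list(gens)
    tripped: List[str] = []
    shed_mw = 0.0
    for _ in range(max_rounds):
        online = [g for g in gens if g.online]
        if not online:
            return {"blackout": True, "frequency_hz": None,
                    "tripped": tripped, "shed_mw": shed_mw}
        f = system_frequency(gens, load_mw - shed_mw)
        if UNDERFREQ_TRIP_HZ <= f <= OVERFREQ_TRIP_HZ:
            return {"blackout": False, "frequency_hz": round(f, 3),
                    "tripped": tripped, "shed_mw": shed_mw}
        if f < UNDERFREQ_TRIP_HZ and shed_step_mw > 0:
            shed_mw += shed_step_mw      # shed load to restore the balance
            continue
        # Toy protection rule: the largest online unit trips on an out-of-band
        # frequency, removing more generation and deepening the imbalance.
        victim = max(online, key=lambda g: g.output_mw)
        gens = lose_unit(gens, victim.name)
        tripped.append(victim.name)
    raise RuntimeError("did not settle within max_rounds")


def spoof_suspected(hmi_hz: float, field_hz: List[float],
                    tolerance_hz: float = 0.1) -> bool:
    """Flag an operator-display value that most independent field readings contradict."""
    disagreeing = sum(1 for r in field_hz if abs(r - hmi_hz) > tolerance_hz)
    return disagreeing > len(field_hz) // 2


# Constructed fleet and load for the demonstration.
FLEET = [Generator("A", 400.0), Generator("B", 350.0), Generator("C", 300.0)]
LOAD_MW = 1000.0

if __name__ == "__main__":
    print("healthy:", simulate(FLEET, LOAD_MW))
    print("lose C, no shedding:", simulate(lose_unit(FLEET, "C"), LOAD_MW))
    print("lose C, 100 MW shedding:",
          simulate(lose_unit(FLEET, "C"), LOAD_MW, shed_step_mw=100.0))
    print("HMI shows 60.0, field reads ~59.0:",
          spoof_suspected(60.0, [59.0, 59.05, 58.95]))
```

Losing one 300 MW unit in the model pushes frequency below the trip setpoint; without shedding, protection removes the next unit and the cascade ends in a total blackout, while shedding 100 MW of load settles the system at 59.4 Hz. The spoof check is the simple idea of never trusting a single operator-facing value: when independent field readings disagree with what the display reports, the display is the thing to suspect.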
But if we eventually cope, as we did in Puerto Rico, with even the most devastating natural disasters, surely we can cope with -- and eventually overcome -- the effects of even very serious cyber disasters. But there’s a key difference. Cyberattacks are not a one-time crisis. Because they are deliberate, they can be ongoing. An initial attack could knock out a power grid, and then once it is fixed, a subsequent attack could knock it out again from another direction. Such iterative series of attacks can continue unabated for an indefinite amount of time, eroding the ability to recover.
It is a mistake to believe that the electrical grid in any country is well protected from this, but the vagaries of the U.S. grid pose unique security challenges. Deregulation has led to the existence of over 3,500 entities providing electrical service in this country. Many of them are small and poorly protected. This is because these low-cost “last mile” providers do not spend the money to protect themselves and are not required to do so by law or regulation. They can therefore provide direct, sometimes unhindered “back door” access into larger entities (major power companies) for cyber vandals. In practice, this means that what the military calls “attack surfaces” -- vulnerable entry points -- on the electrical grid have increased by orders of magnitude.
Attackers could paralyze the electrical grid, but they can also paralyze critical infrastructure without directly targeting the grid. The WannaCry attack that disabled computers around the world in May 2017 -- including many in major British hospital systems -- is viewed as an example of an ongoing effort by the West’s adversaries to test vulnerabilities of key industries. It used a tool called “EternalBlue,” which was stolen from the NSA. That attack very probably was conducted by our new (post-summit) “friends” in North Korea.
There are many other malicious actors in cyberspace. The best evidence suggests that Russian-directed hackers have infected more than half a million storage devices and routers in dozens of countries, in preparation for a possible future global Russian cyberattack.
The danger of escalation is one that military analysts continuously emphasize. The theory of modern war has included the basic concept that you can escalate to more or less the level you want to, and can then de-escalate, a concept sometimes called “escalation dominance.” Cyberwar makes escalation difficult to control. Escalation to a devastating level of destruction can occur very quickly, and would be hard to dial back. Moreover, in contrast to the systems developed during the Cold War regarding the nuclear threat, there is no treaty body or “hot line” -- essentially no means for controlling a true cyberwar. And cyberattacks can be devilishly difficult and time-consuming to attribute (an attack that happens in minutes can take weeks or months to trace), which means there is a tendency to strike out at all possible attackers. Since offensive cyber capabilities are easier to develop and deploy than defensive ones, it is easy to envision just how quickly this could become existentially destructive to modern civilization.
The so-called Internet of Things, or IoT, represents the evolution of a network of networks quickly growing beyond human conceptualization or control. The number of “things” in this vast web is debated, but the best guess is about 9 billion. But that number is expected to double or even triple, to between 20 billion and 30 billion, within five years. These things range from home thermostats and kitchen stoves to power plants. As many as 70 percent of them have known vulnerabilities, and the number with as-yet-unknown vulnerabilities is probably significantly higher.
The list of intersecting risks goes on and on, but at least one more is worth mentioning. There are fundamental design flaws in all computer systems and computer chips — not just in IoT systems. These are multiple, and many are unknown until a cyberattack manifests itself. This has numerous security implications, not the least of which is the intersection of these flaws with the compromises that major tech firms have made for commercial gain with governments in countries such as Russia. These compromises mean that tech companies allow such governments to access their systems and data — even to their source code.
The formal risk assessment processes of organizations such as the Department of Homeland Security — and the translation of these into the policies and regulation of state and private sector owners of critical infrastructure, which can take years — moves far too slowly for today’s technological and political realities. It is profoundly out of sync with the speed and scale of development of the threats.
In the spring of this year, the United States Cyber Command released a new command doctrine, called “Achieve and Maintain Cyberspace Superiority: A Command Vision for U.S. Cyber Command.” This is based on the realization that cybersecurity now intersects with essentially all aspects of national security. According to reports and sources, over the past few months the U.S. Cyber Command has been given new latitude to engage in far more continuous and assertive operations in an attempt to counter cyber activities at earlier stages of operations, and potentially to deploy cyberweapons in first-use combat operations. Some senior military figures have long contended that the U.S. military must have the ability and authority to respond to cyberthreats on a day-to-day basis, and that the previously existing policy and authority were too constraining and slow. Although this certainly seems correct, constant attacks and counterattacks could well increase the risk of the potentially uncontrollable escalation noted above. It is the classic double-edged sword.
The list of possible combatants is long and growing, and in addition to dozens of nation-states now includes non-state actors such as Hezbollah, criminal networks, and even individuals who, in certain circumstances, can wield the destructive power of a state in the cyberwar domain.
Ukraine has been an experimental theater or “combat lab” in which many of these techniques have been deployed by Russia or Russian proxies. This is a harbinger of things to come. According to Ukrainian sources, attacks have been perpetrated with the indirect or even direct involvement of Russian secret services against the energy, media, finance, transportation, military, and political sectors there. In December 2017, for example, the Ukrainian government cited 6,500 cyberattacks in just the most recent two months, against 36 targets. Multiple blackouts have occurred, believed to be the result of cyberattacks against SCADA systems in that nation.
There is compelling evidence that Iran, North Korea, and Russia have already penetrated electric power grids — as well as many other systems — in the U.S. These “other” systems include nuclear power plants. Is there any real need to describe how devastating a successful cyberattack on a nuclear power plant could be? Think Chernobyl or Fukushima, but next to a major metropolis.
The dangers are more than just national in scope. A successful, prolonged cyberattack on even one major country's electrical grid would probably trigger huge market movements and possibly a global economic depression. This threat has enormous implications for businesses and investors and all those who benefit from investments, such as pensioners and other retirees. This is why it is so striking that the private sector hasn’t been more proactive about cyberthreats. The business community largely seems focused almost exclusively on threats intended to steal their information or their money, not the much more potentially devastating activities to disrupt and destroy their operations.
The intelligence community considers a serious, motivated attack to be a near-certainty, which means that much more effort should immediately be put into mitigation and protection of these fragile systems. In particular, it is essential that we look closely at past incidents, the responses, and how they can be improved. Unless we do that, and do it soon, it is far too likely that this threat may be coming soon to a (combat) theater near you.
Dee Smith is the host of the four-part documentary series “A World on the Brink,” which airs weekly in Washington, D.C., and Maryland on WMPT starting June 23 at 10 p.m. (Check local listings for times in other areas.) He is also CEO of the private intelligence agency Strategic Insight Group.