It’s no secret that China has one of the most effective cyber snooping operations in the world. If you belong to a high-profile company, there’s a good chance someone with a dot-cn email address has tried to penetrate your servers. The United States is no slouch in the cyber game, either, though a casual glance at the gargantuan, lumbering American cyber bureaucracy suggests that in the event of a serious cyber attack, it would take longer for generals and bureaucrats to figure out jurisdiction than it would to actually stop the attack. At any rate, for all the alarmist rhetoric of late, there’s no evidence that anyone actually possesses a serious “cyber WMD.” Whenever a politician compares weapons of mass destruction (or 9/11) to even the worst, most devastating cyber attack, they are either revealing a massive and hollow cavern inside of their skulls, or insulting you with the most shameless of fear mongering, or both.

I’ll let you decide: Would you prefer China to lob at your local shopping mall a shell packed with blister agents, or mount a catastrophic distributed denial of service cyber attack? I know which I’d choose. Meanwhile, so many variables, assumptions, and leaps of logic are required for predictions of “imminent” attacks that it seems more likely that we’ll die from an invasion of space aliens than from a script kiddie in Isfahan. Before I invest time worrying about enemy cyber warriors overloading nuclear power plants and crashing airliners, maybe they could prove their might by poking around with streetlights or making the local Redbox spit out the wrong DVD.

None of this is to say that electronic espionage doesn’t exist. Just the opposite—foreign powers are working every day to steal data from corporate, financial, and government networks. Rather, I’m suggesting that instead of preparing for a post-apocalyptic mineshaft gap, we first need enemies who’ve managed to fashion a club from some dead animal’s femur.

We know that our enemies are Russia and China, with Iran and North Korea desperate to get into the game. The big target is the U.S. power grid, but then, the target is always the power grid in any kind of war, and the goal is always to take it down with any kind of weapon available, be it a platoon of guerrilla fighters, a squadron of long-range bombers, a team of saboteurs, or a division of conventional ground forces. We know that foreign cyber forces have snooped around our electricity infrastructure. Their goal is unclear, though the consensus is that they are mapping things out. (One wonders why Palo Verde, or whoever, doesn’t simply unplug their computers from the Internet.) Depending on the news report and the source, these foreign intruders might be leaving little programs behind that can be activated in the event of a war. Or they might not. It’s a nice, simple metaphor, but it requires a lot of imagination to see everything coming together.

In order to take down the U.S. power grid, cyber attackers would have to first penetrate the computer networks of our major power plants and then penetrate the right computers on the right networks. (Gaining access to the janitor’s email isn’t going to blanket Manhattan in darkness.) Attackers would then be required to infect all the right places with dormant viruses that are designed to shut everything down, without catching anyone’s attention in the IT department. This virus would have to remain obscure indefinitely, as we’re not going to war with China tomorrow, presumably. (The Wall Street Journal first reported Chinese fingerprints on our networks in 2009. I’m hopeful that we’ve updated software since then.) The power plants’ systems would need to remain unchanged and unhardened, with unfettered Internet access, indefinitely. (Barring this, Chinese agents on the inside would need sufficient access to activate the virus.) There would need to be a war, of course, and assuming all of the above remained unchanged, China (or an undetected Chinese agent) would need to actually flip the switch—and that still doesn’t mean that this Rube Goldberg device would actually work.

That’s a lot of assumptions, and even if such a system were activated, it would have to shut down turbines and successfully cut off the flow of electricity. It’s not going to be enough to merely annoy power plant administrators with pop-up advertisements. I concede that it is possible, but I also have a pretty elaborate plan in which China can strategically down one of their own satellites and send it crashing into the Lincoln Memorial. If we’re just making things up, there’s no limit to the destructive power of cyber warfare.

The most devastating cyber weapon ever deployed was the joint U.S.-Israel cyber attack codenamed OLYMPIC GAMES, in which a virus called Stuxnet was injected into computers at the Natanz nuclear facility in Iran. The virus cleverly took control of the plant’s centrifuges, sending them spinning wildly while telling operators that everything was working as normal. Stuxnet knocked out ten percent of the centrifuges, which Iran quickly replaced. It’s worth noting that the Natanz facility was hardened—there were no external points of entry for the cyber attack. The West had someone on the inside. Likewise, it wasn’t a general-purpose weapon, the way a JDAM, for example, might equally destroy an enemy depot or fuel point. The weapon required very detailed knowledge of how the plant was designed. According to the Institute for Science and International Security, the effect of this genuinely robust cyber attack by the world’s most capable cyber powers was relatively minor.

Last year, Aramco, Saudi Arabia’s national oil firm, was hit by a massive cyber attack that proved “disquieting” to U.S. officials. The weapon of choice was a virus called Shamoon, and it damaged (well, it erased) 30,000 computers with the goal of shutting down oil production. In fact, it didn’t slow production by a single molecule. It was a giant headache for everyone involved, but in terms of sheer destructive power, it inflicted less physical harm than a paper cut. At worst, long-term studies might show a spike of carpal tunnel syndrome among network administrators in Saudi Arabia—exactly the kind of thing we didn’t see on 9/11, or in 1995 in the Tokyo subway.

It goes without saying that one day cyber warfare will become a more pressing threat, the same way nuclear weapons, biological weapons, chemical weapons, high explosives, and every other type of horrifyingly dangerous thing in the world will become easier to build, smaller, and proliferate widely. I’ll still choose a cyber attack over an atom bomb in Times Square, but until then, I’ll be impressed when our cyber commandos can make a website that doesn’t use Adobe Flash—itself a notorious security risk.

D.B. Grady is the pseudonym of author David Brown. He is co-author of The Command: Deep Inside the President’s Secret Army (Wiley, 2012) and Deep State: Inside the Government Secrecy Industry (Wiley, 2013). He can be found at http://dbgrady.com or on Twitter at @dbgrady.

David Brown is a regular contributor to ClearanceJobs. His most recent book, THE MISSION (Custom House, 2021), is now available in bookstores everywhere in hardcover and paperback. He can be found online at https://www.dwb.io.