U.S. contemplates responses to a cyber-Pearl Harbor attack on critical infrastructure

Published 20 February 2015

Cybersecurity experts often contemplate how U.S. security agencies would react to a cyber-9/11 or a digital Pearl Harbor, in which a computer attack would unplug the power grid, disable communications lines, empty bank accounts, and result in loss of life. “Ultimately, it absolutely could happen,” says one expert. “Yeah, that thought keeps me up at night, in terms of what portion of our critical infrastructure could be really brought to its knees.”


Summer Fowler is a deputy technical director for cybersecurity solutions at CERT, the first U.S. computer emergency response team, based at Carnegie Mellon University’s Software Engineering Institute. Fowler works with Pentagon officials, cyber intelligence officers, and the private sector to identify key cyber assets, secure them from cyberattacks, and coordinate a response should hackers infiltrate secured systems. “Ultimately, it absolutely could happen,” Fowler said. “Yeah, that thought keeps me up at night, in terms of what portion of our critical infrastructure could be really brought to its knees.”

The Tribune Review reports that the United States, along with most industrialized countries, works diligently to build, arm, and aim cyberattacks that can be launched at the first provocation of war. Until then, militaries and intelligence agencies conduct cyber espionage, often to send a message or to disrupt an adversary’s capabilities.

For example, the United States and Israel launched the Stuxnet attack on Iran’s uranium-enrichment facilities in 2010. The FBI has also discovered hackers tied to the Iranian government breaking into the systems of American defense contractors, universities, and energy companies. DHS has found Russian hackers placing destructive software in American power-grid, telecommunications, and oil-distribution systems. Security analysts at FireEye report that in the early stages of Russia’s involvement in the Ukrainian conflict, malware was detected originating from both countries.

Analysts have not detailed the specific intent of the potential cyberattacks, but they do suggest that “computer network operations are being used as one way to gain competitive advantage in the conflict.”

Before countries consider going to war, they must lay the groundwork for cyberattacks, said Kenneth Geers, a former U.S. representative to NATO’s cooperative cyber defense center in Estonia and a cybersecurity expert who conducted the FireEye research.

“Because both weapons systems and critical infrastructure use computers and networks to run and operate, they are much more than legitimate targets,” said Geers. “They are absolutely necessary to attack and undermine on a daily basis. … If things go bad, nobody is going to forgive you for not having done this already.”

Some critics have questioned the likelihood of a cyber-9/11, noting that there has yet to be a major cyberattack aimed at critical infrastructures, despite an increase in sophisticated hackers. “I kind of hate to be that guy,” said Dan Tentler, a cybersecurity tester based in San Diego. “But I have to ask: If these systems have been open and vulnerable for 15-plus years, why haven’t the bad guys done bad stuff yet?” Tentler believes hackers have too much to lose to disrupt the same systems they use to steal information and money.

CERT’s Fowler agrees. “There’s no reason to drop a nuclear bomb if you can come in through a door or come in through a window,” she said. “Right now, a lot of money is being made — and stolen — by these organizations. And we haven’t seen the need for the big cyber 9/11 yet.”

Nader Mehravari, a senior member of CERT’s Cyber Risk Management Team, points out that “The risk is higher. Not only because there are more clever adversaries but because there are things that we have done to ourselves.” Mehravari is referring to the decision by critical infrastructure companies to connect their systems online for off-site control and 24/7 monitoring.

Project SHINE, a private research project, found more than two million industrial control systems connected to the Internet. More than 30 percent of those systems are based in the United States. “The people who conceived of this convenience did not take into account the evil that is out there,” said Joji Montelibano, the technical manager of CERT’s Vulnerability Analysis Team.