BOB GARFIELD: And now, two forms of cyber war. Last year when a water pump in Springfield, Illinois burned out, a water district employee noticed that the system had been accessed remotely from somewhere inside Russia. Two days later, a memo leaked from the Illinois Intelligence Fusion Center, made up of state police, members of the FBI and the Department of Homeland Security, blamed the pump failure on Russian hackers. It looked to be the first example on American soil of the worst case scenario in cyber warfare, that a hacker could wreak havoc in the physical world.
MAN: If a water pumping station was hacked, could this happen to other key facilities, like electrical grids, oil and gas stations? And is there any way we can protect ourselves from this?
BOB GARFIELD: Last week, a massive seemingly bipartisan Cyber Security bill was filibustered in the Senate. It died primarily because the Chamber of Commerce and its Senate allies opposed even voluntary standards to protect infrastructure from this kind of attack. Industries, it said, already can and do protect themselves.
This Cyber Security bill was just the latest attempt to curb the threat of so-called “kinetic attacks” that would cause real world damage. OTM Producer Alex Goldman has an update on just how scared you should be.
ALEX GOLDMAN: The alarms have been sounding about attacks like these for years, coming from people like Secretary of Defense and former CIA director Leon Panetta:
LEON PANETTA: There’s a strong likelihood that the next Pearl Harbor that we confront could very well be a cyber attack.
ALEX GOLDMAN: Michigan Congressman Mike Rogers:
MIKE ROGERS: A cyber attack that could shut down critical infrastructure and potentially cause physical damage to the United States.
ALEX GOLDMAN: Senate Minority Leader Harry Reid:
HARRY REID: The nation’s top security experts have said a cyber 9/11 is imminent.
ALEX GOLDMAN: And the screenwriters for the latest movie in the Die Hard franchise:
[DIE HARD CLIP]
WOMAN: FAA just issued a critical alert. The entire network went down.
MAN: The transportation system’s crashing and they just hit the entire financial sector.
ALEX GOLDMAN: These kinds of attacks are not only hard to protect against, they’re hard to identify. Remember that Illinois water pump that was plagued by Russian hackers? Wired.com reported that Russia was suspected because an independent contractor who worked on the pump had remotely accessed its control systems while vacationing in Russia. It turns out, the Ruskies didn’t do it.
In fact, to date there’s only been one verified incident of destroying critical infrastructure via computers. That would be Stuxnet, a complex computer worm believed to be a joint effort of Israel and the United States that was used against an Iranian nuclear facility. Reportedly, Stuxnet fooled facility workers by making it look as though the plant was functioning normally, while it turned centrifuges at the plant on and off until they broke apart. But Stuxnet was not a classic cyber attack.
JERRY BRITO: It’s not as if some American soldier was simply at a terminal somewhere and sent commands across the Internet thousands of miles to Iran and caused something to blow up.
ALEX GOLDMAN: Jerry Brito, director of the Technology Policy Program at George Mason University’s Mercatus Center.
JERRY BRITO: In order for Stuxnet to take place, you had to have an amazing investment in traditional intelligence, in espionage. You had to have people infiltrate the Natanz facility in Iran, and once it had the weapon, once it had Stuxnet built, they had to get somebody to put it on the computer system.
The problem with folks in Congress being hysterical about cyber war is that they’re sort of giving short shrift to the fact that Stuxnet was incredibly difficult and the nations that could have the capability that the US would have with Stuxnet are very few.
ALEX GOLDMAN: Evidence of attacks on American infrastructure are so scant, I assumed cyber war was just a convenient fiction, exploited by lawmakers to push unpopular restrictive Internet regulation. But the more I learn about the online vulnerability of US infrastructure, the more serious the threat seems to be.
So how scared should you be? Well, to target a piece of infrastructure, cyber warriors would look for what are called SCADA systems, which control industrial processes, everything from milking machines on dairy farms, to banks of elevators, to water treatment plants. One of the simplest ways to safeguard our infrastructure is to simply keep SCADA systems off of the global Internet, a technique that’s called air gapping.
The reason Stuxnet could not be remotely installed on computers at the Iranian nuclear plant is because the system was air gapped. But even though air gapping SCADA systems is ostensibly the industry standard, that doesn’t mean it’s always happening.
EIREANN LEVERETT: I worked in quality assurance for GE Energy for five and a half years.
ALEX GOLDMAN: Eireann Leverett is a security researcher with IOActive
EIREANN LEVERETT: I heard from my superiors that we didn’t need to do a lot of security testing because these devices were never connected to the Internet. And that’s false on two counts, one that they are connected, to some degree, and secondly, that being disconnected they would be entirely secure. There are still issues, even if you’re not connected. So I wanted to combat that.
ALEX GOLDMAN: Leverett found a way to identify over 12,000 SCADA systems connected to the Internet, including things like:
EIREANN LEVERETT: Water treatment facilities, geothermal heat plans, power plants, dams, bridges, train stations.
ALEX GOLDMAN: So should you be scared that according to General Keith Alexander, head of the National Security Agency, there’s been a quote, “17-fold increase in computer attacks on American infrastructure between 2009 and 2011?”
Not that scared.
None of those attacks have had any impact. There’s a vast difference between accessing a poorly secured piece of infrastructure and causing pipelines to explode. More likely, our enemies would combine some form of cyber attack with traditional warfare. John Arquilla is a professor of defense analysis at the US Naval Postgraduate School.
JOHN ARQUILLA: When I introduced the concept of cyber war 20 years ago, in an article called “Cyber War is Coming,” the thing I envisioned most was the use of cyber attacks by militaries in the field to cripple their opponents’ responses, in a way similar to the use of air attacks in the initial Blitzkriegs of 1939 and 1940. They’d knock out communications.
Cyber attacks in Georgia in 2008 did just that and greatly enhanced the ability of the Russians to move forward with few casualties and quite effectively. This is something that I think is a prototype for what can be done on a larger scale in the future.
ALEX GOLDMAN: So should you be scared that Arquilla wholeheartedly believes that we’re already in the midst of an escalating cyber war? Not that scared, because he also believes that it may be preferable to traditional warfare.
JOHN ARQUILLA: Throughout all of history, war was just a matter of hurling mass and energy at your opponents. Now that the actual wars that are fought can be waged with far less casualties, I think the possibility of using cyber attack to cripple the military command and control of two countries getting ready to go at it with each other, were it done under some kind of international control, such as the Blue Helmets of the UN clicking for the cause, that also is pretty cool to, to think about.
The not-so-cool part is do we, because of the ease of having cyber warfare, do we intervene more often? As Robert E. Lee once said, it is well that war is so terrible. Otherwise, we should grow too fond of it.” Well, cyber war may not be so terrible, and we may grow over-fond of it.
ALEX GOLDMAN: In his book, “Confront and Conceal,” The New York Times’ David Sanger shows that the US might already be applying Arquilla’s vision of cyber war.
DAVID SANGER: You know, if you look back at what has been different about the Obama approach to national security, it’s been the embrace of something called the “light footprint” strategy, to find a way for the United States to be able to deal with its adversaries without sending 100,000 troops, without occupying a nation for five years, without spending several hundred billion or a trillion dollars. So, light footprint strategies involve usually high tech weaponry that’s a lot less expensive and doesn’t put personnel at risk.
The difficulty, of course, is that in the case of a cyber campaign, not just states hold the monopoly on the weapons here.
ALEX GOLDMAN: Many interviewed for this story shared Sanger’s fear, saying there’s fear that the democratization of technology enables not just nation states but common criminals, curious hackers and activist groups like Anonymous to wage war. John Arquilla warns us to beware the boomerang effect.
JOHN ARGUILLA: The first time around with Stuxnet there may have been some investments required. There are hackers already who have reverse engineered it. And the problem, of course, is that every time you use one of these techniques, you have signaled how to develop these weapons. So yeah, the race is on and, unfortunately, it’s not going to be limited to a few great powers. Everybody’s in this race.
ALEX GOLDMAN: If everybody’s in this race, some kind of regulatory standard for infrastructure security is probably called for. The challenge is accurately assessing the threat without sacrificing individual privacy. Solutions tend to be highly technical and can be difficult for legislators to comprehend.
Meanwhile, last week in the material world, three avowed pacifists, ages 57 to 82, broke into the Oak Ridge Nuclear Facility and spray painted anti-war slogans on a building that houses nuclear bomb fuel.
So should you be scared – of cyber war? Maybe. Of pacifists within the AARP? Definitely. For On the Media, I’m Alex Goldman.