U.S. Not Ready for Cyber War Hostile Hackers Could Launch
Hackers could virtually shut down the U.S. power grid and other systems—and we are not prepared. Michael Daly reports.
If the nightmare scenario becomes suddenly real ...
If hackers shut down much of the electrical grid and the rest of the critical infrastructure goes with it ...
If we are plunged into chaos and suffer more physical destruction than 50 monster hurricanes and economic damage that dwarfs the Great Depression ...
Then we will wonder why we failed to guard against what outgoing Defense Secretary Leon Panetta has termed a “cyber–Pearl Harbor.”
“An aggressor nation or extremist group could use these kinds of cybertools to gain control of critical switches,” Panetta said in a speech in October. “They could derail passenger trains or, even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities or shut down the power grid across large parts of the country.”
And Panetta was hardly being an alarmist. He could have added that cybersecurity experts such as Joe Weiss of Applied Control Solutions suggest a full-on cyberattack would seek not simply to shut down systems, but wreck them, using software to destroy hardware. Some believe we could then be sent into chaos not just for days of even weeks, but for months.
The mother of all nightmare scenarios would see electric, oil, gas, water, chemical, and transit, our entire essential infrastructure, knocked out as we sought to replace equipment that can take more than a year to manufacture and is in many cases no longer made in the U.S. Lights would stay out. Gas stations would be unable to pump and would have nothing to pump anyway. There would be no heat, no fuel, in many places no running water, no sewage treatment, no garbage, no traffic lights, no air-traffic control, minimal communication, and of course, no Wi-Fi. Neighborhoods around chemical plants could become Bhopals.
But Panetta was scary enough as he issued his warning at a gathering of Business Executives for National Security, appropriately held at the Intrepid Sea, Air, and Space Museum in New York, on a decommissioned aircraft carrier built in the immediate aftermath of the Japanese attack on Pearl Harbor. The ship was hurried into action and survived multiple kamikaze attacks as well as being torpedoed. Panetta now spoke aboard it of a new kind of threat not on land or sea or in the air, but in cyberspace.
“A destructive cyberattack could paralyze the nation,” Panetta said.
As it happens, the Intrepid is docked directly across 12th Avenue from the consulate general of the People’s Republic of China. The public was still five months away from learning via The New York Times of another Chinese government building, this the Shanghai headquarters of the People’s Liberation Army Unit 61398, which apparently has been busy hacking extensively into American infrastructure. Panetta no doubt was well aware of 61938 and similar units at other nations, as well as hackers in extremist groups.
“We know that foreign cyberactors are probing America’s critical infrastructure networks,” Panetta told the assembled executives. “They are targeting the computer control systems that operate chemical, electricity, and water plants and those that guide transportation throughout the country.”
Panetta went on, “We know of specific instances where intruders have successfully gained access to these control systems. We also know they are seeking to create advanced tools to attack these systems and cause panic, destruction, and even the loss of life.”
He could have spoken of a 2007 experiment at Idaho National Laboratory, where researchers staged an experimental cyberattack that succeeded in commanding a power-station generator to destroy itself. He instead chose a more recent and dramatic example—an actual attack using a virus called Shamoon to wreck 30,000 computers at the Saudi oil company Aramco.
The virus “replaced crucial system files with an image of a burning U.S. flag,” Panetta noted.
Panetta did not say that Iran almost certainly was behind the attack or that it may well have been in retaliation for what are believed to be joint American-Israeli attacks that disrupted the Iranian oil business and wrecked a considerable number of centrifuges used to produce nuclear material.
No doubt for national-security reasons, Panetta also did not speak of the Chinese Unit 61398’s cyberinfiltration of Telvent, a multinational that devises the cyberconnections whereby companies can remotely control power grids, as well as oil and gas pipelines. The apparent intent of the hackers was not to steal information, but to obtain the ability to seize control of switches and valves from as far away as the Internet can extend. One cybersecurity expert calls this capacity the “the holy grail” of those bent on mass destruction.
The knowledge of the Telvent hacking, and who knows how many other classified cyberincidents, must have added to Panetta’s clear sense of urgency as he called on the private sector to join government in responding to the threat.
“The reality is that too few companies have invested in even basic cybersecurity,” Panetta said. “The fact is that to fully provide the necessary protection, in our democracy, cybersecurity legislation must be passed by Congress. Without it, we are vulnerable.”
Panetta mentioned in particular the Cybersecurity Act of 2012.
“This legislation has bipartisan support, but it has fallen victim to legislative and political gridlock,” Panetta said. “That is unacceptable to me, and it should be unacceptable to anyone concerned with safeguarding our national security.”
Another thing Panetta did not say was that the successful fight against the bill had been led by Sen. John McCain, who had served as a naval aviator aboard the Intrepid before becoming a POW during the Vietnam War. The McCain who is now a politician contended that the bill would place an onerous burden on the private sector by requiring it to make fundamental cybersecurity precautions.
In the absence of legislation, the most President Obama could do was issue an executive order that really amounted to no more than an executive recommendation, providing various ways for the government to offer companies nonbinding advice on ways to improve cybersecurity. Obama signed the order just before the State of the Union address.
"We know hackers steal people’s identities and infiltrate private email,” Obama said during the address. “We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air-traffic-control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."
One irony is that Obama’s economic-stimulus program may have inadvertently made the grid all the more vulnerable to cyberattack by earmarking $3.4 billion in 2009 toward upgrading the nation’s electrical system into a “smart grid” with interactive “smart meters” that consumers can access remotely.
“That may well mean that a hacker in Shanghai with his cellphone could do the same thing,” notes former CIA director James Woolsey.
The hacker could then proceed on into the system.
“A so-called smart grid that is as vulnerable as what we've got is not smart at all,” Woolsey adds. “It's a really, really stupid grid.”
Smart or stupid, the grid and the rest of our essential infrastructure could be knocked out of action for more time than it seems our civilization could bear if experts such as Weiss are correct. He notes that the built-in safeguards in our infrastructure are against accidents.
“Nobody ever designed them to be safe from intentional acts,” he says.
He says he is not being a voice of doomsday.
“I’m not trying to come up with worst-case scenarios, because I do not know what that could be.”
He adds a little irony of his own when it comes to the big equipment we would have to replace in the event of a large-scale attack: “What’s more, a lot of this stuff is made in China.”
One positive development is our increased ability to identify a hacker, in the case of the Chinese hackers all the way back to a building in Shanghai.
Meanwhile, it is worth considering the concluding words of Panetta’s speech aboard the Intrepid, which is also just a few minutes up West Street from where the Twin Towers once stood.
“Before Sept. 11, 2001, the warning signs were there,” Panetta said. “We weren’t organized. We weren’t ready. And we suffered terribly for that.”
His voice remained measured in the cavernous hold of the ship that once rang with calls to battle stations as the kamikazes closed in.
“We cannot let that happen again. This is a pre-9/11 moment. The attackers are plotting.”