"Step one: take out all the transportation. Step two: the financial base and telecoms. Step three: you get rid of all the utilities. Gas, water, electric, nuclear. That's why they call it a fire sale, because everything must go."
That's Justin Long, lecturing an audience that includes Bruce Willis about the magnificent scale of a cyber attack threatening the United States. In the fictional universe of Live Free and Die Hard, and most other movies that deal with cybersecurity, a skilled hacker can bring national infrastructures to their knees with a minute or two of harried typing. Maybe from his parents' basement. Definitely on a black-and-green-screened computer that beeps every time a key is pressed. In other words? Not real. Not at all.
Let's try this again: The ongoing cyber attack brings down SecureTrade, a computer-based electricity trading platform for the Eastern Interconnection. Coupled with several other factors already stressing the power grid, this causes blackouts across the East Coast, sparks public panic, shuts down financial markets, and complicates ongoing recovery efforts. Advisers ultimately decide that the President might have to use his Article II Constitutional powers to nationalize utilities and call out the National Guard.
Sounds like a movie, right? Well, it was. Sort of. That scenario was lifted from a report by the Bipartisan Policy Center, a think tank that ran a simulation of two large-scale, plausible cyber attacks, called Cyber Shockwave. On TV. Seriously:
Notice the all-star cast: former Secretary of Homeland Security Michael Chertoff as National Security Advisor; former Director of National Intelligence John Negroponte as Secretary of State; Clinton White House Press Secretary Joe Lockhart as Counsellor to the President. There were two goals for this bizarre exercise: to gauge how well America is prepared for a cyber attack (not very!), and, less explicitly, to show the American public what on earth a cyber attack is. Among the many reasons the televised event felt strange is the fact that, by and large, the concept of a "cyber attack" is totally, meaninglessly abstract to most people.
So, should we be worried? Should you be worried? Yes and no. Cyber attacks haven't been - and likely won't be - as spectacular or explosive as they are in the movies. But they still matter.
Nightmare Scenario One: Wargames
A government employee inserts a flash drive into his office computer. The stick happens to be infected with malware that is able to transmit data from the classified computer systems to locations outside the secure network. The worm spreads, funneling valuable operational data to enemy regimes, which use it to zero in on sensitive locations, weapons stores and critical infrastructure, which they then systematically destroy.
This basically happened! Except for the part where the data got used by anyone. Deputy Defence Secretary William Lynn wrote a few months back in Foreign Affairs about the "most significant breach of US military computers ever", which was caused by an infected USB drive used in a military base. Cleanup took over a year, and the source of the attack was never disclosed. Perhaps the data was collected by a foreign government, or perhaps not. Either way, it was a near miss.
And just last week, malware wormed its way dangerously close to the heart of another country's military-industrial complex. The Iranian government finally confirmed, after much speculation, that "several" uranium enrichment centrifuges were damaged by malicious software installed "in electronic equipment". What they're opaquely alluding to is almost certainly the Stuxnet worm, a nasty little piece of malware that targets specific pieces of industrial equipment. It doesn't take an overactive imagination to draw a line between "infected uranium enrichment hardware" and "disaster".
Both events were stunning failures in computer security, to be sure. But don't move that modular bomb shelter to the top of your Christmas list quite yet. The 2008 breach of US military computer systems was a disaster in IT terms, but didn't result in any action by foreign governments, as far as we know.
As for Stuxnet, it is kind of crazy that a piece of malware made it into a few Siemens industrial controllers in Iran. But by most accounts, it was a widely distributed piece of software that just happened to infect sensitive facilities in a sensitive part of the world. It caused inconvenience, and even physical damage to an industrial facility, but not death. It wasn't, as one German security researcher called it, "the arrival of an F-35 fighter jet on a World War I battlefield."
The verdict? A cyber doomsday is more possible than it's ever been, but it's not something you need to be thinking about on a daily basis. Or even a monthly one.
Nightmare Scenario Two: State-sponsored Script Kiddies
When it came time to choose scenarios for their simulation, the Bipartisan Policy Center didn't have to stretch its collective imagination too far. It only had to look to the recent past. In 2007, Russia was accused of targeting Estonia's banking and media systems in the wake of the removal of a Soviet war memorial. That same year, Symantec claimed that China had used a botnet of millions of computers to attack computer systems in the United States, India, and Germany. In September of 2009, attacks possibly originating from North Korea targeted South Korea's largest newspaper, as well as some of its largest banks. Most recently, as partially revealed in the WikiLeaks Cablegate episode, the Chinese government was involved in concerted attacks on American websites, including Google. One of the purposes, it is alleged, was to view dissidents' emails.
Together, these events begin to paint a picture of the true cyber threat. It's subtle, not particularly sophisticated, backed by governments and carried out by vast networks of zombified computers. It is a threat to privacy, and a cause of mass annoyance. It's a bit mundane, even. But it's very real.
"Cyber attack is a term that gets thrown around a lot," says Blaise Misztal, Associate Director of Foreign Policy for the Bipartisan Policy Center and planner of this year's televised exercise. He contends that the term should be used to describe "attacks from foreign governments", a distinction that drove the Center's choice of scenarios: a botnet built from malicious smartphone apps, targeted at the nation's telecom infrastructure; and a targeted attack designed to bring down an energy trading platform.
These aren't the kinds of threats that keep citizens up at night. But they're the kinds of threats that can cause billions of dollars of damage - in lost profits, troubleshooting, panic selling and the like - all the while disrupting millions of people's lives in small but nonetheless noticeable ways. They're disruptive, and designed to cause fear of the financially costly, if not visceral, variety.
The good news, then, is that modern cyberwar isn't especially bloody, or lethal. It's the annoying tactics of DDoS-ing script kiddies, writ large and backed by millions of dollars.
The bad news? We're woefully underprepared for it, even as it happens. According to the Center's report:
The cyber threat to our national security is real. The U.S. government needs updated policies, legal authorities and operational capabilities to respond to cyber attacks, whether it means defending our networks from intrusion by hackers or securing critical infrastructure.
Misztal explains that most of the problems encountered by the participants in the simulation came down to a near-total lack of ability to communicate between the government and private industry, and a lack of command structure. Misztal says that it wasn't clear "who is in charge" in such situations, which made initial response efforts difficult. Michael Chertoff, writing after the simulation, worried that "there is not in place a user-friendly process to allow government cyber defenders to effectively collaborate with the private sector to take advantage of their expertise and knowledge during the response to a cyber attack".
Some will read language like that and see evidence of an unwieldy, neutered security apparatus. Others will see an old man urging private citizens to give up yet more of their civil liberties to ensure that cyber attacks are manageable.
That this is the conversation we're having about cyber attacks - security versus privacy; response versus prevention - is telling. This is a debate about policy, minimising economic impact and preventing the erosion of civil liberties. What it isn't, for the foreseeable future, is a debate about life and death.