Many experts reckon the first cyberwar is already well under way. It’s not exactly a “cold war,” as the previous generation understood the term, because serious damage valued in millions of dollars has been done, and there’s nothing masked about the hostile intent of state-sponsored hackers. What has been masked is the sponsorship.
Every strike has been plausibly deniable, including whitehat operations such as the nasty little Stuxnet bug Iran’s nuclear weapons program contracted a few years back. Cyberwar aggressors like Russia and China officially claim to be interested in peace and security.
The cyberwar could get much hotter soon, in the estimation of former CIA counter-intelligence director Barry Royden, a 40-year intel veteran, who told Business Insider the threat of cyberterrorism is pervasive, evasive, and so damned invasive that, sooner or later, someone will give in to temptation, pull the trigger, and unleash chaos.
Effective security against a massive attack by militarized hackers is “extremely difficult – in fact, it’s impossible,” according to Royden. “Everyone is connected to everyone, and as long as you’re connected you’re vulnerable. And there are firewalls, but every firewall is potentially defeatable, so it’s a nightmare in my mind. You have to think that other governments have the capability to bring down the main computer systems in this country, power grids, hospitals, or banking systems – things that could cause great economic upheaval and paralyze the country.”
There are, in fact, excellent reasons to believe hostile governments have the capability Royden describes. Even top-level systems at the State Department and White House have been penetrated by hackers, in what appear to be exploratory operations. North Korea, a relatively small cyberwar player, did a horrific amount of damage to Sony Pictures, possibly with the help of insiders. We don’t know how many “insiders” there are. Not only is hacker warfare fought on an entirely new battleground, but it adds new dimensions to old-school espionage.
Some non-governmental hacking incidents could be a result of military hacking units polishing their skills. Last week, Penn State University announced it was hit by “two sophisticated hacking attacks, one of which cyber-security experts say originated in China,” according to NBC News. The personal information of some 18,000 students and university employees was jeopardized. The university had to disconnect its systems completely from the Internet to deal with the threat.
Unplugging from the Internet won’t be an option if systems across the nation, including vital infrastructure systems, are hit simultaneously by a massive attack.
Penn State University President Eric J. Barron put the problem in perspective by vowing to “take additional steps to protect ourselves, our identities and our information from a new global wave of cybercrime and cyberespionage.”
The extent of the risk to our nation’s physical infrastructure was highlighted when security researcher Chris Roberts was removed from a United Airlines plane last month, because he was passing his time on the tarmac tweeting about the plane’s security vulnerabilities.
Popular Science notes that the Government Accountability Office recently published a report “highlighting the potential dangers posed by hackers using commercial airlines’ onboard wireless communications networks, including Wi-Fi, as a possible attack vector.”
Roberts previously claimed to have hacked the International Space Station and taken control of its thermostat, and he thought he might have a shot at hacking the Mars rover.
Economic infrastructure is equally at risk. The Federal Reserve Bank of St. Louis confirmed on Tuesday that its systems were breached by hackers, “redirecting users of its online research services to fake websites set up by the attackers,” as reported by the New York Times.
Victims of this hijacking have been exposed to unknown peril at the hackers’ websites, including “phishing, malware, and access to user names and passwords,” according to a warning from the agency. The hack was discovered in late April, but there doesn’t appear to be any firm information on how long it was in effect or who was responsible.
Imagine what it would be like if everything from power grids, to airplanes, to banks and government services were hit all at once, terrorizing much of our plugged-in society right off the Internet. Imagine the damage that would be done to major online industries by weeks of panic, in which those fortunate enough to have electric power for their computers were afraid to log on, and people regarded their smartphones as if they were petri dishes full of Ebola.
Former CIA chief Royden thinks we’ve essentially returned to the days of mutually assured destruction as the most effective deterrence. “Now, if they were to do it to us and we were to do it to them, it would almost be like a nuclear standoff,” he told Business Insider. “They could do it but if they did it what would the cost be? Because they know we have the same capabilities and that we presumably attack their computer systems the same way and we could destroy their economy. So you hope that no one is going to do that but you’re vulnerable. These days, I think the cyber world is the big threat.”
What if an authoritarian adversary decides its less-prosperous citizens can make do without the Internet more easily than the hyperactive American economy, reducing the value of deterrence? What if they believe they can take out our retaliatory cyberwar capability with a surprise attack that comes with mere moments of warning, rather than the Cold War paradigm of first-strike launches giving nuclear adversaries enough time to get their own birds in the air? What if they calculate that American and European intelligence services would be reluctant to unleash full-blown cyber-chaos on the entire world, especially if there’s any significant doubt about the true source of a massive attack on us?
So far, the deterrence calculation appears to be working… except for all those cyber-commandos who feel free to mess around with the computer systems at the White House, State Department, major retailers, Wall Street firms, universities, Federal Reserve Banks…