Cyber-attacks are the newest frontier of war, and can strike harder than a natural disaster. Here's why the US could struggle to cope if it got hit.
Samantha Lee/Business Insider
- A successful cyber attack on critical infrastructure could do as much damage as a natural disaster, bringing a whole country to a standstill.
- Nations have launched cyber-attacks for years. But the world has yet to see a full-power, multi-pronged attack on a major developed state.
- Experts described in detail to Business Insider how a serious cyber attack could knock flat the systems which underpin all of our lives.
- The US - despite its strengths - is particularly vulnerable because so much infrastructure is controlled by private companies, which may not be well-equipped to deal with a major threat.
Imagine waking up one day, and feeling like a hurricane hit - except everything is still standing.
The lights are out, there is no running water, you have no phone signal, no internet, no heating or air conditioning. Food starts rotting in your fridge, hospitals struggle to save their patients, trains and planes are stuck.
There are none of the collapsed buildings or torn-up trees that accompany a hurricane, and no flood waters. But, all the same, the world you take for granted has collapsed.
This is what it would look like if hackers decided to take your country offline.
Business Insider has researched the state of cyber warfare, and spoken with experts in cyber defense, to piece together what a large-scale attack on a country like the US could look like.
Nowadays nations have the ability to cause war-like damage to their enemy's vital infrastructure without launching a military strike, helped along by both new offensive technology and the inexorable drive to connect more and more systems to the internet.
What makes infrastructure systems so vulnerable is that they exist at the crossroads between the digital world and the physical world, said Andrew Tsonchev, the director of technology for cyber defense firm Darktrace.
Computers increasingly control operational technologies that were previously in the hands of humans - anything from the systems that route electricity through power lines, to the mechanism which opens and closes a dam.
"These systems have been connected up to the wild west of the internet and there are exponential opportunities to break into them," said Tsonchev. This creates a vulnerability which experts say is especially acute in the US.
Most US critical infrastructure is owned by private businesses, and the state does not incentivize them to prioritize cyber defense, according to Phil Neray, an industrial cybersecurity expert for the firm CyberX.
"For most of the utilities in the US that monitoring is not in place right now," he said.
One of the most obvious vulnerabilities experts identify is the power grid, relied upon by virtually everyone living and working in a modern country.
Hackers showed that they could plunge thousands of people into darkness when they knocked out parts of the grid in Ukraine in 2015 and 2016. These hits were limited to certain areas, but a more extreme attack could hit a whole network at once.
Researchers for the Pentagon's Defense Advanced Research Projects Agency (DARPA) are preparing for just that kind of scenario.
They told Business Insider just how painstaking - and slow - a restart would be if ever the US lost control of its power lines.
DARPA program manager Walter Weiss has been simulating a blackout on a secretive island the government primarily uses to study infectious animal diseases.
On the highly restricted Plum Island, Weiss and his team ran a worst-case scenario which requires a so-called "black start," in which the grid has to be brought back from total deactivation.
"What scares us is that once you lose power it's tough to bring it back online," said Weiss. "Doing that during a cyber attack is even harder because you can't trust the devices you need to restore power for that grid."
The exercise requires experts to fight a barrage of cyber threats while also grappling with the logistics of restarting the power system in what Weiss called a "degraded environment."
That means coordinating teams across different substations without phone or internet access, all while depending on old-fashioned generators that need to be refueled constantly.
Trial runs of this work, Weiss said, showed just how fragile and prone to disruption a recovery effort is. Substations are often far apart, and minor errors or miscommunications - like forgetting one type of screwdriver - can set an operation back by hours.
A worst-case scenario would require interdependent teams to coordinate these repairs across the entire country, as much of the population waits in darkness.
But even an attack on a seemingly less important utility could have a catastrophic impact.
Maritime ports are another prime target - San Diego and Barcelona reported attacks in a single week in 2018.
Both said their core operations stayed intact, but it is easy to imagine how interrupting the complicated logistics and bureaucracy of a modern shipping hub could ravage global trade, 90% of which is ocean-borne.
Itai Sela, the CEO of cybersecurity firm Naval Dome, told a recent conference that "the shipping industry should be on red alert" because of the cyber threat.
The world has already seen glimpses of the destruction a multipronged cyber attack could cause.
In 2010, the Israeli-American Stuxnet virus targeted the Iranian nuclear program, reportedly ruining one fifth of its enrichment facilities. It taught the world's militaries that cyber attacks are a real threat.
The most intense frontier of cyber warfare is currently Ukraine, which is fighting a simmering conflict against Russia.
Besides the attacks on the power grid, the devastating NotPetya malware in 2017 paralyzed Ukrainian utility companies, banks, and government agencies. The malware proved so virulent that it spread to other countries.
Hackers have also caused significant disruption with so-called ransomware, which freezes computer systems unless the users hand over large sums of money, often in hard-to-trace cryptocurrency.
An ongoing attack on local government services in Baltimore has frozen about 10,000 computers since May 7, getting in the way of ordinary activities like selling homes and paying the water bill. Again, this is proof of concept for something far larger.
In March this year, a cyber attack on one of the world's largest aluminum producers, Oslo-based Norsk Hydro, forced it to close several plants which provide parts for carmakers and builders.
In 2017 the WannaCry virus, designed to infect computers to extract a ransom, burst onto the internet and caused damage beyond anything its creators could have foreseen.
It forced Taiwan Semiconductor Manufacturing Co., the world's biggest contract chipmaker, to shut down production for three days. In the UK, 200,000 computers used by the National Health System were compromised, halting medical treatment and costing nearly $120 million.
The US government said North Korean hackers were behind the ransomware.
North Korean hackers were also blamed for the 2015 attack that leaked personal information from thousands of Sony employees to prevent the release of "The Dictator", a comedy movie about Kim Jong Un.
These isolated events were middling to major news events when they happened. But they occur against a backdrop of lesser activity which rarely makes the news.
The reason we don't hear about more attacks like this isn't that nobody is trying - governments regularly tell us that they are fending off constant attacks from adversaries.
In the US, the FBI and DHS say Russian government hackers have managed to infiltrate critical infrastructure like the energy, nuclear, and manufacturing sectors.
The UK's National Security Centre says it repels around ten attempted cyber attacks from hostile states every week.
Although the capacity is there, as with most large-scale acts of war, state actors are afraid to pull the trigger.
James Andrew Lewis, a senior vice president and technology director at the Center for Strategic and International Studies, told Business Insider that the fear of retaliation keeps many hackers in check.
"The caveat is how a country like the US would retaliate," he said. "An attack on this scale would be a major geopolitical move."
Despite the growing dangers, this uneasy and unspoken truce has kept the threat far from most people's minds. For that to change, Lewis believes the world needs to see a real, large-scale attack with real collateral.
"I'm often asked: How many people have died in a cyber attack? Zero," he said.
"Maybe that's the threshold. People underappreciate the effects that aren't immediately visible to them."