SA Forum is an invited essay from experts on topical issues in science and technology.
It’s been a busy summer for computer security mavens. The U.S. and China locked horns on cyber espionage, Edward Snowden allegedly leaked classified intelligence about National Security Agency (NSA) monitoring programs that target communication networks, and the Cobalt malware took 13 U.S. oil refineries offline. If you missed that last one, that’s because it was fictional—a scenario created for a student cyber attack challenge held on June 15 at American University in Washington, D.C.
The event was a sort of hybrid of a Model U.N., a hackathon and a cyber war games exercise, involving 65 college and graduate students (including myself) who are training for careers as future cyber warriors and policy makers. In many ways the Cyber 9/12 Student Challenge mirrors the U.S. government’s own Cyber Storm exercises, with the important exception that the student exercise isn’t mandated by Congress to strengthen cyber preparedness in the public and private sectors.
The Cobalt malware—an invention of the Atlantic Council, which hosted the event—was fake, but its target was a real-life vulnerability: the U.S. energy infrastructure, specifically the oil refineries and pipelines that produce and transport gasoline and other refined fuel products all across the country. Almost any discussion or description of a doomsday cyber scenario involves an attack on U.S. critical infrastructure. You can see this play out in the Cyber Storm exercises hosted every few years by the Department of Homeland Security for government and industry organizations to practice cyber threat responses. In three simulations that took place in 2006, 2008 and 2010, catastrophic cyber attacks caused clear and serious physical damage. A computer virus that turns off the lights, shuts down the telephone system and halts military operations could cost lives.
To date, intentional computer-based attacks that have direct physical impacts have been few and far between, so far as we know. That doesn’t mean these scenarios couldn’t happen in real life, or that there aren’t real and serious vulnerabilities in the country’s critical infrastructure networks. There is a perception that we haven’t yet experienced such a catastrophe because of a combination of luck and the reluctance on the part of nations, militias and other entities capable of launching a cyber attack to set a dangerous precedent. In 2011, for instance, news outlets reported that the Obama administration decided against infiltrating the computer systems of the Libyan government to interfere with their military communications and air-defense system due to concerns about whether other nations might follow suit as well as uncertainty surrounding whether such measures required Congressional approval. The Stuxnet worm that in 2010 struck Iranian nuclear facilities, causing centrifuges to speed up, thereby interrupting the uranium enrichment process essential for the development of nuclear technology, is the exception, judging by unclassified knowledge.
At the Atlantic Council’s event, there was a strong sense that a successful cyber attack on U.S. critical infrastructure is inevitable. There’s also a pervasive fear that when (or if) such an attack occurs, the U.S. is primed to overreact. Department of Defense announcements that they intend to view cyber attacks as “acts of war” suggest a military force nearly itching to flex its muscle in response to a serious computer network–based disruption, if only as a means of deterrence. Cybersecurity professionals—not to mention students hoping to work in the field someday—can also have an incentive to trumpet the threat of cyber attack that at times may heighten the risk of overreaction. At least five times over the course of the daylong cyber challenge, we were reminded by presiding officials how crucially important the work we’re doing is, and how desperately the country needs people like us.
Concerns about overreaction and the use of military force in response to digital intrusions often lead to discussions about the difficulty surrounding definitive attribution of these types of attack. If you want to retaliate, how do you know whom to hit? In our exercise intelligence pointed to Russia, but the evidence wasn’t clear-cut.