Without doubt, cyber-attack is the greatest threat to protecting today’s critical infrastructure and preventing the worst disaster in U.S. history. The term “cyber” is derived from the word “cybernetics,” coined by Norbert Weiner in 1948 to describe the study of control systems. Current usage of the term “cyber” is tied to the 1990s rise of the internet and its common reference as “cyberspace.” In today’s vernacular, the term refers to computers and anything related to them.
Over the past 30 years, the explosive growth of the internet and continually increasing power of processors have fueled the rapid integration of computers into almost every facet of people’s lives. Concurrently, as computers have taken on greater roles in society, they have also become more attractive targets for malicious agents, both foreign and domestic. The first contemporary cyber-attack occurred in 1989 when a computer worm designed to map the size of the internet inadvertently almost brought it to a halt. [1] In 1989 the internet had not yet gone public nor undergone the HTML revolution that would create the world wide web and was still relatively small with an estimated 2.6 million global users. [2] Today, the internet hosts over 4.1 billion users [3] and is considered a “lifeline” infrastructure supporting many essential services in both the public and private sector. [4]
In 1997, the President’s Commission on Critical Infrastructure Protection warned of the future potential to inflict domestic catastrophic destruction through cyber-attack on the nation’s critical infrastructure. [5] The report precipitated Presidential Decision Directive #63 in May 1998 directing executive agencies to protect the nation’s critical infrastructure from both physical and cyber-attack. [6] Following the terrorist attacks of 9/11, the 2002 Homeland Security Act assigned responsibility for protecting the nation from cyber-attack to the new Department of Homeland Security (DHS). Today, the DHS Office of Cybersecurity and Communications maintains watch over U.S. cyber infrastructure from the National Cybersecurity and Communications Integration Center (NCCIC). [7] Unfortunately, the NCCIC has very few resources and no authority to intervene outside government unless requested.
Title 18, Section 1030 United States Code, enacted by the 1984 Counterfeit Access Device and Computer
Fraud and Abuse Act, makes it a crime to access a computer or alter its data without permission from
the owner. Subsequent amendments also make it a crime to create and distribute malicious code that
might otherwise subvert or disrupt the intended functioning of a computer. Despite these prohibitions,
computer crime is a growing business. In 2017, 160,000 cyber-attacks were reported, nearly doubling
the number of attacks reported in 2016. In fact, the number of cyber-attacks is suspected to be closer to
350,000 since many go unreported. [8]
In 2018, the White House reported that 2016 cyber-attacks cost the U.S. economy between $57 billion
and $109 billion. [9] The global cost of cyber-attack in 2017 is estimated to be more than $600 billion.
[10] Of greater concern are the predictions from the 1997 Presidential Commission Report made
manifest with the 2010 STUXNET attack on an Iranian nuclear processing plant and the December 2016
cyber-attack shutting down electricity to the city of Kiev. In an unprecedented move, in March 2018 the
U.S. accused Russia of systematically infiltrating the U.S. electric grid and gaining the ability to disrupt or disable power plants. [11] A coordinated cyber-attack shutting down the North American grid could
precipitate the worst disaster in U.S. history.
A 2017 report by the Council on Foreign Relations determined that a large-scale cyber-attack on the U.S. power grid would inflict economic damages in excess of $243 billion, on par with Hurricane Katrina, but result in only a small rise in death rates as health and safety systems failed. Although the report acknowledges potentially worse consequences, it seems to tend toward a conservative estimate. [12] Considering that 35,000 people were killed due to a European heat wave in August 2003, [13] it is not hard to imagine the potential number of casualties if the North American Grid was shut down at the height of summer. The death toll could exceed the 6,000 killed in the 1900 Galveston Hurricane, still the worst disaster in U.S. history outside the Civil War.
Despite our understanding of the threat, our defenses remain woefully inadequate. According to the Department of Homeland Security, cybersecurity is the “activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against the damage, unauthorized use or modification, or exploitation.” In concept, cybersecurity is easy. In practice, cybersecurity is hard.
We know that in order to attain cybersecurity three conditions must be met: confidentiality, integrity, and availability. Confidentiality ensures that a computer and data are not accessed by an unauthorized agent. Integrity ensures that the computer and data are not corrupted by an unauthorized agent. Availability ensures that the computer and data are always accessible when wanted. As seemingly simple as they sound, though, these conditions are hard to attain. They are hard to attain because computers are inherently stupid and fragile.
Computers are stupid because, unlike humans, computers are incapable of making value judgments regarding their actions and will perform as directed regardless of the outcome, even if the consequences are catastrophic. Computers are also fragile because a single wrong character can disrupt millions of lines of code. Finding such flaws is impossible. Even a small 100-line program with some nested paths and a single loop may contain 100 trillion paths. Assuming each path could be evaluated in a millisecond, that’s 1,000 paths tested every second, it would take 3,170 years to test all possible paths even in a simple piece of code. [14] Most useable software contains millions of lines of code; Google Android alone has 12 million lines of code. Consequently, with any useful piece of software, you don’t know what you’ve got and have no way of finding out.
According to a 2014 study, the two primary methods of cyber-attack are phishing and exploitation. Phishing is a social engineering technique designed to fraudulently obtain names and passwords from authorized users. Exploitation takes advantage of software flaws to obtain access to a computer or its data. [15] The troubling implication from phishing is that your computer security is only as strong as your weakest user. Likewise, the troubling implication from exploitation is that new forms of cyberattack for which we are unprepared will continually emerge because software is inherently flawed.
Unfortunately, as of yet there are no solutions to these problems, and none available on the foreseeable technical horizon. Despite incredible advances in Artificial Intelligence due to “deep learning” (i.e., neural networks), these methods have yet to produce a machine exhibiting reasoning skills capable of avoiding catastrophic consequences; the Turing Challenge still stands. Quantum computers and networks may prove less hackable due to the physics of entanglement, but their design is directed toward a specific class of computationally challenging problems (i.e., they are ill-suited for general purpose problems which occupy most of today’s computers), and they can’t overcome the problem from phishing attacks.
Indeed, there is no invulnerable defense against a determined attacker. The inescapable consequence from the current predicament is that cybersecurity is a continuous and evolving practice against a continuous and evolving threat. Until such time as we can eliminate vulnerabilities to cyber-attack, our critical infrastructure will remain at-risk to this potentially catastrophic threat.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email [email protected]. Our editorial guidelines can be found here.
References
[1] Fresh01, “The History of Cyber-Attacks,” [Online]. Available: https://fresh01.com/the-history-ofcyber-attacks/.
[Accessed 19 October 2018].
[2] Our World in Data, “Internet,” [Online]. Available: https://ourworldindata.org/internet. [Accessed
19 October 2018].
[3] Internet World Stats, “Internet Growth Statistics,” [Online]. Available:
https://www.internetworldstats.com/emarketing.htm. [Accessed 19 October 2018].
[4] US Department of Homeland Secuirty, “National Infrastructure Protection Plan,” US Department of
Homeland Security, Washington, DC, 2013.
[5] President’s Commission on Critical Infrastructure Protection, “Critical Foundations: Protecting
America’s Infrastructures,” US Government Printing Office, Washington, DC, 1997.
[6] The Whitehouse, “PDD-63, Critical Infrastructure Protection,” The Whitehouse, Washington, DC,
1998.
[7] R. White, “Homeland Security in a Nutshell,” International Journal of Social Science Studies, vol. 5,
no. 6, 2017.
[8] Security Intelligence, “Cybersecurity Incidents Doubled in 2017, Study Finds,” [Online]. Available:
https://securityintelligence.com/news/cybersecurity-incidents-doubled-in-2017-study-finds/.
[Accessed 20 October 2018].
[9] The Council of Economic Advisers, “The Cost of Malicious Cyber Activity to the U.S. Economy,”
Executive Office of the President, Washington, DC, 2018.
[10] McAfee, “Economic Impact of Cybercrime – No Slowing Down,” McAfee, 2018.
[11] National Public Radio, “Report: Russian Hackers Had the Ability to Shud Down U.S. Power Plants,”
NPR, Washington, DC, 2018.
[12] R. K. Knake, “A Cyberattack on the U.S. Power Grid,” Council on Foreign Relations, New York, NY,
2017.
[13] S. Bhattacharya, “European Heatwave Caused 35,000 Deaths,” NewScientist, 10 October 2003.
[Online]. Available: A large-scale cyberattack on the U.S. power grid could inflict considerable
damage. The 2003 North-east Blackout left fifty million people without power for four days and
caused economic losses between $4 billion and $10 billion. The Lloyd’s scenario esti. [Accessed 27
October 2018].
[14] IEEE Spectrum, “Why Software Fails,” IEEE Spectrum, 2005.
[15] Center for Strategic and International Studies, “Net Losses: Estimating the Global Cost of
Cybercrime,” Intel Security, Santa Clara, CA, 2014.
