You can’t see it. You can’t smell it. You can’t hear it. But you should fear it.
The internet has evolved beyond simply moving 1s and 0s around at the speed of light. On their own they can’t hurt you. But when the bits and bytes are put into the right form and context, they can be lethal. It’s no coincidence the Department of Defense has called cyberspace the “Fifth Domain” of modern warfare.
What many consider a scenario from the movies is now quite real.
In 2012, I was interviewed by CNN Entertainment about the James Bond film “Skyfall”. I was asked “Would it be possible for a bad guy to hack into MI6 – or any infrastructure – to target it for destruction?”
I replied that “many critical infrastructures are connected to Supervisory Control and Data Acquisition systems, controlling our electricity grid, water, and sewers, and are therefore are a huge soft target for terrorism.”
Last month the UK’s National Cyber Security Centre (NCSC) warned that Britain will be hit by a life-threatening “Category 1” attack in the near future. According to the NCSC, a Category 1 incident is “an attack which causes ‘sustained disruption’ of essential services or affects national security, leading to severe economic or social consequences, or to loss of life.”
We now have a major nation highlighting the consequences of a cyberattack with the same language normally reserved for a terrorist attack.
How did we get here?
Russia has already launched the first successful BlackEnergy attack. BlackEnergy was originally developed in 2007 as a distributed denial-of-service tool (DDoS). It evolved in 2014 to a full package that targeted Industrial Control Systems (ICS) and embedded espionage modules, with the ability to attack multiple types of operating systems and employ KillDisk, which erases files and destroys the ability to boot up computers.
We’ve done it too. As far back as 1982, the CIA tricked the then-Soviet Union to steal software that had been programmed with a logic bomb. The Soviets used the stolen software to operate their gas pipelines in Siberia. A logic bomb has a set of instructions secreted inside the computer code that – when the conditions or timing is right – executes a preprogrammed routine.
The CIA’s logic bomb “was programmed to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds.” The result was the “largest non-nuclear explosion and fire ever seen from space.” No fatalities were recorded, but the initial impact reportedly raised fears that a small nuclear device had exploded.
In the case of the Flame and Stuxnet attacks against Iran’s centrifuges in 2009 and 2010, the code targeted a certain model of PLCs — programmable logic controllers – that controlled the interaction between Iran’s computers and their uranium centrifuges. Stuxnet altered the PLC programming and caused the centrifuges to spin too quickly for too long a time. Simultaneously, it told the controlling computer everything was fine. The result was massive damage to delicate systems and instruments.
The Iranian uranium enrichment systems were air-gapped, meaning there was no physical connection to the Internet. An Iranian spying for Israel is reported to have introduced Stuxnet through a USB drive, which gave access to the rest of the computer network. The first attacks were launched in June and July of 2009.
It’s no coincidence that in September of 2009, the Obama administration revealed the existence of a secret Iranian enrichment plant. The CIA’s covert communications system with their agents was unwound after the announcement. It seems the intelligence gleaned from the deployment of Stuxnext, along with reports from Iranian assets, was used to verify the existence of the secret facility.
As computers and systems became more directly connected to the Internet, it was only a matter of time before remote access would become the weapon of choice. Lost in the hoopla of the November 2014 Sony hack was a terrifying meltdown, literally, in Germany.
Just before Christmas in 2014, a steel mill was compromised through spear-phishing emails. The attackers appeared to have intimate knowledge of how the plant operated (Similar to the Iranian PLCs). According to a Wired article, they manipulated and disrupted “control systems to such a degree that a blast furnace could not be properly shut down, resulting in ‘massive’ — though unspecified — damage.”
The fact that there haven’t been massive casualties from a cyberattack appears to be more a product of luck than prevention. We have now evolved from modifying stolen software, to introducing malware into an air-gapped system, to compromising a network connected to the internet.
The British security service MI5 lists five threat levels, with the most serious being Severe and Critical. It’s quite possible the Joint Terrorism Analysis Centre (JTAC), the agency that sets the threat level for the UK for international terrorism, could issue a Critical alert for a Category 1 cyber incident.
If they did, would people respond in the same way as the threat from a traditional, physical attack? Would citizens know what to do?
A more chilling aspect of that Bond interview I did was when I was asked about transportation safety. In the movie, the villain Silva is able to hack into the MI6 mainframe, access the London Underground, and send one of the Tube’s trains off the rails. I replied that “Transportation is one of the softest terrorism targets there is.” That’s still true today. Whether an attacker could actually send a train off the rails is not something I want to find out.
One thing is now clear: A Category 1 cyberattack that involves loss of life isn’t just for the movies anymore.
Morgan Wright is an expert on cybersecurity strategy, cyberterrorism, identity theft and privacy. He previously worked as a senior advisor in the U.S. State Department Antiterrorism Assistance Program and as senior law enforcement advisor for the 2012 Republican National Convention. Follow him on Twitter @morganwright_us.