Cyber attacks on Western targets are coming faster and having more serious effects. We have gone in a period of months from massive data thefts at Home Depot and Target to the assault on Sony pictures to, most recently, the defacing of U.S. Central Command’s Twitter and Facebook feeds. The perpetrators of these attacks remain unknown although the Islamic State has claimed responsibility for the Central Command hacks and the FBI has labeled North Korea the source of the Sony operation.
Recent cyber events are like the first signs of a tsunami when the tide retreats out to sea. What comes next is an inundation that will sweep everything before it. As more groups, organizations and states become capable of conducting cyber attacks the potential for truly catastrophic damage to our infrastructure, institutions and military capabilities is increasing.
We have been lulled into a false sense of security due to a combination of factors. So far, none of the attacks have caused obvious and serious damage to property or casualties. It is hard to equate spam email and web site defacements to suicide bombings, drone strikes or televised beheadings. Second, victims of serious attacks tend to lie, pretending that they were not actually penetrated or that the damage was relatively minor. Our own government cyber security agencies don’t talk about what they can and can’t do. But it is a safe bet that our offense is better than our defense and both are better than their counterparts in the private sector.
In a recent interview with Fox News, Chairman of the Joint Chiefs of Staff General Martin Dempsey acknowledged for the first time that in the cyber domain the U.S. faces peer competitors. Some of these competitors have clear advantages over their U.S. counterparts. As the recent Mandiant report demonstrated, the Chinese military is investing in advanced cyber capabilities. Moreover, the activities of Chinese hackers are not restricted while U.S cyber warriors are.
We must not be lulled into a false sense of security by the fact that known cyber attacks have tended to skim the surface of what can be done via the Internet. Recently, a cyber attack on a German steel mill caused extensive damage to the facility. The hackers used a sophisticated spear phishing technique to gain access to the core networks of the plant and then targeted its internal systems, causing the furnace to overheat. This is only the second known case of a cyber attack being employed to cause significant infrastructure damage (the first being the infamous Stuxnet virus that disrupted Iran’s nuclear enrichment centrifuges). But it won’t be the last.
Properly planned, timed and executed cyber attacks could wreak incalculable damage on vital infrastructure. Admiral Michael Rogers, head of both the National Security Agency and the U.S. Cyber Command testified before Congress last year that the U.S. power grid and other crucial infrastructure sectors have been penetrated by the Chinese and other governments, posing a serious threat to shut down these systems and create chaos.
So far, Western nations, including our own, have been able largely to downplay the cyber threat and minimize expenditures because attacks have been annoying but not particularly destructive physically or harmful to life. This is the same pattern that was in place with respect to physical terrorism of the years before 9/11. What will be the cyber equivalent of the attacks on the World Trade Center and how soon will it come?
Find Archived Articles: