Could a sophisticated foe break US cyber defenses?
Photos: AP Images
Last Tuesday, flights across the United States were delayed for hours due to a “computer malfunction.” The dramatic announcement and the paralysis at airports across the country led many on social media to wonder whether this was really a computer malfunction — or a cyberattack.
Two days later, after an internal investigation, the reason became clear: The culprit was an outdated computer system — more than 30 years old — in the process of being upgraded. A file was accidentally deleted, causing a malfunction, which was soon fixed.
The world breathed a sigh of relief, and life returned to normal.
But one can’t help but wonder, just how secure is the United States’ critical infrastructure? The more systems are connected to the Internet, the greater the risk that in the event of a cyberattack, essential systems will cease to function. From traffic lights and hospitals to the water company, everything is connected to the Internet, and everything could be at risk. To what extent are other countries trying to disrupt key American infrastructure, and can we sleep at night?
“There is certainly cause for concern,” says Quentin Hodgson, senior international and defense researcher at the Rand Corporation focusing on cybersecurity, cyber operations, critical infrastructure protection, risk management, and command and control.
“There have been some attacks here in the US, but nothing truly catastrophic yet,” Hodgson says. “I’d first say that the reason we haven’t seen a significant attack is because of intention and motivation. It would be highly escalatory and dangerous for a nation like China or Russia to attack our infrastructure, and they know that. We also are not in a situation where they would feel compelled to take such drastic action, even with the ongoing conflict in Ukraine.”
But that doesn’t mean they don’t have the capability, Hodgson cautions. He classes Russia and China as the most sophisticated and capable nations, outside of the US and a select few other Western countries. “That said, to have truly destructive effects is not a simple thing. It takes a lot of work to understand how these systems function and how to create physical effects through cyberspace. It takes a lot of intelligence gathering, and that still doesn’t guarantee that the attack would work when an adversary wants it to.”
But the US can’t afford to rest on its laurels. “As we modernize our infrastructure,” Hodgson says, “the vulnerabilities can proliferate as critical infrastructure owners integrate more sophisticated operational technology that interfaces with IT for monitoring and control. The United States should be doing more to work with the private sector owners of these systems to not just understand how these attacks might occur, but to develop more resiliency in the systems so they can fail gracefully and not catastrophically. Cybersecurity protections are not enough given the complexity of these systems.”
Cat and Mouse
Professor William Banks at Syracuse University’s College of Law, an expert on cyber conflict and national security law, says that the technology behind cyberattacks has not advanced to the point of being deadly — yet.
“Cyber penetrations tend to be disruptive rather than destructive,” he says. “Only a few cyberattacks have proven destructive, such as the successful efforts of Israel, and perhaps the US, to destroy centrifuges central to the Iranian efforts to produce nuclear weapons. Cyber offense and defense resemble a cat-and-mouse game. The offense is typically ahead, but the defense is good and getting better.”
And while the US has become much better at both in the last decade, Banks says, the country faces a unique challenge in cyber defense because of its extreme decentralization. “Much of US critical infrastructure remains vulnerable to cyberattack, largely because it is primarily in private sector ownership. To date, the US government has been reluctant to impose controls on critical infrastructure and has opted instead for recommended security measures. In countries where government owns most critical infrastructure [e.g., Israel], controls are much more effective and successful defense is easier to achieve. In the US, the electric grid and water supply remain particularly vulnerable to cyberattack.”
Professor James Curtis of Webster University’s George Herbert Walker School of Business and Technology is not one to downplay the threat from cyber warfare. “To paraphrase Clausewitz, cyber war is just traditional warfare by other means,” he says.
And because the components of cyber warfare are computers, online connectivity, and vulnerabilities in software, it is much less costly to wage, Curtis says. “Traditional kinetic warfare requires massive amounts of troops, weapon systems, physical movements, logistics, and many other elements. It is also comparatively slow in execution and expensive. Cyber warfare is instantaneous, cheap, can be executed by a small cadre of combatants, and it is difficult to initially identify the attacker. I don’t think it is in much doubt that all future major military warfare offensives will be led by cyberattacks. So, the danger to the world is extremely serious and I would argue is at the same crisis level as nuclear weapons.”
There have been scattered cyberattacks on major industrial targets — SolarWinds, Sony, isolated infrastructure points — but overall they have not been successful. Curtis warns that it would be a mistake to attribute that lack of success to a strong US cyber defense, or to insufficient capabilities on the part of adversaries.
“America, and democracies in general, are not very well protected against major cyberattacks on critical infrastructure,” he says. “Some of the US’s 16 critical infrastructures are better protected than others, but none can be considered well-protected or invulnerable to a successful nation-state or terrorist attack.”
Instead, Curtis says, America’s enemies may simply be afraid of what an all-out cyberattack would trigger in the way of response.
“The more likely reality is that the potential result of a major attack on critical infrastructure would result in an unknown political impact, and an even more unpredictable military response,” he says. “As an example, if a rogue nation such as Iran were to successfully conduct a major cyberattack against the US electrical grid in the middle of a major winter cold period, the results could be tens of thousands of Americans dead, billions of dollars in costs to the nation, and without doubt, a required kinetic military response against Iran. That response would not be proportional and would likely be a devastating military response along the lines of post-9/11.”
Fears of Armageddon
That being said, a geopolitical rival who feels pushed into a corner might be tempted to unleash a painful attack on the US — and Curtis says the Armageddon-scale potential of such an attack would be fearsome.
“I would argue the fears [of a major cyberattack] are actually intentionally minimized by corporations and the government. The threat is real, it is imminent, and has a high possibility of being devastating to the US economy with massive loss of lives. It literally keeps me up at night thinking of the potential impact on America if a nation-state with the cyber capabilities such as China or Russia did decide to conduct a full-on simultaneous attack against multiple critical infrastructures such as the electrical grid, water systems, nuclear plants, the defense industrial base, etc., that have the propensity to push this nation into a crisis that we have never experienced in the homeland.”
Ultimately, Curtis says, the best argument for a stout cyber defense is that the offensive capabilities of cyber warfare are affordable and easy to acquire for a wide range of foes.
“The bottom line is that developing a cyber offensive capability is generally an easily achievable ‘weapon system’ that is cheap compared to the cost to research, develop, and produce traditional kinetic weapon systems,” he says. “And it has the added value of being instantaneous and very difficult to rapidly assign attribution for the attack. If Russia attacks Ukraine with a bomb, it is evident to the world, but when they attack via online cyber weapons, the mode is hidden, and it becomes quite challenging to attain public awareness and support for the resulting impact of the cyber weapon’s deployment.”
Professor Michel Benaroch of Syracuse University’s Whitman School of Management warns that even if the US does invest heavily in cyber defense, “there’s no 100 percent protection.” It’s better, he advises, to focus efforts on protecting key systems.
“Economically, it would be impossible to guarantee 100 percent safety of every piece of software or hardware,” he says. “So it’s just a matter of time before somebody outsmarts the software or discovers some kind of gap or back door that they can break through. I think the biggest concern should be about those very, very unlikely events, like a nuclear power plant that gets compromised. That is very, very unlikely, but when it happens, it can be catastrophic.”
Benaroch is dismissive of the abilities of terror groups to mount any kind of major cyberattack.
“They don’t have the capability to compete with any well-established country,” he says. “They don’t come even close. If a state wanted to inflict damage on another state using cybersecurity or cyberattacks, they would probably be able to do it. But then they’d expect to get [hit back]. So I think there is sort of like a fear of mutually assured destruction when it comes to state-sponsored cyberattacks. For terror groups and other small groups, even the ones that do it just for the money, they don’t have the sophistication.”
(Originally featured in Mishpacha, Issue 946)