In the dead of winter, the electricity goes out. Not just in your town, but in many small towns nearby. After a few hours, power returns — but not everywhere. In some places it’s out for days. Hospitals struggle to keep generators running to treat hypothermia sufferers; emergency lines are jammed, preventing ambulances from being dispatched. An overwhelmed police force struggles to maintain calm. What first appeared an inconvenient accident is soon revealed as an act of sabotage: someone wants the power down. Someone is sowing chaos and waiting to take advantage.
This was the nightmare scenario lurking beneath the recent breathless reporting by the Washington Post that “Russian hackers had penetrated the U.S. electric grid” via a Vermont utility. The specter of foreign invaders lurking in the nation’s infrastructure prompted a statement from Vermont Sen. Patrick J. Leahy: “This is beyond hackers having electronic joy rides — this is now about trying to access utilities to potentially manipulate the grid and shut it down in the middle of winter.” Other politicians were equally heated, with Vermont Gov. Peter Shumlin calling Russian president Vladimir Putin a “thug” and saying, “This episode should highlight the urgent need for our federal government to vigorously pursue and put an end to this sort of Russian meddling.”
Soon, though, the Post had to acknowledge that the Russians hadn’t infiltrated Vermont’s power grid after all. The computer in question, a laptop not connected to the grid, reportedly triggered an alarm when a user logged into his Yahoo email account, as millions of people do every day. Experts dismissed the false alarm.
The speed with which politicians rushed to cast blame speaks to a pervasive cultural concern about the vulnerability of interconnectedness. As more devices come online — think of the much-vaunted “Internet of Things,” encompassing cars, refrigerators, dolls, baby monitors, and more — it’s easier to imagine them becoming weaponized, used to disrupt our increasingly digital lives. For a certain cast of mind, it’s easier to imagine that everything is connected and vulnerable, even if that’s not the case. At the same time, there are real dangers. When experts talk about the often murky concept of “cyberwar,” they’re often tempering understandable paranoia with realism. Like William Gibson’s concept of the future, cyberwar is already here, but it’s not evenly distributed — and certainly not in the fully formed way of actual war.
Take the now-familiar example of hacking the power grid. “There is no single electric grid in the United States,” said Mark Mills, a senior fellow at the Manhattan Institute. There are thousands of grids, both local distribution grids and long-haul transmission grids, and most aren’t connected to the internet; there’s no universal switch to just turn off the power in the U.S. But Mills also argued that making grids “smarter” and more interconnected increases vulnerability to hackers. While the industry and many regulators understand that risk, there’s still a push to bring systems online — “smarter” is better. “The utility is being told to move faster, and they have no choice; they’re a regulated monopoly,” he said. Larger organizations tend to better balance security and connectivity, he says, but attackers could focus on smaller facilities likely to be more vulnerable. Multiple, coordinated attacks could disable multiple grids, increasing chaos and uncertainty.
How hard would it be? “They can use LinkedIn to social-engineer their way into the admin’s email box, get them to click on a spoofed email,” said James Scott, a senior fellow at the Institute for Critical Infrastructure Technology. It’s the same kind of phishing attack that hackers used to breach the Democratic National Committee and the email account of John Podesta, chairman of Hillary Clinton’s presidential campaign. It’s a simple technique that continues to work: clicking the email could, for example, download malware that steals the target’s password.
Once inside the network, hackers can install backdoors to continue wreaking havoc even if they’re discovered. For a sophisticated attacker, that might mean using zero-day exploits, security holes that haven’t yet been discovered and patched. But Scott said that level of technical skill might not even be necessary. Too many small and mid-sized organizations don’t diligently update their software with security patches, he said, “and so they will have the networks completely riddled with exploits ready to go.”
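The phishing step described above is also where a defender has a cheap early check. The following is an added example, not code from the article or from either institute quoted in it: a small sender-spoofing screen that flags typo-squatted lookalikes of an allow-listed domain, display names that borrow internal branding while the real address is external, and Reply-To headers pointing somewhere other than the From domain. The allow-list, brand keywords, and every message header below are constructed for the demonstration.

```python
"""Flag e-mail headers that look like sender spoofing or lookalike domains.

Added example, not from the article. All domains, keywords and messages
here are constructed; TRUSTED_DOMAINS is an assumed allow-list of the
domains an organisation legitimately sends from.
"""
from email.utils import parseaddr

# Assumed allow-list (constructed): domains the organisation really mails from.
TRUSTED_DOMAINS = {"example-utility.com", "vendor-example.net"}

# Display-name fragments attackers commonly borrow when impersonating staff.
BRAND_WORDS = ("example-utility", "helpdesk", "it support")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-squats such as examp1e-utility.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,        # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyse(headers: dict) -> list:
    """Return the reasons a message looks spoofed; an empty list means clean."""
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    dom = sender_domain(addr)

    if dom and dom not in TRUSTED_DOMAINS:
        # A near miss of a trusted domain is far more suspicious than a random one.
        close = [t for t in TRUSTED_DOMAINS if 0 < levenshtein(dom, t) <= 2]
        if close:
            reasons.append(f"lookalike domain {dom} resembles {close[0]}")
        # Internal-sounding display name on an external address.
        lowered = name.lower()
        if any(word in lowered for word in BRAND_WORDS):
            reasons.append(f"display name '{name}' impersonates internal sender from {dom}")

    # Replies silently redirected elsewhere are a classic credential-phish tell.
    reply_to = headers.get("Reply-To")
    if reply_to:
        rdom = sender_domain(parseaddr(reply_to)[1])
        if rdom and rdom != dom:
            reasons.append(f"Reply-To domain {rdom} differs from From domain {dom}")
    return reasons


# Constructed sample headers: one legitimate, one typo-squat, one redirected reply.
SAMPLE_MESSAGES = [
    {"From": "Grid Ops <ops@example-utility.com>"},
    {"From": "IT Helpdesk <admin@examp1e-utility.com>"},
    {"From": "Jane Doe <jane@partner.example.org>",
     "Reply-To": "jane@mail-drop.example.org"},
]


def scan(messages: list) -> list:
    """Run analyse() over a batch; returns one reason-list per message."""
    return [analyse(m) for m in messages]


if __name__ == "__main__":
    for msg, findings in zip(SAMPLE_MESSAGES, scan(SAMPLE_MESSAGES)):
        print(msg["From"], "->", findings or "clean")
```

The edit-distance threshold of 2 is a tuning choice: tighter catches fewer typo-squats, looser starts flagging unrelated short domains, so in practice the screen is a triage hint fed to a mail gateway or SIEM rule rather than a blocking decision on its own.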
To wreak the most havoc they’d likely still need physical access, according to Mills. But, cyber-infiltration scenarios aside, he said, “I’m much more worried about terrorists with guns and bombs than I am about hacking the grid.” Firstly, it’s simply easier to attack people with guns and bombs. Secondly, the goal of terrorism is not just violence, but spreading fear. Guns and bombs make for violent spectacle; power outages are usually an unspectacular inconvenience. The Northeast blackout of 2003, caused primarily by a software bug, knocked out power to 55 million people; nearly 100 people died, but there was no widespread panic. Scott, too, imagines a situation in which knocking out the power is a prelude to more violent tactics. And to further panic, attackers could disrupt emergency communications. “You could do that by spamming 911, making it so no legitimate calls could get through. That’s easy to do,” he said.
“When we think about cyberattacks, we think about hacking, it’s been mostly in the space of stealing information, ranging from your credit card number to what a Democratic party leader is putting in their email,” said Peter W. Singer, a strategist at New America and co-author of Cybersecurity and Cyberwar: What Everyone Needs to Know. He argues for clear distinctions in our thinking about cyberattacks, and for drawing bright lines separating hacking, crime, terrorism, and, finally, full-scale cyber war.
We’ve seen data theft, even what appears to be state-sponsored hacking — think about the Chinese breaching the Office of Personnel Management (OPM) or, more recently, the still-contentious claim that Russia lies behind the cache of leaked Democratic emails published by Wikileaks. We’ve seen crime, perhaps most notably with ransomware attacks on hospitals.
And, Singer told Vocativ, we’re seeing the potential targets for cyberattacks increase as more devices come online, built without much consideration of security. “A lot of the vulnerabilities are being baked in right now,” he said, “and there are lots of different reasons for that. It’s everything from [the fact that] car companies, doll companies don’t see themselves as software security companies, and yet now that’s what they’re increasingly responsible for, to a lot of laws and regulations are just not there yet.”
We’ve even seen the first real-life case of the “energy grid hack,” when, in late December 2015, operators watched helplessly as infiltrators shut down power distribution centers in Ukraine, leaving 230,000 people in the dark. Ukraine blamed Russia, though cyber-security experts suggested a more complicated picture—attribution can be a fundamental difficulty with cyberattacks, when hackers can hide their tracks and plant false leads, and many of the tools of the trade are freely available.
What we haven’t seen is all-out cyberwar. At least, Singer said, not yet. Instead, we’ve seen more covert attacks, like the Ukraine attack or Stuxnet, the virus launched by U.S. and Israeli forces to destroy Iran’s nuclear-enrichment capabilities. Today, state-sponsored cyberattacks typically happen sub rosa and are disavowed; Stuxnet’s very existence might not have been revealed had officials not talked to the press. Taking responsibility, after all, would mean revealing offensive capabilities and wading into a realm of warfare where the rules remain murky, even non-existent.
But rising political tensions, say between the U.S. and China or the U.S. and Russia, increase the possibility of all-out cyberwar, Singer said. We haven’t seen cyberwar yet, he said, because we haven’t seen actual war between cyber-armed countries. A novel he co-authored, Ghost Fleet: A Novel of the Next World War, is a Tom Clancy-inflected take on a war between the U.S. and China, set ten years in the future. In it, cyberwar is simply a tactic that supports the larger strategy of war. Picture malware burrowing into classified computers at the Department of Defense (much like the intrusion that forced the State Department to take part of its network offline) and Chinese-manufactured microchips revealing themselves as Trojan horses; killer satellites that take out the United States military’s communication capacity and scramble its GPS readings, as North Korea has already done against South Korea; autonomous drones deployed to take out air defenses, then intercept and disrupt communications. It’s all designed to confuse and conceal, thickening the fog of war.
Singer doesn’t suggest a similar future war is inevitable, though he does point out that much of history has been spent with the great powers at war with one another. Unless (or until) that kind of war breaks out, nation-sponsored cyberattacks may remain a nominally covert activity. And experts tend to keep their cards close to their vests when it comes to details, whether about perceived weaknesses or how to ultimately attribute attacks: both can provide blueprints for would-be attackers. The ICIT’s Scott explains the ease with which hackers can hide their tracks; his organization recently removed from its site a guide to various known attackers, arguing that it could be used to falsify evidence pointing to a specific group. Yet he also believes open attacks on U.S. infrastructure are less likely to come from Russia or China, because those countries have so much to lose. “It would come from a highly sophisticated mercenary that’s doing contract work for a smaller state,” he says, “or a Hail-Mary state altogether like North Korea.”
Still, countries continue to spend millions honing their cybersecurity capabilities, both offensive and defensive. Since 2010, NATO has run a cyber-defense exercise called Locked Shields, involving more than 550 people across 26 countries, organized from Tallinn, Estonia. Participants can work from their home countries, carrying out attacks on a fictional country; defenders try to maintain the country’s servers, online services, and an industrial control system. The U.S. Cyber Command, the Department of Homeland Security, and the FBI run an annual exercise called Cyber Guard. This year, the more than 800 participants dealt with a fictional attack leading to a widespread power outage affecting millions across the U.S., a refinery gushing oil off the coasts of Texas and Louisiana, and a network outage that shut down the port of Los Angeles.
It’s valuable preparation for a series of potentially unfortunate events; forewarned is forearmed, after all. But Singer cautions that we can be prepared for cyberwar without being paranoid about it. “On one hand, if we were to go to war with another nation—with a Russia, with a China—an actual war, like the classic definition of it, i.e. violence, physical damage, there are amazingly destructive things that could be done through cyber means,” he says. “On the other hand, there have been more power grids taken down by squirrels in a week than by hackers in all of history.” At least for now.