With all the talk of an impending cyberwar as the Cybersecurity Act of 2012 travels through Congress, the question of what a cyberwar would actually look like is still pretty ambiguous. Is it fear mongering? Or is the impending doom for real? We asked some experts to get a better sense of what cyberconflict looks like in reality.
- Scenario 1: Important websites will be shut down. One of the most famous attacks happened in 2007 to Estonia, a small and high-tech European country on the east border of Russia. Estonia removed a Soviet soldier statue from the country's capital, and soon after, government, political, bank, and major newspaper websites were shut down. Many of the attacks were "denial of service," meaning the attackers used computers to send tons of requests to the sites, thus overloading the servers. The attacks went on for about three weeks. The Estonian government had to close off the sites to foreign access to stop the attacks, which were originating from all across the globe. NATO brought in some cyber experts to help manage the attacks. How worried should we be? Somewhat. Estonia is a highly wired and advanced country, and the attack was unexpected. Worse, it's hard to prove blame. Estonia accused Russia of the attacks, saying one of the addresses was from the Russian government. Russian officials denied it. As such, the attacks avoided an official "war" label, though the term was invoked in interviews and in media. Instead of war, it was a scary demonstration of power from private citizens—cyberterrorism, in other words.
- Scenario 2: Hackers access military systems and compromise its ability to function in combat, or a true war in cyber form. Since our military systems are highly networked, if a hacker were able to gain access to them, it could compromise the effectiveness of our fighting forces. GPS, for example, is something that could be redirected by an expert hacker. The famous Stuxnet worm, now known to be created by the U.S. and Israel, hacked into Iran's nuclear facility and destroyed nearly 1,000 centrifuges that were meant to enrich uranium for nuclear weapons. It was the first big example of a cyberattack crossing over into the physical world, proving that its possible. The Pentagon has said that if a cyberattack that turns physical (such as hurting critical infrastructure or causing death), the U.S. may respond with military action. How worried should we be? Though hackers have stolen information from military networks before, Susan Brenner, a professor of law and technology at the University of Dayton, points out that the most vulnerable points belong to private companies, not the government. After all, Stuxnet targeted civilian systems and machinery made by Siemens.
- Scenario 3: Hackers will hurt critical infrastructure such as the electrical power grid, financial systems, or transportation networks. This is the sort of scenario that some policy makers are most concerned with. An attack could cause large parts of the country to lose power by overpowering transmission systems, says Herb Lin, chief scientist at The National Academies. "Big lumps of iron" transmit our electricity, and if one is destroyed, we have no spares and each one takes nine months to build, Lin says. Barack Obama, in a Wall Street Journal op-ed last week, offered an example of train derailment, since many transportation systems rely on computer networks to function. How worried should we be? Let's not get too paranoid. These are doomsday scenarios. Experts agree that it's a definite possibility but not the easiest or most likely way someone would try to inflict damage. "The simple repetition of the worst case scenarios tends to make people think it's the most likely, which is not true," Lin says. "Does that mean we shouldn't prepare for it? No."
- Scenario 4: Hackers will wage a slow but significant form of economic warfare by stealing proprietary information or money from our private companies. Cybercrime and espionage could crossover into war if the thieving hackers are being sponsored by a government. The U.S. suspects countries such as China and Russia to be doing just that: Stealing the information of private companies to gain an economic advantage. "For around the cost of what a big multinational company spends on an antivirus subscription each year, a group of hackers can go [into a system] and take anything they want," says Scott Shackelford, a business law and ethics professor at Indiana University who studies cybersecurity and privacy. Plus, defensive systems must be updated regularly in order to combat new viruses and worms, and even the best systems money can buy may have vulnerabilities. "You can spend an infinite amount but not get an infinite amount back," Shackelford says. How worried should we be? Very, because this type of conflict has little public-private collaboration precedent, but this type of attack is happening right now. Some are calling it a "cyber cold war," where countries are in a race to build up the most offensive and defensive cyber systems. A study by Symantec Norton Security found last fall that the amount of money being channeled through cybercrime almost matches the amount in the drug trade at $388 billion. It's a bigger source of concern because the private sector is the target, which means the networks aren't in the control of policymakers, Brenner says. "In WWII, no one said to our companies: 'You gotta build bomb shelters, arm yourselves'," she says. "No one said that because we could control our borders. Military could keep them out. But in cyberspace, every computer is a point on a border."
At this point, there has never been a true cyberwar, our experts told us. (Some prefer the term "conflict," since the legal definition of war has not been invoked.) As the Cybersecurity Act currently stands, standards of security are voluntary instead of mandated because business interests worried about too much regulation. Even so, the bill can still be amended, counter-bills are being introduced, and whatever happens before the August break won't solve all our worries. "Nobody knows what to do," Brenner says. "It is so ridiculously complicated."