At a time when the Internet has been inextricably linked to our national infrastructure, there are understandably serious concerns about the ability of the U.S. power grid to withstand a coordinated attack from hackers in cyberspace. The Internet has become the back door and front door to controlling nearly every aspect of our national infrastructure. Something as relatively simple as a Google search could lead hackers to possible entry points for controlling a nuclear power plant. At his confirmation hearing this summer, Defense Secretary Leon Panetta warned that, “There’s a strong likelihood that the next Pearl Harbor we confront could very well be a cyberattack that cripples our power systems, our grid, our security systems, our financial systems, our governmental system.”
Given the extent of this risk, it’s perhaps not surprising that 90% of our nation's cybersecurity dollars are spent on defense. However, in order to prevent the first Pearl Harbor of cyberspace, is it time to start shifting more of those dollars to offense? The U.S. power grid is simply too complex, too interconnected and too exposed to depend on a single line of defense, no matter how sophisticated.
The logic of shifting more cybersecurity spending to offense is starting to gain credence in the Pentagon. Several months ago, the Pentagon began working on new rules of engagement that would equate an attack on our nation's critical infrastructure as an "act of war." As such, the Pentagon would have more options at its disposal, including the ability to launch an overwhelming conventional strike on the attacker’s infrastructure. In many ways, this new line of thinking is suggestive of the older Cold War period, in which both sides developed massive arsenals capable of overwhelming any defense system. The threat of overwhelming force was the bedrock of Mutually Assured Destruction. Any attempt to launch a pre-emptive attack would be met with a similarly overwhelming attack, thereby negating the value of any offensive first strike.
Rest assured, playing havoc with the U.S. power grid would cause more than traffic snarls on Main Street and random power outages — it would be the equivalent of a premeditated attack on U.S. soil. A single cyberattack would be, according to scenarios outlined in the Financial Times, equivalent to 50 hurricanes hitting at once, causing up to $700 billion in damage and crippling the country for weeks. What’s most concerning is that this cyberattack would not necessarily have to be carried out by a sovereign power — it could just as easily be carried out by terrorist cells in a place like Iran or Yemen.
The cybersecurity stakes are being raised. By some estimates, nearly 85% of the world's utility networks have been infiltrated by hackers and spy agencies. Hackers have stolen valuable documents from the Pentagon and evidence is mounting that the Chinese have been looking for ways to hack into our nation's grid.
So what would an offensive strike on a nation’s infrastructure look like? Perhaps the best example is the much-discussed Stuxnet worm — a piece of computing code that carried a lethal digital payload that could not be tracked. According to the conventional wisdom, the U.S. military let loose Stuxnet in Iranian nuclear facilities. Once Stuxnet went to work by exploiting holes in software code, it caused control systems to spin out of control, crippling Iran’s attempt to build a nuclear weapon. It was, quite simply, the first-ever targeted attack on a nation's industrial control systems.
Stuxnet was the equivalent of launching a nuclear strike in the digital era. It was the “Hiroshima of Cyber War.” And it’s just the beginning. There are more innovations on the cyberwar front. The Pentagon is now hiring hackers to play offense. At this summer’s Black Hat security conference, the emphasis was on hiring the types of hackers who might have been tempted to poke around the U.S. grid and instead, offer them incentives to play offense elsewhere.
In an ironic twist, hooking up our nation’s infrastructure to the Internet has actually made it more, not less, vulnerable. It has also changed the way the Pentagon must approach war. All future war will necessarily contain a whiff of terror — it will be invisible, anonymous and devastating. War will start with a bit of malicious code sitting stealthily in a nation’s power grid, waiting for the right opportunity to strike — just as terrorist sleeper cells wait patiently for their orders. It was once said that the best offense is a good defense. The Internet era has turned that logic on its head — the best defense might just be a good offense.
Read more news and ideas on Innovations: