Let’s not shut down the Internet to ward off cyberattacks

July 1, 2013

My colleague Robert Samuelson makes the case against the Internet, pointing to a report from the Defense Science Board earlier this year about the damage foreign adversaries could do by attacking our digital systems.

That report suggests that as a result of a full-scale attack, there could be "no electricity, money, communications, TV, radio or fuel (electrically pumped). In a short time, food and medicine distribution systems would be ineffective." Even worse "U.S. guns, missiles and bombs may not fire, or may be directed against our own troops."

But it's important to emphasize that this scenario is based on a "full-scale conflict with a peer adversary" — that is, a great power like Russia or China. And digging into the specific threats that the DSB is worried about makes clear that they don't have all that much to do with the Internet.


Chart from "Resilient Military Systems and the
Advanced Cyber Threat" Defense Science Board, Department of Defense.

The DSB helpfully divides adversaries into six tiers. In the lowest two tiers are garden-variety hackers, who exploit known vulnerabilities in computing systems. These attacks will tend to be of the "nuisance" variety: defacing or disabling companies' Web sites, hijacking poorly-secured e-mail or Twitter accounts, or stealing credit card numbers or trade secrets from corporate networks.

In the middle tiers, which the report labels III and IV, are parties with the capability to discover and exploit previously unknown vulnerabilities in computer networks, and to launch more sophisticated attacks. These might involve penetrating even well-secured corporate or government networks, allowing extended surveillance and even sabotage of important systems like the electric grid.

The top tiers, V and VI, involve adversaries who have the power to create vulnerabilities. For example, the Chinese government might gain control of a semiconductor company selling chips to the United States and insert circuitry that allows the Chinese to remotely monitor, control or destroy U.S. computer systems. Or a Russian covert operative might gain physical access to a secure facility in order to modify hardware or software.

This taxonomy makes two things clear. First, the farther you go up the pyramid, the less necessary the Internet becomes to mount attacks. Indeed, the report notes that top-tier attacks long predate the modern Internet. In the 1970s, the Soviet Union managed to place modified Selectric typewriters into the U.S. Embassy in Moscow and the U.S. Mission in Leningrad. The modified typewriters would wirelessly transmit every keystroke to nearby Russian listening posts.

Stuxnet, the malware that sabotaged the Iranian nuclear program, provides a more recent example. Stuxnet was designed to spread via infected USB sticks introduced to Iranian facilities by covert operatives. Turning off the Iranian Internet would have done little to stop the attack.

Second, only the most powerful states in the world have even the theoretical capability to bring about the kind of mass havoc the DSB envisions in a full-scale "cyber war." Bringing down the U.S. power grid, financial system and other critical systems would require thousands of engineers to study U.S. systems and make careful plans to sabotage them.

Again, Stuxnet provides a good example. Its author -- reported to be the U.S. government -- had intimate knowledge of the expensive Siemens industrial control equipment the Iranians used to control their centrifuges. The attack took years of planning and millions of dollars. Premeditated sabotage — for example, introducing compromised chips into an adversary's infrastructure — is even more difficult.

An attacker who wanted to cripple the American economy would have to launch these kinds of sophisticated attack against dozens, if not hundreds, of U.S. systems simultaneously. Only governments, and probably only a handful of great powers, have the capacity to do so. And while such an attack would certainly be awful, the nations capable of carrying them out also have bombers, aircraft carriers and nuclear weapons. They've had the capability to kill tens of millions of Americans for decades, and shutting down the Internet wouldn't stop them.

Comments
Show Comments
Most Read Business
Next Story
Ezra Klein · July 1, 2013