Correction: An earlier version of this editorial mistakenly referred to the Arthur R. Bowman dam. The text has been updated to reflect the correct name, the Bowman Avenue dam.
About 30 miles north of New York City, in Rye, N.Y., sits the Bowman Avenue Dam, a reinforced-concrete gravity dam constructed a century ago for ice-making, and now primarily used for flood control, with a sluice gate that can control water permitted to flow downstream. Between Aug. 28 and Sept. 18, 2013, a hacker sneaked into computer systems that monitor the dam and move the sluice gate.
According to a grand jury indictment unsealed Thursday in federal court in New York City, the hacker was Hamid Firoozi, 34, the network manager for a computer security firm, ITSec Team, based in Iran. Mr. Firoozi collected information about the dam’s water levels and temperature, and the status of the sluice gate. He might have been able to open the gate, but, fortunately, it was manually disconnected for maintenance.
He was charged with one count of computer hacking. The intrusion shows once again that cyberattacks are proving feasible against critical civilian infrastructure such as electrical grids, power plants and dams. The Bowman Dam is not the Hoover Dam, but its vulnerability ought to concern everyone.
Mr. Firoozi was part of a larger group of seven people employed by ITSec and another company, Mersad, that were also behind a massive onslaught against websites run by U.S. banks that reached a peak in September 2012, the indictment says. In effect, the group overwhelmed the websites with so many hits that hundreds of thousands of regular customers could not access their bank accounts. The attackers didn’t steal data or money but, using robot-like botnets, threw so much traffic at the websites — up to 140 gigabits per second — that the sites failed.
It is unlikely that Mr. Firoozi or the others, still in Iran, are going to face trial in a U.S. courtroom for these assaults. Nor will grand jury indictments deter future cyberattacks from abroad. But leveling charges and naming those responsible shows that the hackers cannot always escape with anonymity; doing so may crimp international travel by those charged, and the hidden hand of Iran is exposed. According to the Justice Department, the two companies involved worked for the government, including Iran’s Revolutionary Guard, and one of the hackers, for his effort, got credit toward completion of mandatory military service.
How do these Iranian assaults differ from Stuxnet? That was the computer worm deployed by the United States and Israel to wreck centrifuges in Iran making enriched uranium that could be used in a nuclear bomb. The attack methods were similar; Stuxnet also targeted industrial control mechanisms. But Stuxnet was aimed only at Iran’s illicit weapons-making ability, not at harming civilians. The distinction is important — just like the difference between military and civilian targets matters in other forms of war.
So far, the world’s major powers have managed to coalesce only around some informal and voluntary norms of behavior for cyberconflict. Perhaps it is time to set them down more concretely and firmly rule out floods and blackouts as tools of cyberattack.