When Cyber Gets Physical

Jeffrey Pawlick
Published in DataSeries, Feb 25, 2019

The last five years have seen massive data breaches.

Attackers grabbed 56 million credit card numbers from Home Depot in February of 2014. In 2015, they made off with 80 million records from health insurer Anthem, Inc. Later the same year, the U.S. Office of Personnel Management failed to protect the background checks of 21.5 million federal employees. Since then, we’ve seen huge breaches of Equifax, Marriott, and British Airways.

And it’s all but certain that more breaches will follow in the years to come.

Despite that, I’d wager that lost data won’t be the worst cyber consequence in the next five years. The biggest danger, rather, will be the increasing tendency for cyber to get “physical”: attacks on power plants, the traffic grid, irrigation systems, and insulin pumps. These targets are what researchers call “cyber-physical systems.” It’s not hard to imagine horrific attacks on cyber-physical systems, and some have already happened. Specifically, here are four.


Russia-Estonia: 2007

Russia’s cyber-attacks against Estonia had a romantic beginning for something so technical. In April 2007 the Estonian government relocated a bronze statue of fallen Soviet World War II soldiers. Russia saw this as an insult, and responded with a flurry of devastating cyber-attacks.

Estonia’s defense minister told Wired Magazine: “The attacks were aimed at the essential electronic infrastructure… All major commercial banks, telcos, media outlets, and name servers — the phone books of the Internet — felt the impact, and this affected the majority of the Estonian population. This was the first time that a botnet threatened the national security of an entire nation.”

It is true that the Estonia hacks weren’t really on physical systems, but their impact was surely felt in tangible ways for “the majority of the Estonian population.”

U.S.-Iran: 2009–2010

Of course the US is also engaged in offensive cyber warfare. Perhaps the most famous cyber-physical systems attack ever appears to have come from a US-Israeli partnership, and it was called “Stuxnet.”

Stuxnet was designed to disrupt the Iranian nuclear program. It targeted five plants in Iran, especially concentrating on uranium refinement. The virus was initially uploaded to computers using simple removable storage drives. Then it spread throughout the network of computers to search for the correct systems. It did as little harm as possible until it reached the process control network and the centrifuge control systems.

Then Stuxnet altered control commands in programmable logic controllers in order to damage the centrifuges slowly and almost imperceptibly. Stuxnet also replayed old feedback signals from the centrifuges in order to make it seem as though everything was running according to plan.
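Replayed feedback of the kind described above leaves a trace a defender can look for: noisy sensor readings almost never repeat exactly over a long window, while a replay repeats them verbatim. The following is an added example, not code from the article or from any vendor tool; the function names, window length and sample readings are constructed assumptions.

```python
import random

def find_replayed_windows(samples, window=8):
    """Return (earlier_start, later_start) pairs where a run of `window`
    consecutive readings is an exact copy of an earlier, non-overlapping run."""
    seen = {}   # window contents -> index where they were first observed
    hits = []
    for start in range(len(samples) - window + 1):
        key = tuple(samples[start:start + window])
        # A flat-lined sensor repeats trivially; that is a different alarm.
        if len(set(key)) == 1:
            continue
        first = seen.setdefault(key, start)
        # Require a full window of separation so a short periodic signal
        # overlapping itself is not reported as a replay.
        if start - first >= window:
            hits.append((first, start))
    return hits

def constructed_feed(n=60, seed=7):
    """Constructed sample data: a speed reading near a made-up nominal
    value of 1000.0 with measurement noise, rounded like a real sensor."""
    rng = random.Random(seed)
    return [round(1000.0 + rng.gauss(0, 0.5), 2) for _ in range(n)]

if __name__ == "__main__":
    genuine = constructed_feed()
    # Constructed tampering: after sample 60 the operator display is fed
    # a recording of samples 10..39 instead of live values.
    tampered = genuine + genuine[10:40]

    print("genuine feed hits:", find_replayed_windows(genuine))
    hits = find_replayed_windows(tampered)
    if hits:
        src, dst = hits[0]
        print(f"replay suspected: data from index {dst} copies index {src}")
```

A check like this only sees what the monitoring host sees, so it is most useful when compared against an independent measurement path that the control network cannot rewrite.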

Iran acknowledged the attack, and some researchers suggest that it set back the country’s nuclear program by multiple years.

China-U.S.: Ongoing

This one makes Star Wars seem almost tame. According to research by Digijacks CEO Alan Silberberg, the next big target of cyberattacks may be satellites.

In 2013–2014 satellites used in the U.S. for weather forecasting, as well as satellites operated by the National Oceanic and Atmospheric Administration, were hacked, apparently by the Chinese. Then in 2016 the Australian Bureau of Meteorology was breached. The damage so far seems limited — maybe just a capability test. But Silberberg says that satellites ranging from commercial to military uses were built with hardly any view to security, and could be damaged more significantly or used for espionage.

Iran-U.S.: 2013

For New Yorkers, this one is close to home. For roughly three weeks, an Iranian hacker named Hamid Firoozi allegedly had control of systems at a water dam in Rye, less than twenty miles north of Manhattan.

The US Justice Department said that Firoozi had penetrated the system thoroughly enough to gain access to the sluice gate, which controls the flow of water. Fortunately the gate was under repair at the time, so Firoozi could not actually change its operation. Whether Firoozi meant to actually cause damage or merely to test the idea of hacking a water dam, the hack reminded authorities of the potential for attacks on cyber-physical systems. Researchers say that many power plants have outdated systems with similar vulnerabilities.

These cyber-attacks have the potential to cause physical damage on par with so-called “kinetic” attacks: missiles, bombs. But it’s not clear whether they ought to be classified as acts of war.

In the next five years, it will be critical to think about the definition of a cyberwar, the ethics of cyberattacks, and the boundary between national and commercial interests and private and public actors.

This will require professionals who can navigate questions not only technical, but also legal, ethical, and political.

The author posted an earlier version of this article under a Creative Commons license on MercatorNet.
