With both state and non-state actors becoming more adept at carrying out attacks in the cyber realm, the threat to global security and economy will continue to grow. This raises the possibility that cyber-attacks could spark an actual conflict outside of the cyber sphere. In just the first six months of this year, the severity of the attacks reached a new high.
Florida Water – In February, a plant operator noticed how the cursor of his computer started moving across the screen and opened software functions that controlled the water treatment process. The hacker was able to boost the level of sodium hydroxide pumped into the water by 100 times its normal level before the attack was thwarted.
Colonial Pipeline – The cyber-attack directly impacted the fuel supply for the East Coast of the United States. The chaos, fuel shortages and price spikes were a consequence of a leaked password to an old account with access to the VPN used to access the company’s server. Colonial paid a ransom in Bitcoin although much of that was reportedly recovered.
Microsoft Exchange – A Chinese cyber espionage group uncovered and exploited four newly discovered vulnerabilities in the email software, putting at risk millions of organizations and government agencies across the globe. Microsoft worked to reverse the damage by releasing an update to the system and providing mitigation guidance. The issue caused most email exchanges to be offline or degraded for several days.
Those are just the tip of the iceberg. Hundreds of lesser-known (or now forgotten) attacks have occurred, such as Marriott International in 2020, which revealed the personal information of some 5.2 million hotel guests, including name, mailing address, email address, phone number, employer, gender and date of birth.
The use of cyberweapons against military industrial systems was reinforced with destructive effect in 2010 by the most (in)famous computer virus of them all: Stuxnet.
Stuxnet was a complex, multifaceted malware that disabled uranium-enrichment centrifuges in Iran, slowing down the country’s nuclear program. Back then, nothing could match Stuxnet for complexity or sheer cunning — the worm was able to spread imperceptibly through USB flash drives, penetrating computers that were not connected to the Internet or a local network.
Hundreds of thousands of computers were infected yet the worm manifested itself only on computers operated by Siemens programmable controllers and software. On landing on such a machine, it reprogrammed these controllers. Then, by setting the rotational speed of the uranium-enrichment centrifuges too high, it physically destroyed them.
Whilst many in the West cheered Stuxnet, it reinforces the question of whether by accident or design a cyber-attack may result in a devastating outcome. Many speculate that numerous ‘Trojan Horse’ programs lie idle in the computer operating systems of government departments and various utilities around the world waiting to be activated. An investigation confirmed the malicious script in the Florida Water system had been in place for at least two months before activation, for example. Could a single cyber-attack initiate a tit-for-tat response leading to a military confrontation? Stuxnet, for all its brilliance a decade ago, ushered in a new era of cyber-attack and the reaction by the injured or threatened recipient could initiate a dangerous escalation.
This is an interesting and very relevant post. Organisations such as the U.S. Center for Security Policy have long emphasized this issue.
The challenge for a state taking supra-cyber action against cyber attacks might sometimes be attribution.
Could an innocently corrupted digital command cause an accident or be misinterpreted as a hostile act?
Or unforeseen programming responses to untested inputs? Wasn’t there a trading glitch or two that have impacted Wall Street? It used to be that the defence forces consumed the most computer power. Not sure that still holds true.
Complexity leads to vulnerability.
A cyber attack could certainly be an act of war.
So you’re saying we should drink only beer? To be on the safe side? OK, if you insist.
But only from small (read tasty) breweries. Automation in the large conglomerates is also a risk.
Interestingly there seems to be a sort of gentlemen’s agreement that cyberattacks aren’t casus belli for war. I suspect that’s because the threat of nuclear weapons has made initiation of war a very dangerous thing indeed. Most of the major cyber players are also nuclear powers.
There’s certainly reputational damage. China is on the nose for their notorious cyber campaigns. Retribution though tends to be in the soft diplomatic fields such as sanctioning individuals and restricting businesses like Huawei. If China hadn’t gotten so cocky and overconfident Huawei would’ve absolutely owned the internet.
Without naming a brand there is some extremely powerful automation equipment out there.
One we are very familiar with gets deployed literally everywhere.
Lock your routers and switches down to MAC address and physical port, we can still tunnel across campuses if there’s a corporate network.
Well, we could in legacy versions.
Anyway, we can still provision other devices from any device.
Trivial to write an object in code and drop it somewhere to be compiled in-situ by the destination engine.
So it isn’t just industrial plants, it’s distributed throughout near every tall building you can see.
Working “from home” we reach all the way into your “essential” services.
So be nice to me.
There’s even a search engine on the webz that will go fetch internet exposed hardware of the type I mention above.
Won’t refer to that search engine by name.
For a decade or more these systems were often deployed with default credentials.
Which means, I can log in with ‘platform’ credentials.
Which means … I ‘could’ do almost anything.
Most of the problems from cyber attacks stem from corporations using the public Internet as their network backbone rather than leasing private lines. Many large corporations, banks for example, still use private networks to keep their networks safe, though private networks are more expensive to maintain.
Fucking stupid idea: hooking all the infrastructure required for a modern society to survive to electronic controls and the internet.
It’s almost as if we want to die.
It’s not as if there was no other possible way to do it.
You don’t HAVE to hook the water control systems up to the internet.
Seriously, when they build this stuff doesn’t anyone go “Do we really need to have the servomotors that dump the bleach in the water accessible over the internet? You know, the internet with the Nigerian scammers and the Russian mail order brides and the Mafia and the Chinese hackers”?
I always watched those movies in the 90s where the hacker guy does all this amazing stuff accessing infrastructure or bank vaults or freeway cameras and went “Come on, that’s not believable, they wouldn’t have that thing hooked to the internet. Why”? Apparently the engineers watched the same movies and went “Wow! We can hook everything up to the internet”.
correct
Which is exactly why I have, at not slight expense, drilled two bores on my property and installed solar powered pumps and tanks on both. The only automatic controls are limit switches and such. None are internet connected in any way.
If they are going to poison my water they better pack a lunch.
“Interestingly there seems to be a sort of gentlemen’s agreement that cyberattacks aren’t casus belli for war”
In my view it’s because at the moment they are just posturing, perhaps seeding. There are no gentlemen in war.
Lest anyone think I’m a cut it all off from society survivalist type, nope. I still pay for public water for instance and use it to flush our toilets, because it also lets me dump my sewerage into their system for them to handle – which seems appropriate.
Meanwhile, I have a fully operational septic system installed for when they decide to change the rules.
As to the war caused by a cyber attack, who would notice or even believe it if announced by govts or their poodle press at this point?
Stealing elections electronically is a cyber-attack. How did the sheep respond to that?
If you could disable one in ten cars on the road at a given time (better still, cause them to rear end the car ahead), a city would be gridlocked for a long time. Throw in some substations and water supply, sewer etc disabled and you have panic and pandemonium.
“Meanwhile, I have a fully operational septic system installed for when they decide to change the rules.”
I have a manual posthole borer that goes to about 4’, 6” diameter. Instant long drop but also handy for scraps etc for which it is used now.
OB,
“Many large corporations, banks for example, still use private networks to keep their networks safe,”
“Safer” would be a better word.
In the end, security has a human element. Unless I’m mistaken, the Stuxnet job was a secure private network except for USB access by authorised personnel.