Sunday, December 15, 2019

The Drums of Cyberwar

In mid-October, a cybersecurity researcher in the Netherlands demonstrated, online, as a warning, the easy availability of the Internet protocol address and open, unsecured access points of the industrial control system—the ICS—of a wastewater treatment plant not far from my home in Vermont. Industrial control systems may sound inconsequential, but as the investigative journalist Andy Greenberg illustrates persuasively in Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers, they have become the preferred target of malicious actors aiming to undermine civil society. A wastewater plant, for example, removes contaminants from the water supply; if its controls were to be compromised, public health would be, too.

That Vermont water treatment plant’s industrial control system is just one of 26,000 ICS’s across the United States, identified and mapped by the Dutch researcher, whose Internet configurations leave them susceptible to hacking. Health care, transportation, agriculture, defense—no system is exempt. Indeed, all the critical infrastructure that undergirds much of our lives, from the water we drink to the electricity that keeps the lights on, is at risk of being held hostage or decimated by hackers working on their own or at the behest of an adversarial nation. According to a study of the United States by the insurance company Lloyd’s of London and the University of Cambridge’s Centre for Risk Studies, if hackers were to take down the electric grid in just fifteen states and Washington, D.C., 93 million people would be without power, quickly leading to a “rise in mortality rates as health and safety systems fail; a decline in trade as ports shut down; disruption to water supplies as electric pumps fail and chaos to transport networks as infrastructure collapses.” The cost to the economy, the study reported, would be astronomical: anywhere from $243 billion to $1 trillion. Sabotaging critical infrastructure may not be as great an existential threat as climate change or nuclear war, but it has imperiled entire populations already and remains a persistent probability.

From 2011 to 2013 Iranian hackers breached the control system of a small dam outside of New York City. Around the same time, they also broke into the servers of banks and financial firms, including JPMorgan Chase, American Express, and Wells Fargo, and besieged them for 144 days. The attacks were in retaliation for the Stuxnet virus, unleashed in 2010, which caused the destruction of nearly a thousand centrifuges at Iran’s largest uranium enrichment facility. Though neither the United States nor Israel took credit for the attack, both countries are widely believed to have created and deployed the malware that took over the facility’s automated controllers and caused the centrifuges to self-destruct. The attack was intended to be a deterrent—a way to slow down Iran’s nuclear development program and force the country to the negotiating table.

If it hadn’t worked, a more powerful cyberweapon, Nitro Zeus, was being held in reserve, apparently by the US, primed to shut down parts of the Iranian power grid, as well as its communications systems and air defenses. Had it been deployed, Nitro Zeus could have crippled the entire country with a cascading series of catastrophes: hospitals might not have been able to function, banks could have been shuttered and ATMs could have ceased to work, transportation could have come to a standstill. Without money, people might not have been able to buy food. Without a functioning supply chain, there would have been no food to buy. The many disaster scenarios that could have followed are not hard to imagine and can be summed up in just a few words: people would have died.

When government officials like the director of the US Defense Intelligence Agency, Lieutenant General Robert Ashley, say they are kept up at night by the prospect of cyberwarfare, the vulnerability of industrial control systems is likely not far from mind. In 2017 Russian hackers found their way into the systems of one hundred American nuclear and other power plants. According to sources at the Department of Homeland Security, as reported in The New York Times, Russia’s military intelligence agency, in theory, is now in a position “to take control of parts of the grid by remote control.”

More recently, it was discovered that the same hacking group that disabled the safety controls at a Saudi Arabian oil refinery in 2017 was searching for ways to infiltrate the US power grid. Dragos, the critical infrastructure security firm that has been tracking the group, calls it “easily the most dangerous threat publicly known.” Even so, a new review of the US electrical grid by the Government Accountability Office (GAO) found that the Department of Energy has so far failed to “fully analyze grid cybersecurity risks.” China and Russia, the GAO report states, pose the greatest threat, though terrorist groups, cybercriminals, and rogue hackers “can potentially cause harm through destruction, disclosure, modification of data, or denial of service.” Russia alone is spending around $300 million a year on its cybersecurity and, in the estimation of scholars affiliated with the New America think tank, has the capacity to “go from benign to malicious rapidly, and…rapidly escalate its actions to cyber warfare.”

It’s not just Russia. North Korea, Iran, and China all have sophisticated cyberwarfare units. So, too, the United States, which by one account spends $7 billion a year on cyber offense and defense. That the United States has not advocated for a ban on cyberattacks on critical infrastructure, the Obama administration’s top cybersecurity official, J. Michael Daniel, tells Greenberg in Sandworm, may be because it wants to reserve that option itself. In June David Sanger and Nicole Perlroth reported in The New York Times that the United States had increased its incursions into the Russian power grid.

There are no rules of engagement in cyberspace. Like cyberspace itself, cyberwarfare is a relatively new concept, and one that is ill-defined. Greenberg appears to interpret it liberally, suggesting that it is a state-sponsored attack using malware or other malicious software, even if there is no direct retaliation, escalation, or loss of life. It may seem like a small semantic distinction, but cyberwarfare is not the same as cyberwar. The first is a tactic; the second is either a consequence of that tactic or an accessory to conventional armed conflicts. (The military calls these kinetic combat.) This past June, when the United States launched a cyberattack on Iran after it shot down an American drone patrolling the Strait of Hormuz, the goal was to forestall or prevent an all-out kinetic war. Responding to a physical attack with a cyberattack was a risk because, as Amy Zegart of Stanford’s Hoover Institution told me shortly afterward, we don’t yet understand escalation in cyberspace.

Absent rules of engagement, nation-states have a tremendous amount of leeway in how they use cyberweapons. In the case of Russia, cyberwarfare has enabled an economically weak country to pursue its ambitious geopolitical agenda with impunity. It has used cyberattacks on industrial control systems to cripple independent states that had been part of the Soviet Union in an effort to get them back into the fold, while sending a message to established Western democracies to stay out of its way.

As Russia has attacked, Greenberg has not been far behind, reporting on these incursions in Wired while searching for their perpetrators. Like the best true-crime writing, his narrative is both perversely entertaining and terrifying.

by Sue Halpern, NYRB
Image: Vladimir Putin; drawing by Tom Bachtell