Explainer

How Dangerous Is a Cyberattack?

It could cause a blackout. Or maybe a nuclear war.


The House of Representatives passed the Cyber Intelligence Sharing and Protection Act, or CISPA, on Thursday. Rep. C.A. Dutch Ruppersberger, D-Md., said the bill would help protect the country from a “catastrophic cyberattack.” What’s the worst-case scenario for a cyberattack?

Nuclear winter, but don’t count on that happening. In a 2009 paper for the International Commission on Nuclear Non-proliferation and Disarmament, cybersecurity analyst Jason Fritz described how computer hackers could trigger a nuclear war. Hackers would infiltrate the detection systems of a nuclear state, he wrote, and fool its military into believing a nuclear strike was already underway. Officials would have 15 minutes, at most, to decide whether the alarm was genuine and how to respond. The hackers could create confusion during that brief period by shutting down communications systems with a denial-of-service attack—an event that would mimic the electrical disruptions that might occur if a nuclear weapon were to detonate in the atmosphere above the country. Ultimately, the panicked leaders might order a counterstrike, leading to an all-out nuclear war. Most cybersecurity experts regard this scenario as exceedingly far-fetched, though. There are too many encryption points, and too much human involvement, in nuclear launch systems for this to happen.

A hacker, or team of hackers, would have a better chance of infiltrating the military’s non-nuclear computer systems, but even that isn’t likely to produce any catastrophic results. Chinese hackers reportedly gained access to the nonclassified data on the defense secretary’s computer in 2007, but machines containing classified information are far more difficult to reach. Slightly more worrying was the infiltration of the control systems for the Joint Strike Fighter plane, made public in 2009, although the most highly classified and critical elements of the aircraft’s computer systems were insulated from the attack, according to military sources. Analysts say that any infiltration of the plane’s systems could, at worst, merely degrade its radar or targeting capabilities, reducing the number of enemies it could successfully engage at one time.

The nation’s power grid would be a more viable target. In 2007, programmers hired by the Department of Homeland Security demonstrated how easy it was to overcome the grid’s antiquated software security systems and remotely take control of a generator. Once hackers had a line in, they might cause turbines to spin out of control until the generator had been reduced to a smoking, shaking, and, ultimately, broken-down pile of metal. The simulated attack very closely resembled the one used to damage centrifuges at Iran’s Natanz nuclear complex: The Stuxnet virus commanded those machines to spin beyond their tolerances.

The nightmare scenario of a cyberattack on the grid would be the destruction of so many generators that the entire country would lose power for months. That probably wouldn’t happen, though, because officials would shut the system down as soon as the first couple of generators went haywire. The result would likely be a two- or three-day regional blackout, akin to the 2003 loss of power in the Northeast or the successful 2005 cyberattack on the Brazilian power grid. Whether you consider that catastrophic depends on your interpretation of the word.

Explainer thanks Carl E. Landwehr of the Cyber Security Policy and Research Institute at George Washington University, James Andrew Lewis of the Center for Strategic and International Studies, and Martin Libicki of the RAND Corp. and author of Cyberdeterrence and Cyberwar.