The war in Ukraine has called at least some people’s attention to cybernetic warfare. Russia has in the past launched massive attacks on Internet-connected computers in other countries (Estonia in 2007, Georgia in 2008, Ukraine in 2022). If, as seems increasingly likely, its current conflict ends in embarrassing defeat, a weakened and humiliated Russia may see hacking in the same way that Hitler saw rockets and jet fighters, as a last equalizer against the country’s perceived enemies.
With that thought in mind, consider the speculative scenario that James Meigs lays out in the May issue of Commentary:
The event that would come to be known as “Cyber Harbor,” or “Cyber 11th,” started small. One morning, the “autopilot” mode on some Tesla cars started going haywire. First, dozens, then thousands of cars began veering into oncoming traffic all across the country. Emergency rooms were swamped with crash victims. Then, office workers in dozens of industries watched in shock as their computers began spontaneously deleting files. It took about 24 hours for officials to realize that these scattered problems were connected. The power grid was next: Blackouts began in California and soon rolled across most of the U.S. The Internet started crumbling as well. Routine communications became impossible.
It took only a few days for grocery-store shelves to go bare. Gas stations put out “No Fuel” signs. Even if supplies of food and gas were available, trucks couldn’t deliver them. The country’s banking system had collapsed; with credit cards and ATMs disabled, truckers had no way to buy diesel fuel. The backup generators powering hospitals, police stations, water-treatment plants, and other critical infrastructure eventually drained their fuel tanks and went silent.
In most cities, the looting tapered off after about two weeks. There was nothing left to steal. By then, armed gangs had begun roaming the suburbs, breaking into houses and ordering the terrified homeowners to surrender any hidden caches of food.
The remainder of the article presents evidence that –
a large-scale cyberattack on the United States of the sort I describe here is becoming more thinkable by the day. Ukrainian military victories and Western sanctions have pushed Vladimir Putin into a desperate corner. And while Russia is now making a show of negotiations, there’s no doubt Putin is keeping his options open. Russian leaders have raised the threat of nuclear weapons several times during this conflict. We need to take that threat seriously, especially if Putin concludes that his regime, and therefore his life, is at risk. But a full-blown cyberwar is far more likely than a nuclear exchange. And it could be just as devastating.
Mr. Meigs outlines the factors “greasing the skids toward cyberwar”: “First, our vital infrastructure is more automated than ever before.”
“Second, there are more computers to hack: Not just smartphones and laptops, but the myriad devices that make up the Internet of Things – digital doorbells, smart speakers, thermostats, children’s toys, and more.”
Third, “all these previously disparate technologies” are connected through the Internet. For example –
Modern vehicles contain 50 or more computer systems, and many receive automatic, over-the-air software updates. Once, a criminal who wanted access to your car would have had to jimmy the lock. Today, a few bits of malicious code could give a hacker entrée to all vehicles of a particular make and model. To put it another way, hackers trying to sow chaos on our highways wouldn’t need to target individual cars; they could target entire networks of cars. Now apply that same logic to other networks of crucial technology: gas pumps, ATMs, aircraft cockpits, hospital ICUs, and so on.
A decade ago, Iranian hackers showed how oil production could be drastically curtailed without setting fire to wells, blowing up refineries or hijacking supertankers.
They just exploited a weakness in Microsoft’s Windows operating system to take over the computers of some 40,000 Aramco office employees. Workers in marketing, finance, HR, and other departments watched as the “wiper virus” systematically erased files and then disabled 85 percent of the company’s computers. Aramco’s only solution was to unplug every workstation and completely disconnect from the Internet.
Of course, that made work impossible. In an effort to go green, Aramco had done away with most paper records. So the company didn’t have a database of customers or vendors, or even contact information for its own employees. Even though its refineries and drilling rigs had been left untouched, Aramco struggled to keep product flowing. Gasoline tankers backed up for miles at Aramco refineries as workers tried to invent paper-based systems for billing and record-keeping on the fly. It took months to sort out the mess. There’s a lesson here: It is natural to focus security efforts on high-risk infrastructure such as pipelines or power plants. But even humble back-office functions can prove crucial if they are disabled en masse. Everything is connected.
It would be ideal to have an “Iron Dome” against that kind of attack, but that is a fantasy. The great vulnerability of computer networks is the human beings who use them. The Democratic National Committee in 2016 had a top-of-the-line IT staff, but nothing could prevent John Podesta from falling for a grade-school-level phishing scam.
Mr. Meigs urges greater attention to cybersecurity, but he puts little trust in its efficacy. Just as there is only one sure way not to become pregnant (just one known failure in the past 2,000-plus years), there is only one sure way to prevent a cybernetic catastrophe: Don’t let the Internet be critical to your life.
Private business and public utilities should rethink their fashionable focus on lean, just-in-time supply chains. Efficiency has been the watchword, but as the Covid pandemic revealed, hyper-efficient supply chains are also hyper-vulnerable to disruption. We need more redundancy – more slack in the system. That goes double for the power grid and other physical infrastructure. It’s important to protect these systems from attack. But it is just as important to ensure they can bounce back quickly if they are damaged. Even people in seemingly noncritical fields should remember that nothing digital is secure. Virtual assets need redundancy, too: Any information an organization can’t function without should have a paper backup. [emphasis added]
Homeowners as well need to plan for the worst. We don’t all need to start building fallout shelters, but every home should have enough food, medicine, batteries, and other essentials to survive for three weeks at least. And toilet paper. Never forget the toilet paper.
How many people will follow that advice? How many, in the current state of things, can? Could it be that the country needs a Resiliency Board far more urgently than one for “Disinformation Governance”?