Are we ready for “The Big One?”
Digital vulnerabilities and the threat of cyber warfare came into clearer focus for Americans in 2016, when our politics got an injection of terms like Wikileaks, stolen emails, and Russian hackers.
We had an even earlier warning, in 2014, when a major hack against Sony Pictures exposed personal, corporate, and financial information. The U.S. intelligence community determined that North Korea was behind the attack, an apparent retaliation for the film The Interview, which lampooned North Korean leader Kim Jong-un and dreamt up a fanciful assassination plot against him. The hack worked – when the group behind it threatened terrorist attacks against moviegoers, many theater chains cancelled screenings.
This raises the question – if North Korea can bring a major American corporation to its knees using only cyber savvy, what other threats may lie ahead for American citizens, companies, and our government? Here are six cybersecurity nightmare scenarios we should all know about:
1. Self-driving cars
While self-driving cars passing each other on the streets of America still feels like a fantasy, they will very likely become a reality within the next several decades. And once we give up control of the wheel, vulnerabilities in software could be exploited with serious consequences.
Two years ago, a team of experts easily penetrated the controller area network (CAN) of a semi-autonomous Jeep Cherokee and killed its transmission. While it’s reasonable to assume that engineers have since made considerable progress securing these systems, it’s unsettling to think about someone hacking into a car and hitting the accelerator, slamming on the brakes or yanking the steering wheel off line. Depending on the circumstances, it could result in countless deaths.
2. Stock market
Wall Street drives the world economy and holds the fate of millions of Americans’ life savings. That means one properly targeted cyber attack could change the course of world history in a day.
Shutting down a huge payroll processor would leave tens of millions of households, many of which also are investors, without sufficient funds to pay for unsettled trades. ADP would be a prime target since it generates salary checks and direct deposits for about 16% of U.S. workers.
Hackers could try to inject false price quotes into data feeds. Publishing “fake news” through social media may set off a panic, especially if it purports to come from a reliable news organization. Indeed, in 2013 hackers got into the Associated Press Twitter account, and sent out a false report about explosions in the White House that injured President Obama, sending stocks tumbling.
Water, electricity, oil, natural gas. In the 21st century, these pillars of civilization are maintained and controlled electronically. What could an attack on this infrastructure look like?
Picture this: A few pump station operators along New York City’s water tunnels fire up their computers to check the status of various water pressure readings.
But their networks have been hacked, and the readings they see on their computers are not the real readings. The adjustments they make cause the water pressure to skyrocket, blowing several mains, and cutting water to various parts of the city, if not the entire city. Sure, these systems have redundancies, but those redundancies are vulnerable too.
Attacks require “significantly fewer resources and skill” than previously thought. Simultaneously, in other parts of the Northeast U.S., hacked high voltage transformers spin out of control and explode. The blackout could cut as wide as the Tri-State area, and last for months, compounding any attempts to fix the water lines.
Medical health records and private information are vulnerable – but so are the patients themselves receiving care in hospitals every day.
Along with detailed personal information like Social Security numbers, health-care hacks can include sensitive information about a patient’s medical history and treatment. In other cases, breaches can cripple a hospital or health system, preventing sick people from getting the care they need.
Since its adoption in the 20th century, nuclear energy has remained one of the most powerful and awe-inspiring resources in human history. In the 21st century, the risks associated with it have grown.
The nuclear plant employees stood in rain boots in a pool of water, sizing up the damage. Mopping up the floor would be straightforward, but cleaning up the digital mess would be far from it.
A hacker in an adjacent room had hijacked a simulated power plant, using the industrial controls against themselves to flood the cooling system.
It took officials from three different Swedish nuclear plants, who were brought in to defend against an array of cyberattacks, a couple of hours to disconnect the industrial computer (known as a programmable logic controller) running the system and coordinate its repair.
Though the exercise was conducted in a simulated coal plant, not a nuclear one, the tactile nature of the demonstration — the act of donning rubber boots to fix the flooding — drove home the potential physical consequence of a cyberattack on critical infrastructure.
In a democracy, the legitimacy of a vote is a bedrock necessity. Even a doubt about reliable tallying could lead to widespread social unrest overnight.
Sixteen months ago, Marilyn Marks was just another political junkie watching a high-profile congressional election on her laptop when she saw something she found abnormal and alarming.
The date was 18 April 2017, and the election was in Georgia’s sixth congressional district, where the Democrats were hoping to pull off an upset victory against a crowded Republican field in the wake of Tom Price’s (short-lived) elevation to the Trump cabinet as health and human services secretary.
By mid-evening, Jon Ossoff, the leading Democrat, had 50.3% of the vote, enough to win outright without the need for a run-off against his closest Republican challenger. Then Marks noticed that the number of precincts reporting in Fulton County, encompassing the heart of Atlanta, was going down instead of up. Soon after, the computers crashed.
Election officials later blamed a “rare error” with a memory card that didn’t properly upload its vote tallies. When the count resumed more than an hour later, Ossoff was suddenly down to 48.6% and ended up at 48.1%. (He lost in the run-off to Republican Karen Handel.)
Marks was not rooting for Ossoff – she is a registered Republican and lives in North Carolina, two states to the north – but she cared deeply about the integrity of the vote and she knew that Georgia’s 15-year-old all-electronic voting system was almost impossible to audit because it produced no independently verifiable paper trail to check against the computer-generated tallies.
Was Ossoff robbed, or did the system right whatever went wrong? The point, Marks felt, was that it was impossible to be sure.
Cybersecurity experts have warned for years that malfeasance, technical breakdown or administrative incompetence could easily wreak havoc with electronic systems and could go largely or wholly undetected. This is a concern made much more urgent by Russia’s cyber-attacks on political party servers and state voter registration databases in 2016 and by the risk of a repeat – or worse – in this November’s midterms.
Today, most aspects of our daily lives rely on digital technology and communications. From driving a car to paying for groceries to going for a check-up at the doctor, cyber threats are all around us, even if we don’t think about them often. What’s more, nuclear security and our very democracy are vulnerable to attack from nation-states and rogue actors alike. As American citizens, we are well-served to be aware of these threats – and to make sure our elected officials are taking them as seriously as they should.