Cyberspace offers new frontier to exploit weaknesses, initiate attacks
PITTSBURGH — Thirty years after a young hacker played by Matthew Broderick nearly triggered a nuclear war in the movie “WarGames ,” fears of malicious computer attackers causing real-world destruction are an everyday reality.
Online attacks, such as those recently aimed at U.S. banks and the Federal Reserve, represent a new front in wars fought with computer keystrokes rather than weapons. Costly to the banks, the attacks merely annoyed customers who could not access their accounts online.
Future strikes, top military experts warn, could be destructive — even deadly — targeting nuclear power plants, public water systems, railways, air traffic control and hospitals.
“People have realized that cyberspace — just like land, air and sea — is another domain that they need to defend, control and protect,” said David Brumley, a computer security researcher at Carnegie Mellon University. “Cyber attacks are part of a covert war right now.”
Discovered in 2010, the computer worm Stuxnet went where only science-fiction movies had gone before — leaping out of digital code to destroy Iran's uranium-enrichment centrifuges by making them spin out of control.
Like the A-bomb dropped on Hiroshima, the exploit set off an arms race with unseen consequences: If Iran initiated the bank attacks — as Jim Rohr, CEO of PNC Bank, speculated — the disruptions could signal a desire to wreak havoc and perhaps to seek retribution.
No one has taken responsibility for Stuxnet, but the consensus among computer security experts points to the United States and Israel, said Liam O Murchu, a manager of security response operations at Symantec, a computer software security company in Mountain View, Calif.
Even if the United States started this fight, however, Defense officials warn that the nation has much to lose. With ubiquitous computers, tablets and smartphones and a looser attitude about online information than countries like China that have strict censorship, America looms as a major target.
“An attacker who mounted a concerted campaign against pretty much any physical facility in the United States or elsewhere could probably do pretty substantial damage,” said Ari Juels, director of RSA Laboratories, which conducts data security research for the government and others.
For now, a large-scale infrastructure attack might be theoretically possible but practically difficult for perpetrators who want to make it happen, said Marty Lindner, principal engineer at CERT, a CMU program that works with the military. An adversary must conduct extensive spying, identify vulnerabilities and figure out a way to exploit them.
“There is the potential — just like the lights going out in New York — that all of the ducks could line up in a row and an adversary could cause really bad things to happen,” Lindner said. “What I struggle with is the reality of that.”
Countries with the capability, such as China, have little motive for destroying the American economy. Enemy nations, terrorists and others who might want to mount such an attack cannot pull it off, said Dmitri Alperovitch, co-founding chief technology officer of CrowdStrike, a security technology company in Irvine, Calif.
Over time, ramping up to a destructive attack gets easier, said former CIA Director Michael Hayden. Hackers, terrorists and rogue nations soon will have the computer attack abilities of the most sophisticated nation-states.
“We're a very connected nation,” Hayden said. “That's why many people in American industry are so concerned.”