Bad new world: Cyber risk and the future of our nation

As cyberwar's effects reach into the physical world, the ante goes up for policymakers

By Michael Assante

September 22, 2011 — CSO —

In September 2007, in a remote laboratory in Idaho, researchers began to show that that picture had begun to change, dramatically and irreversibly. Dubbed "Aurora," the researchers' project demonstrated the ability of a cyber hacker to destroy physical equipment—in this case a generator used to create electricity for the power grid. The Aurora research brought the question of physical safety and the ability for a nation to defend itself from attack in the cyber world to the forefront. For the next three years, this difficult discussion would largely remain just a discussion, contemplated, if passionately, in corners of Washington and at wonk-ish meetings across the U.S.

The first dramatic images of a generator shaking and belching smoke were vivid enough to force the informed to begin to consider the implications of such an attack occurring in the real world. We began to envision scenarios of a broad-scale attack on U.S. infrastructure, with the potential to cause blackouts that could last for months, contaminate our water supply, and cause industrial disasters. Forget Facebook—we began to worry about our ability to keep the lights on.

In 2010, along came the Stuxnet Worm, which took the hypothetical scenario extrapolated from the Aurora research and proved not only that it had been done, but also that it was released and traveling through cyberspace undetected. The worm carried with it all of the potential outcomes of Aurora to be triggered by a packaged-up set of autonomous code. Now the risk was real and it became very vivid. [Editor's note: Read the full text of Assante's Congressional testimony on Stuxnet (PDF, registration required).]

For the first time in a public forum we could read about a real-world scenario with physical consequences playing out as a result of an attack from a remote computer. In our minds' eyes, the images of toxic vapor rising from a chemical processing plant or a series of explosions at power plants across the country began to crystallize.

[Also see 4 things the Roman aqueducts can teach us about securing the power grid by Assante and Mark Weatherford]

This new "face" of the cyber threat tears away at our notion of cyber security being confined to the "cyber" world. It elevates certain types of computer attacks to a higher-level of decision-making in a nation state and turns what was traditionally a law enforcement matter into one for the military and intelligence community. Before Aurora and Stuxnet, a leader could afford to ignore or to tolerate the majority of cyber attacks and choose to quietly conduct investigations and deal with longer-term efforts to raise awareness and develop more responsible and capable participants in the computer ecosystem. When we considered the cyber security threat, most of us could easily dismiss the headlines as routine. Viruses, identity theft, WikiLeaks, even large-scale financial scams are part of our every-day vernacular, understood as an unavoidable consequence of our life on the web. We all recognize these risks exist, the costs can be quite large, but, after all, we like our e-mail, we like Facebook, we like the convenience of immediate access to virtually everything. We still get in the car each morning to go to work.

• Print