In the October issue of DTI, I wrote a story about the near-term realities of—and emerging long-term trends in—cyber warfare, using this summer’s Russian attacks on Georgian networks as a jumping off point.
And the outlook is grim. What makes it so is that there’s often a thin line, if there is any line at all, between attacking military targets and corporate and/or public targets, and as of right now, the United States has no national plan to combat such attacks.
Part of the problem says Bill Woodcock, research director of Packet Clearing House, a non-profit research institute, is that the United States has been lagging behind competitors in Internet bandwidth growth in recent years is dangerous, and since 2005
We’ve had 47 percent annual growth and the Chinese have had 117 percent. Indians the same thing. In an environment in which the background doubles in size every year, failing to double in size for a year means a substantial setback. We’ve failed to double for eight years. Under this administration there’s been no attention or funding to cyber defense or cyber offense. It’s been ignored. So we’ve had eight years of falling behind on an exponential growth curve where the Chinese and Indians have been investing aggressively, so they’ve been more than doubling each year. So when you have cumulative exponential differences in exponential growth that accumulate over eight years, its very difficult to get back.
To simplify matters, Woodcock explains that:
If our infrastructure was bigger than someone else’s infrastructure, they would have to max out their infrastructure in order to attack us, and we would still have excess capacity. If their infrastructure is larger than ours, they can attack us using a portion of their own infrastructure without impacting their own needs, and take us completely off line, so it’s very much just a balance of numbers. And we’re getting smaller and smaller and smaller relative to everyone else.
If energy, as has so often been said this election season, is a national security issue, then both the power grid and nuclear energy plants, which have notoriously bad security infrastructures, are national security risks that are increasingly vulnerable to attack by sophisticated foreign or domestic entities. Woodcock says that
The biggest threat in the U.S. right now [are] control systems for things like dams, power plants, and nuclear power plants which are being put on the Internet so they can be controlled from a central location, so that introduces vulnerability…Most of the utilities in the country are on the Internet. Of course they have firewalls, but people can discover their vulnerabilities.
While practically anyone can go online and acquire manuals for the control boards, Woodcock says that “you could spend a year studying it all and then you could try to black out the Northeast, but that’s a lot of effort. The complexity of it all limits the threat to some degree, unless you’re a nation state.”