Without warning, a power station shuts down. Moments later, others. Cities are blacked out, but in the grid control room the screens show nothing wrong. Simultaneously, air traffic control fails, as do traffic lights. The stock market collapses under a barrage of fake transactions, erasing billions of dollars in minutes. Security of the domain name system collapses too, and news sites are hijacked to spread false information. Enemy hackers have taken control. It's the Digital Apocalypse.
Could it actually happen?
The US Department of Defense takes the threat seriously and now considers the cyber realm to be the fifth battle-space, along with land, sea, air and space.
Speaking at the RSA Conference in San Francisco yesterday, US Deputy Secretary of Defense William Lynn said that the attacks his team has seen so far have only caused disruption — relatively unsophisticated, short in duration and narrow in scope. But the most dangerous networked threats could cause actual physical damage — as Stuxnet did to Iran's nuclear program.
"It is possible to imagine attacks on military networks or critical infrastructure like our transportation system and energy sector that could cause severe economic damage, physical destruction or even loss of life," he said. "A couple dozen programmers wearing flip-flops and drinking Red Bull can do a lot of damage."
But elsewhere in the conference, a panel of information security specialists hosed down some of the more elaborate scenarios.
"Electric companies are in the business of safety and reliability, so from a contingency plan perspective they've pretty much got it down cold," said Mike Echols, critical infrastructure protection program manager for the Salt River Project, one of Arizona's largest power and water utilities, adding that disrupting multiple power stations "would take a pretty sophisticated hacker".
The energy sector is more prepared than many people imagine, Echols said. A sector-wide computer emergency response team (CERT) is being formed with assistance from the Department of Energy. The industry already liaises with the military.
The telecommunications system is similarly robust, according to Bob Dix, who works on critical infrastructure protection for Juniper Networks.
"Last year the IT sector and the telecommunications sector conducted a pretty extensive risk assessment against a set of functions that we deliver," Dix said. "We are, by and large, resilient in these systems."
There's similar confidence in the finance sector.
"A lot of it comes down to resiliency," said Justin Peavey, chief information security officer for financial services solutions provider Omgeo. That resiliency comes from conscious design and testing, and sometimes just through the diversity of systems developed over years: mainframes running COBOL alongside modern servers.
There's also no single place to attack. "The financial industry has no heart," Peavey said, to audience laughter. "Nothing to drive that stake through," added Echols.
"It's kind of like trying to attack transportation," Peavey said. "Maybe you can cause traffic jams some place. Maybe you could take out a car or two, or bus... What we're talking about here is the differentiation between an attack that might bring down a component, a company, maybe even a major data feed, versus the topic of this session here, which is cyber apocalypse."
According to Peavey, an attacker probably wouldn't even have a suitable test environment consisting of disparate mainframes and market interfaces to develop a complex attack that would work the first time without being detected. And while millions of fraudulent transactions would undermine trust, trust can be restored by rolling back to the last-known good system state.
Yet not all share the optimism. "I have to disagree with my colleagues here a little bit," said Dmitri Alperovitch, vice president of threat research with McAfee. "There is a lot of resiliency in all these industries. Unfortunately, a lot of that resiliency was designed with a mindset of safety as opposed to security."
The lesson from Stuxnet, for example, was that operators looking at control room screens are useless if those screens are being fed false data.
Alperovitch's definition of a digital apocalypse is "anything that dramatically changes our way of life", including events that cause mass casualties.
"The stock market shutting down for a couple hours, not a big deal. If it's down for a month, that has huge implications for the rest of the economy," he said. "When we had the 48-hour blackout, we survived. Not a big deal. Birth rates went up. If that had lasted for weeks and months, our entire world could change."
For Dix, the key concern is control systems. "People used to ask me what kept me up at night. It would be a simultaneous physical attack and an attack on the control system that controlled the ability to get water out of fire hydrants, to control traffic systems. That kind of simultaneous event worries me even today," he said.
"We need to understand the capabilities in this cyber realm can kill people, and folks need to understand that capability is here today."
Stilgherrian is attending the RSA Conference in San Francisco as a guest of Microsoft.