As cyber attacks have become a daily fixture of world headlines, much of the conversation has centered on commercial data breaches and targeted hacking of governmental, military, and national infrastructure targets. Yet, the future cyber battleground is likely to center on the civilian world of the Internet of Things, turning everything from consumer drones to traffic signals into weapons that will utterly paralyze a nation and render it incapable of military response. In turn, the perpetrator, which could be a terror group or even a loose collective of hacktivists, could create sufficient plausible deniability to make it impossible to adequately respond. This is the future of cyber warfare.
Modern cyber attacks are focused not only on stealing information, but on destroying critical infrastructure. While the Stuxnet attack on Iranian centrifuges is perhaps the best known example, earlier this year a German steel mill was “massively” damaged through an attack on its industrial systems. Last year’s Sony breach took out the company’s computer networks for months, while in the last three years Iranian hackers have destroyed 75% of the computers belonging to Saudi Arabia’s national oil company, heavily damaged a US casino’s networks and disrupted the US banking sector in a sustained denial of service attack that cost millions of dollars to defend against.
Offensive cyber weapons under development are believed to include tools to shut down power grids and airline networks, interrupt phone and internet connectivity, disrupt and delete financial sector records, and physically jam or sever critical military communications systems. The United States itself recently announced a new half-billion dollar program to develop “lethal” cyber weapons designed to "trigger a nuclear plant meltdown; open a dam above a populated area, causing destruction; or disable air traffic control services, resulting in airplane crashes." Most troubling, such weapons have leveled the playing field, with an individual terrorist or hacker able to wield the same offensive capability as an entire nation.
A common denominator in these attacks is the increasing targeting of the private sector, which has far fewer resources to defend against or halt an attack. In fact, security has received little attention in the commercial products that power much of our daily lives. The industrial control systems that run many of the world’s factories can be accessed with a hardcoded password, while a hidden backdoor allows access to the controllers powering everything from the electrical grid to railroad and traffic control systems. Administrative consoles for water and sewage treatment plants, shutdown controls for power plants, traffic light overrides, and even the master power switch for a hospital can all be accessed online.
In 2013 researchers found more than 25,000 Internet-connected deployments of an automation platform “used widely by the military, hospitals and others to control electronic door locks, lighting systems, elevators, electricity and boiler systems, video surveillance cameras, alarms and other critical building facilities” that could be vulnerable to attack. Due to their increasing ubiquity, drones are fast becoming a target, with US military drones being successfully downed by Iran, and a new breed of civilian drones that can autonomously locate and take control of other nearby drones.
Perhaps most worryingly, the proliferation of “smart” devices for the home is creating an unprecedented landscape of targets. Home automation systems have been found highly vulnerable, allowing a hacker anywhere in the world to turn off alarms or lights, adjust the temperature, and even unlock and open doors. New televisions frequently include cameras and microphones that can be remotely hacked and used to spy on ordinary citizens at a global scale, peering into living rooms and bedrooms or displaying false information on the screen.
Even when not hacked, some brands of televisions may stream private conversations back to the manufacturer and its partners to assist with features like voice activated commands. Thousands of home security and baby monitor cameras, often picking up highly intimate scenes, can be readily accessed, while specialized search engines like Shodan make searching for vulnerable devices as easy as a keyword search. Even mobile phones can be turned into mobile listening stations piercing into corporate boardrooms and homes alike.
Thankfully to date most of these vulnerabilities have been exploited in isolation, but the 2007 cyber attack against Estonia offers a stark reminder of the considerable disruption such attacks can wield when used as part of a coordinated multifaceted attack. The Estonian attacks were largely denial of service attacks, disrupting critical information services from the banking sector to parliament, but having less of an impact on physical infrastructure, due perhaps to fewer internet-connected civilian devices a decade ago. What might a coordinated national-scale cyber attack look like in today’s era of the Internet of Things?
I have spent the last several months exploring this question, researching the current threat landscape and conversing with a wide array of civilian and government experts on the trends they are observing both in the overall cyber environment and especially with regards to the emerging world of the Internet of Things. From those conversations comes the following outline of what a modern cyber attack in the Internet of Things era might look like, drawing together all of the current known vulnerabilities and cyber attack strategies and weaving those together into a concerted attack that an enemy nation or even hacker collective might execute.
Such an attack might begin at a very small scale, designed as covert action to tip a country into regime change or influence an election. Traffic signals would be subtly manipulated to increase gridlock, the power grid would be tipped into sporadic brownouts, phone and internet connectivity would become spotty, water treatment plants would malfunction requiring boil orders, and key government systems would encounter intermittent failures. Taken together, the citizenry would perceive a government falling apart, unable to reliably provide basic services or govern, while leaving no traces suggestive of a foreign attack. This could be coupled with selective leaks of hacked personal information offering evidence of corruption or embarrassing personal details of senior politicians. If enacted in the leadup to an election, a sustained attack could shift the balance of power against the incumbent leadership, or even force a snap election.
If the goal of the attack was to covertly topple a regime, then hostilities might end here, with the victim nation entirely unaware that it had ever been attacked and with a new government in power. If, however, the goal was to destroy the other nation in a first strike attack, a full-scale cyber onslaught could utterly cripple a nation.
The first phase of the attack would begin with a targeted program of hacking, tapping into webcams, cellphones, smart televisions, security cameras, and any other microphones or cameras in homes of politicians and leaders across the targeted country, recording them in their private moments. Mass hacking of employee records, medical and travel details, dating, infidelity, drug, alcoholism, pornography, and gambling websites would be used to assemble dossiers on all senior government and military leadership.
A copy of the dossier would be provided to each target, with blackmail payment demanded to keep it from public disclosure. This would unnerve national leadership, causing a psychological shift towards fright and loss of power that would destabilize the senior decision making process. Within short order all of the blackmail material would be publicly released regardless of payment, leading to national-scale upheaval as the entire political class scrambles to contain the damage, with many likely resigning, while military leaders are reassigned. Such an attack might be expanded to local mayors or even low-level local employees like DMV workers and police and judicial workers, or the corporate sector. False information could be readily mixed with the real, adding to the damage.
With the nation’s civilian, military, and commercial leadership completely preoccupied, the attack phase would begin. The first wave would involve a massive spamming campaign, using all of those hacked home devices to send trillions of emails paralyzing inboxes, email servers, and internet backbones. Every alarm system in offices and homes across the country would be activated or 911 calls placed from that location, causing a massive deployment of emergency services scattered across each city. All Internet-connected door locks would be unlocked and lights turned off, including at banks, prisons, power plants, and sensitive government facilities. Heating systems would be turned to maximum, including in computer machine rooms, while “smart” ovens and stoves would be turned on and refrigerators turned off. Every “smart” radio and television would be turned on with volume set to maximum and tuned to a shrill tone to maximize disorientation.
The mobile and landline telephone networks and internet access would then terminate nationwide, cutting off communications, either by disabling the network operators themselves, or by turning the nation’s mobile phones and computers into massive jamming and denial of service attack nodes. Credit card processing would be disabled and financial networks shut down and any accessible records deleted.
With emergency services scattered across each city, the traffic signal network would then begin to adjust traffic flows to cause massive accidents across the city, blocking critical intersections. All internet-connected vehicles would be shut down on the roadway, causing further accidents and completely paralyzing the road networks. With total gridlock and emergency vehicles dispersed, military and emergency services would be utterly unable to respond. Military radar systems would suddenly show a massive fleet of incoming targets from all directions heading towards the nation before suddenly going dead, prompting panic and diverting all remaining military resources towards responding to a non-existent threat.
Water, sewage, and power plants would all shut down or explode, dams would open and flood downstream communities, and gas pipelines, manufacturing facilities, and chemical refineries would be destroyed. Finally, in a scene from Hitchhock’s The Birds, the nation’s consumer drones would awaken and begin flying randomly around living rooms, while those outdoors would use their GPS to terrorize public spaces.
At this point, the targeted nation is at a standstill, wracked by complete and utter chaos, with nearly immeasurable economic damage focused on its citizens and a long road to recovery. Depending on the level of damage, the nation might be removed from the global economic system for an extended period of time, especially if cyber attacks were coupled with physical communications infrastructure damage.
Most frighteningly, almost everything outlined here could be executed this afternoon by a non-state actor such as a terror organization or vigilante hacker collective. Key elements of the attack could likely be enacted with minimal detectability and with the potential for full deniability of state involvement if launched by an enemy country.
Yet, this dystopian vision doesn’t have to become a reality. The reason these vulnerabilities exist is that cyber security has not historically been a priority in the private sector. While some companies like Google, Yahoo, Facebook, and Twitter pay cash rewards when hackers notify them of vulnerabilities, others like Oracle have threatened customers who let them know about potential security risks. Hidden backdoors and hardcoded passwords have long been fixtures of industrial systems that were built for the pre-internet era and designed to make it easy for maintenance personnel to access them, rather than making it hard for criminals to damage them. The Internet of Things in particular has created a vast landscape of new vulnerable devices in the civilian sector, where low price and ease of use has trumped advanced security measures.
There are also few incentives for companies to focus on security given that the legal liability landscape remains unsettled (though cyber insurance represents a growing market) and successful attacks are still relatively rare. Eliminating cyber security vulnerabilities is a highly technical and specialized field and there are not enough skilled experts in the workforce as of yet. However, if more companies were to follow the model that Google and others have embraced in focusing heavily on security and creating incentives for hackers to reveal the vulnerabilities they find, then the vulnerabilities outlined here could be fixed and a doomsday cyber attack made that much harder.
As the Internet of Things has raced ahead of the current state of the art in cybersecurity’s ability to defend the billions of internet-connected devices flooding homes and offices around the world, it has brought with it a “cyber first strike” capability. Unlike the conventional and nuclear military eras, in which only large nation states could field such advanced weaponry, in the cyber era a sophisticated terror group or hacker collective can economically devastate even the world’s most advanced nations and in a way that renders traditional military response moot. To stop this from becoming reality, cybersecurity of the civilian sector is today must be recognized as indistinguishable from national security itself, requiring far greater investment from the private sector in the security of the devices we use, and ensuring that such a dystopian world never comes to fruition.
