Tech-savvy Americans often complain about our intelligence agencies. Privacy is an exotic discussion topic, and it seems somehow liberating to oppose our government behemoths.
In fact, in academic settings it is perfectly acceptable to bemoan the NSA. You can even run your own Tor node and not worry about backlash. (Tor is an anonymization network that can be used to hide activity on the internet, whether it is related to political dissidence — or organized crime.)
Certainly, this opposition has real foundations. On the other hand, what the NSA, CIA, and FBI do is very, very important. American national security depends on cyber expertise. And I would argue that if we don’t have it, we will get burned very badly and very quickly.
Why? Because cybersecurity is no longer a thing of zeros and ones, bytes and email accounts. Hacked databases are not the most dangerous threat. Instead the danger is the imminent threat of cyber attacks — as they say — ”going kinetic.” That’s military jargon which means “having physical effect.”
These are attacks on what researchers call “cyber-physical systems:” power plants, the traffic grid, irrigation systems, etc. It is not hard to imagine really bad cyber-physical systems attacks, and some have already happened. In particular, here are five relatively little-known cyber-physical systems attacks.
1. Russia-Estonia: 2007
Russia’s cyberattacks against Estonia had a romantic beginning for something so technical. In April 2007 the Estonian government relocated a bronze statue of fallen Soviet World War II soldiers. Russia saw this as an insult, and responded in a flurry of devastating cyberattacks.
Estonia’s defense minister told Wired Magazine: “The attacks were aimed at the essential electronic infrastructure… All major commercial banks, telcos, media outlets, and name servers — the phone books of the Internet felt the impact, and this affected the majority of the Estonian population. This was the first time that a botnet threatened the national security of an entire nation.”
It is true that the Estonia hacks weren’t really on physical systems, but their impact was surely felt in tangible ways for “the majority of the Estonian population.” Could you do your work without banks, telcos, and the Internet? Countries need technical experts to protect this critical infrastructure.
2. Russia-Georgia: 2008
The Russo-Georgian War featured a traditional invasion with hundreds of deaths and maybe hundreds of thousands of refugees. But it also featured heavy cyber bombardment. And one of the most interesting cyberattacks fell upon a real cyber-physical system.
The target was a pipeline in Turkey which also runs through Georgia, circumventing Russia. The pipeline exploded spectacularly several days before the beginning of the Russo-Georgian War.
It’s still not clear what happened. One possibility is that it was caused by a bomb. But also sensors designed to keep the pipeline safe might have been deactivated by malware. A Bloomberg article says that investigators found hackers had tapped into a security camera, navigated through a network into a Windows computer running control software for the pipeline, and then damaged the sensors. Then they were able to increase pressure in the pipeline without alerting anyone. If attackers physically came to the site and triggered the explosion, they went almost completely undetected because the hackers had disabled video monitoring systems.
The pipeline explosion shows that cyber attacks can have real physical consequences. It blurs the line between traditional warfare and cyber warfare, and makes it obvious that any national defense organization needs cyber experts.
3. US-Iran: 2009-2010
Of course the US is also engaged in offensive cyber warfare. Perhaps the most famous cyber-physical systems attack ever appears to have come from a US-Israeli partnership, and it was called “Stuxnet.”
Stuxnet was designed to disrupt the Iranian nuclear program. It targeted five plants in Iran, especially concentrating on uranium refinement. The virus was initially uploaded to computers using simple removable storage drives. Then it spread throughout the network of computers to search for the correct systems. It did as little harm as possible until it reached the process control network and the centrifuge control systems.
Then Stuxnet altered control commands in programmable logic controllers in order to damage the centrifuges slowly and almost unnoticeably. Stuxnet also generated fake feedback signals from the centrifuges in order to make it seem as though everything was running according to plan.
Iran acknowledged the attack, and some researchers suggest that it set back the country’s nuclear program by multiple years.
4. China-US: Ongoing
This one makes Star Wars seem almost tame. According to research by Digijacks CEO Alan Silberberg, the next big target of cyberattacks may be satellites.
In 2013-2014 satellites used in the US for weather forecasting, as well as satellites operated by the National Oceanographic and Atmospheric Administration were hacked, apparently by the Chinese. Then in 2016 the Australian Bureau of Meteorology was breached. The damage so far seems limited — maybe just a capability test. But Silberberg says that satellites ranging from commercial to military uses were built with hardly any view to security, and could be damaged more significantly or used for espionage.
5. Iran-US: 2013
For New Yorkers, this one is close to home. For roughly three weeks, an Iranian hacker named Hamid Faroozi allegedly had control of systems at a water dam in Rye, less than twenty miles north of Manhattan.
The US Justice Department said that Faroozi had penetrated the system thoroughly enough to gain access to the sluice gate, which controls the flow of water. Fortunately the gate was under repair at the time, so that Faroozi could not actually change its operation. Whether Faroozi meant to actually cause damage or merely to test the idea of hacking a water dam, the hack reminded authorities of the potential for cyber-physical systems attacks. Researchers say that many power plants have outdated systems which have similar vulnerabilities.
Defense is a real responsibility
So cyberattacks have the potential to cause real, physical damage. And this damage affects real physical people. At the national level, the US and other countries have mandates to protect their citizens.
The mission that the NSA, the FBI, the CIA carry out is critical. It would be only too comfortable to sit back and ridicule the intelligence agencies without considering their real responsibilities.
Does this mean that there should be no limits on what we do to protect American assets? That there is no need for accountability, and that intelligence agencies are justified in deceiving the public? We haven’t even discussed the question of whether these agencies should develop offensive capabilities, which of course they do. Does this mean that anything goes?
On the contrary, it is becoming critical to think about the definition of a cyberwar, the ethics of cyberattacks, and the boundary between national and commercial interests and actors. Some definitions are probably out there. But I doubt they are deeply considered. Cyber ethics requires professionals who can navigate legal, ethical, and political questions. This will certainly be a challenge that accompanies the technical ones.
The takeaway from these attacks is not a utilitarian justification designed to allow national security agencies to deceive citizens or operate without bounds. But it is a claim that there is a definite responsibility for a nation to protect its infrastructure and ultimately its people. Otherwise, we will get burned.
At the national level, the US has a mandate to protect its citizens. At the individual level, it is easy to discern a call for ethical and competent cyber experts.
Jeffrey Pawlick is a PhD Candidate in Electrical Engineering at the Tandon School of Engineering, New York University.
