Worms of Mass Destruction

USB pen drive and virus

The alarms are deafening but who is listening? U.S. Deputy Secretary of Defense William Lynn wrote a remarkable piece in Foreign Affairs warning of the threats and dangers posed by cyberattacks. Shortly thereafter, as if on cue, the Stuxtnet worm struck Iran. Its target was controllers made by Siemens that Iran is using in its nuclear systems causing them to fail and hence potentially crippling the entire program.

And what is happening in the aftermath? Despite the creation of a U.S. Department of Defense cyber command and intense rhetoric, the dangers of WMD — worms of mass destruction — haven’t led yet to a response remotely equivalent to the infamous Y2K crisis in which software and computers unprogrammed to turnover from 1999 to 2000 would crash the system. That crash never happened. That isn’t true for this form of WMD.

YouTube featured a 2 1/2-minute clip showing how Stuxtnet could be used to create real physical damage by forcing an electronic controller to overpressure a balloon, exploding it. Clearly, physical, as well as computer and software, damage can result from a Stuxtnet attack.

In a sense, cyberattacks might be considered the inverse of the neutron bomb. In the Carter years, the United States had designed a weapon that would kill humans by extreme radiation while doing minimal damage to buildings, cities and infrastructure. Critics carped that the neutron bomb would kill babies but not destroy their cribs. It was assumed that cyberattacks would cripple infrastructure doing little physical damage. That is an incorrect proposition.

The consequences of cyberattacks against, say, the electrical grid, Global Positioning System, banking and credit card systems and most chip-based electronics are potentially catastrophic. Imagine doing without electricity or without computers and Internet for an extended period. The actual effects would be punishing. To get a better sense of what killer worms can do, here are two real-life examples.

Suppose, simultaneously, millions of savings and checking accounts were hacked and direct payments and transfers changed or canceled without anyone’s knowledge. Or imagine if credit card billings were stopped or altered and you received a charge or credit for $1 million. Entire economies or certainly large sectors could be taken down and ruined possibly permanently. And fixing the damage to individuals would be expensive, take a great deal of time and in the interim do much damage.

The possibilities are self-evident. One other critical dilemma regarding cyberattacks is that we are still in the philosophical and strategic infancy stages akin to July 1945 after the first nuclear weapons were detonated and long before a theory and practice of deterrence were developed.

One model or analogy for cyber-thinking is money. Money and cyber are both ubiquitous and are the basis for conducting virtually all commerce outside bartering economies. Understanding the use, governance and threats to the monetary and financial systems applies to cyber and both national and international systems for its governance, regulation and protection.

Over time, banking, exchange rates, credit and debt mechanisms and rules of the game evolved. That evolution continues post-meltdown of financial markets. Indeed the financial meltdown and economic crisis are suggestive of what WMD could do to our lives. Along with cyber-thugs and states, let alone hacking for sport, bank robbers, counterfeiters, conmen and even investment bankers have gone after the money supply and financial systems, some legally, others not.

Of course, the 10-year-old computer genius who decides to disrupt or hack into global or national systems is another menace. It would indeed be interesting if the Stuxtnet inventors turned out to be in their early teens or even single digits in age.

Creating the equivalent of a nuclear deterrent structure or financial governance system is sorely needed for cyber. Many of the same challenges apply. For example, when does a cyberattack constitute an act of war? The cyber-sortie into Estonia from sources inside Russia wasn’t seen as an act of war. In financial markets, George Soros, famous for shorting the pound, cost the United Kingdom billions. If a criminal organization had been responsible for such losses using cyber, let alone al-Qaida, would that constitute the equivalent of an armed attack?

A serious and ongoing national and international effort to establish an intellectual framework including rules of the road and conventions for dealing with cyber is needed now, not later. Hitler’s onslaught into Europe in 1939, the attack on Pearl Harbor and of course September 11th caught the West off guard and unprepared. The chances of a major cyberattack by thugs, states or misguided youth are unity. The only question is how much damage will occur.

Action is needed immediately. But urgency seems AWOL. This new WMD threat is here. But will anyone act in time?

Harlan Ullman is Senior Advisor at the Atlantic Council, Chairman of the Killowen Group that advises leaders of government and business, and a frequent advisor to NATO. This article was syndicated by UPI. Photo credit: Reuters Pictures.

Image: virus-pendrive.jpg