Most computer users have become accustomed to being told that their data is woefully insecure, and that their computers are subject to assault from a variety of malicious sources. Such sources include viruses, Trojan horses, worms, malware, spyware, key loggers, cookies (not the kind in a jar, although these are bad, too), hackers, your bad passwords and your cup of coffee. Reasonably, most people ignore such dire warnings, along with the helpful advice to just create sixteen-character random string passwords and not forget them.
Even the best of us occasionally acquire viruses, but they’re usually not so bad – at least not bad enough to warrant too much action. However, on a larger scale, computer security is rapidly becoming a big deal. There have been several recent high-profile assaults on major corporations, which have yielded massive thefts of both intellectual property and user data.
In late 2009, an organized cyber-attack penetrated the security systems of Google, Adobe, Yahoo, the ballistic-missile-producing company Northrop Grumman and even security software giant Symantec. Google says the attack originated in China, and many have been quick to suggest that the Chinese government must have been involved at some level. Whether or not this is actually true, the event should serve as a wake-up call. If Google, with its armies of well-informed engineers, can be broken into, then it is unlikely that much else is safe.
About a week ago, Defense Secretary Leon Panetta warned of an urgent need to strengthen network security at critical facilities across the country, both in the government and the private sector. Especially at risk is the nation’s infrastructure, like power plants, water treatment centers, oil pipelines and refineries, and even the electronic stock markets. In the past, these operations worked independently, with no computers. Power plants just burned stuff, emitted nasty black smoke and pumped electricity into the power lines – they were “stupid”, with no way of adjusting to real-time conditions.
That is no longer the case. Now, nearly all our infrastructure is connected to the Internet (although the local water pump is not yet on Facebook). This has allowed for increased efficiency and reliability, but has also generated previously unforeseen vulnerabilities. One of the key difficulties is that industries that have traditionally had nothing to do with computers have little institutional knowledge of how to protect against cyber-threats. Large overhauls and redesigns of often antiquated hardware and software would be required to bring security at these facilities into the current century.
Don’t believe that a few computer weirdos could cause this much havoc? Well, they already have. The most prominent and clearly government-organized cyber-attack was the Stuxnet worm, which was discovered by computer security researchers in 2010. This highly sophisticated weapon – and it was a weapon, despite its purely cyber-existence – targeted Iranian nuclear centrifuges, commanding their motor controllers to wildly vary the rotation speed of the machines, quickly causing them to self-destruct.
The most alarming aspect of cyber warfare is that it is a relatively democratic pursuit. You do not need multibillion-dollar weapon systems or a standing army, but merely a group of clever and extremely well-trained computer experts, who exist across the world. Despite the seeming implausibility of a mere computer virus causing real, concrete damage, the threat is quite real, and we would be well-advised to act on it.