The next 9/11-scale attack on North America likely won’t be launched by terrorists wielding box-cutter knives, hijacking airplanes to fly them into buildings. Nothing so dramatic.
It could come quietly, through the fiber-optic network that invisibly knits together the modern world. Imagine a highly-orchestrated series of online attacks on our critical infrastructure — oil and gas pipelines, nuclear power plants, electricity grids, critical communications systems, even our banking system.
Such an attack could shut down key sectors of the North American economy. It could kill many, many people.
Think of the consequences if the network that manages key operating systems in our nuclear power plants were to be attacked by a vicious malware. As generators ground to a halt and the lights went out, critical cooling systems in the reactors would also malfunction. Result: a reactor core meltdown that would make Chernobyl or Three Mile Island look like a picnic.
What would happen if the computer software systems and networks that manage air traffic control across North American airspace came under attack? Thousands of commercial airliners that take to the skies every day would suddenly be flying blind, without any contact with air traffic controllers on the ground. The ensuing havoc and loss of life is almost too horrible to contemplate.
But we need to think about it, because this is not some airy science fiction scenario or the plotline of a new James Bond movie. This is the new world of cyberwarfare — of deadly threats lurking unseen in the electronic global commons that provides the lifeblood of the modern world.
A recent report by Mandiant Corp., the U.S. Internet security firm, warned that the Chinese People’s Liberation Army might have been the source of a series of highly sophisticated attacks on 141 major companies — underscoring the growing dangers of cyberesponiage and data theft. Even the Pentagon has not been immune.
Espionage is one thing. Disruptive attacks directed at disabling key military, economic and industrial systems are quite another.
And it is not just hostile states like China and Russia that we have to worry about. Like the Wild West, the frontiers of the Internet have their own, special brand of brand of ruffian and maverick — the hackers who work out of their basements late at night to disrupt, steal and pillage. Many of them are based in North America.
The U.S. military is clearly worried about a major cyberattack of 9/11 proportions or bigger, one that could come from abroad or from within. Former U.S. defense secretary Leo Panetta sounded the tocsin shortly before he left office in a series of highly publicized speeches.
Our own military is also waking up to the problem — although it’s not yet clear yet how it plans to tackle it, beyond speechifying.
But the problem can’t simply be left to our defense and security establishment to deal with. Most of Canada’s critical infrastructure is in the hands of the private sector, including banks, utilities and the companies that operate our oil and gas pipelines and major road, rail and air links.
Many business leaders don’t really understand the true depth and gravity of the problem. Many see it as so much techno-babble. They tend to view cyberattacks as something for their IT people to deal with, as a problem for their competitors — or as something to keep quiet about if their own companies come under attack. They also don’t want to make the kinds of investments required to “harden” their own IT systems and protect them from a growing array of cyber-threats.
Canada’s Department of Public Safety recently introduced its own Cyber Security Strategy to deal with such threats — but the details on how this new strategy is being implemented remain vague.
The proliferation of different email systems, data centres and network services (3,000 in all) in Canada’s federal agencies creates its own vulnerabilities. The fact that computer networks at Canada’s Department of Finance and Treasury Board were breached suggests we have a long way to go to protect sensitive data storage systems, consolidate internal communications and develop a coherent, whole-of-government approach to the problem.
Private citizens also have to be much better informed about the dangers that lurk on the Internet, since their own home computers can be turned into weapons of war.
The simple act of getting people to change their passwords regularly may be one of the best defenses against hackers and others who seek to do us harm. But how many Canadians actually practice this kind of good housekeeping? Not very many.
Preventing the next 9/11-style attack from hitting us on our Internet blind-side is not going to be easy. It will require the engagement of all levels of government, the business community and ordinary citizens.
It’s also going to have to involve a major cultural and behavioral shift as we come to recognize that the Internet is more than just a benign tool for social media, commerce and communication. In the wrong hands, it’s a weapon of mass destruction.