WASHINGTON — Most media reports of cyberattacks and cyberwar are inaccurate and sensationalized, the veteran security researcher known as Space Rogue told the ShmooCon hacker conference here yesterday (Jan. 13).
The threat of computer-based attacks upon the United States' critical national infrastructure is real, he said. But the constant, dire predictions of massive cyberattacks, especially concerning the North American electrical power grid, are exaggerated and misleading. The predictions and warnings are themselves dangerous because they make political leaders too ready to start real wars over what may be imagined attacks.
Instead, Space Rogue said, there is a far more prevalent, more easily apparent threat to power lines and electrical networks around the country: squirrels. Yet we're so worried about "cyber Pearl Harbor" that we're losing our grip on reality.
"The best definition of cyberwar that I've seen is, 'Actions by a nation-state to penetrate computer systems for purposes of causing damage,' said by [former National Security Adviser] Richard Clarke," said Space Rogue, who was part of the 1990s Boston hacker collective the L0pht, testified to Congress about cyberattacks in 1998 and goes by the name Cris Thomas in his day job.
That definition eliminates many of the reports of cyberattacks in the past few years, he said. Space Rogue cited the Iranian "attack" upon a flood-control dam in Rye, New York, in 2014. Someone in Iran did perform a "port scan" of the dam's internet-connected control systems, roughly equivalent to walking around a building looking for possibly open windows and doors. Yet the U.S. indicted an Iranian national for this seemingly sinister, yet ultimately harmless "attack."
Likewise, a purported series of cyberattacks upon power systems in Brazil a decade ago was in fact caused by poorly maintained equipment, Space Rogue said, even though the story was aired on CBS News' "60 Minutes." A 2011 water-pump failure in Illinois was blamed on Russian hackers, but it turned out that the pump simply burned out on its own, and that a contractor for the water utility had happened to remotely log into the system while on a family vacation in Russia.
There have been real cyberattacks, Space Rogue said, most significantly the 2010 U.S.-Israeli Stuxnet attack that badly damaged Iran's nuclear-processing capability. More recently, there have been real as well as imagined attacks upon Ukrainian power systems.
But, he said, that doesn't justify the hysteria. At a security conference last year, famous news anchor Ted Koppel said "a cyberattack on our infrastructure is a greater threat than nuclear war" and that the internet is a "weapon of mass destruction." Two weeks ago, The Washington Post mistakenly reported that Russian hackers had attacked a power company in Vermont. Last week, the U.S. Department of Energy said the U.S. electrical grid "faces imminent danger" from cyberattacks.
"Cyberwar has been prophesized for 35 years," Space Rogue said. "But any hacking nation-state — such as China, Russia or Iran — will want to keep our power ON so that they can know what we're doing online. Minor threat actors such as ISIS, North Korea or hacktivists don't have the money, time or motivation to cause a Black Swan event of the kind we've been warned about."
Meanwhile, Space Rogue said, he and fellow researcher Jericho, aka Brian Martin, determined that animals, especially squirrels, are the cause of dozens of electrical blackouts across the U.S. every year, yet no one reports on the constant peril caused by small furry rodents.
"We've had power outages caused by squirrels in all 50 states," Space Rogue said. "That includes Hawaii, where they don't even have squirrels, but they do have chickens."
"The North American power-grid attack surface is huge," Space Rogue said, referring to the vast number of ways in which the grid could be attacked. "But the number-one threat is still squirrels — and then birds, snakes and raccoons."
The reason we don't worry about squirrels, he pointed out, is that electrical service is usually restored within hours of an animal-triggered power outage. Likewise, he said, even if hackers were to turn off the lights somewhere, they would have a hard time keeping them off — electric utilities have decades of experience in recovering rapidly from blackouts.
"Causing a power outage and keeping the power off are different things," Space Rogue said. "Yes, there is a risk of cyberattacks upon the electrical grid, but the risk is nowhere near the level of hype that the cyberwar hawks have been spouting."