Internet Takedown

The Web has increased efficiency and convenience, but its openness leaves us vulnerable.

As the nation relies more on the Internet to conduct vital business and government functions, it increasingly puts them at risk by banking on a system that grows more vulnerable to disruption.

Though right now the notion of a digital Pearl Harbor -- a malicious attack that cripples the Internet -- is merely a theory, an event such as the northeastern blackout in August 2003 demonstrates that the possibility is real. The blackout, which cut off electricity to 50 million people in the Northeastern United States and Canada, resulted from one company's reliance on a computer that failed.

Similar incidents can be expected in the future. Experts warn that chances for disruption are increasing because of the Internet's growth and our reliance upon it for critical tasks, such as power grids, air traffic control and 911 services, to name a few. Add the Internet's openness and the prevalence of defect-laden software, and disruptions become all but inevitable in the face of so many threats.

"The problem with the Internet is we developed it so fast and furiously, and didn't take a step back and build it foundationally with security in mind," said Phyllis Schneck, chairwoman of the national board of directors for the FBI's InfraGard. "We're in the process of correcting that now, but everything done thus far has been a Band Aid."

In the short term, there is no real solution except to reduce the number and severity of interruptions. "I'm of the school that says something is going to happen," said John McCarthy, executive director of the Critical Infrastructure Protection Project at the George Mason School of Law. "You're not going to stop everything."

Threats range from electrical sabotage by terrorists, to accidental cutting of cables by construction crews, to perhaps the most likely culprit, a virus. Nearly 80 percent of e-mails businesses receive are spam, according to Schneck. "Every piece of electronic content I intended to send and you didn't intend to receive is a potential attack."

Walter Tong, senior information security adviser for the Georgia Technology Authority (GTA), sees hackers as the biggest near-term threat. "That's what's on my mind. It can get scary."

What's scary is the potential for a hacker to exploit the Internet's vulnerabilities and cause a major disruption. Those vulnerabilities might not be yours; they could be your neighbor's, but everyone is at risk.

"We're all virtual now, so it doesn't matter," Tong said. "I could have a super-duper security policy and my technologies lined up to it supertight so nobody can get in, but if I have connectivity to somebody who's not [protected], that's my vulnerability."

It's easy for hackers to find holes in software because it's so defective, said Watts Humphrey, a fellow at the Carnegie Mellon University Software Engineering Institute.

"We've got basically terrible practices today being practiced by software developers, even software researchers," he said, adding that even good quality software has plenty of defects and can create havoc like in the Northeast blackout.

In that instance, Ohio-based FirstEnergy Corp. neglected to trim trees that encroached over power lines, which started the chain of events that led to the blackout. A software bug, however, was responsible for the alarm system's failure to alert FirstEnergy to the problem until it was too late.

The chaos that followed included darkness for 50 million people in seven states and parts of Canada. At least 10 major airports and nine nuclear plants were shut down; thousands of people were stranded on subways; hospitals, prisons and emergency service providers had to switch to generators; ATMs stopped working; and the Mets game was canceled.

Some have warned that the Northeast blackout could serve as a blueprint for a hacker wanting to disable an infrastructure.


Internet Nodes Vulnerable
Systems fail because of defective software and careless policies, but the extent of damage an intruder or an accidental disruption could cause is being debated. Studies done at Ohio State University suggest that housing key Internet routing information in a few locations (nodes) is cause for alarm.

"There's the potential to target Internet hotels, as they're called, where there's a concentration of equipment," said Morton O'Kelly, an Ohio State University researcher and professor studying what a major disruption of the Internet might mean.

The studies examined how growing commercialization of the Internet has built on the concentrations of Internet equipment that form Internet nodes in a few big cities across the country. In a sense, the nodes are the few baskets in which we've put our eggs. O'Kelly described the nodes as a "certain number of network access points or exchange points where the networks crisscross or come together at a convergent point."

There are 12 or 13 nodes somewhat hidden in larger cities across the country, which experts say are protected by ignorance more than anything. Some worry one of these hubs could become a target. "Nobody puts a sign out saying, 'This is an Internet hotel, we have a billion dollars worth of Internet cyber-technology inside,'" O'Kelly said. "These things are fairly anonymous and should be kept that way."

The Internet is like other infrastructures, including physical infrastructures, according to Schneck. "If you look at the power grid, there's the same type of vulnerability," she said. "Knock out one part, and you can essentially get other parts. It's really infrastructure vulnerability. The Internet is another infrastructure."

The studies found that crippling just one node could have profound effects on commerce elsewhere, just like closing a major airport could disrupt travel in other parts of the country.

"There's no single controlling entity of the Internet," O'Kelly said. "It's an organically meshed together set of nets that have particular points where interchanges take place. They're places where you have convergence of infrastructure and hence a vulnerability."

What the virtual attacks conducted by researchers showed was that the Internet might continue to function in big cities, but access to outlying areas would probably be cut because those areas lack redundancy, according to O'Kelly.

"In some sense, all our eggs are in more than one basket, but there are a lot of eggs in some baskets, so clearly big cities with lots of infrastructure are potential weak points," O'Kelly said. "But the fact that there are lots of those networks convergent on that city is at the same time a source of resilience because they're not all in the same building, they're spread across the metro area or in different parts of the city or meshed together themselves."

So the biggest cities with large net hubs and several connections to the Internet, such as Los Angeles, New York, Atlanta, Dallas, Chicago and Washington, D.C., may be best equipped to survive an attack, O'Kelly said. Smaller cities that rely on large hubs are at a greater risk. "We've suspected that the most vulnerable cities and local governments are the ones that are not really at the crossroads but out there at the end of the line on the hub and spoke system."


"Always Cyber"
A troubling consequence of an Internet breakdown is the connection to critical physical infrastructures and the probable impact on them.

"When you look at infrastructure protection," Schneck said, "and look at the different sectors -- water, transportation, emergency services -- the connection with them is always cyber."

So what to do?

There is no quick, near-term solution to fix Internet vulnerabilities. It will take years, maybe decades, of education and development of technologies such as defect-free technology to possibly secure the Internet or create a parallel Internet made of secure routers. In the interim, steps must be taken to protect the physical critical infrastructures linked to the Internet.

McCarthy suggests a government and industry partnership to conceptualize a framework to first recognize what the true critical infrastructure is and then take steps to protect it. As part of that effort, government and the private sector must communicate about vulnerabilities.

"It ain't an easy thing, or it would have been done a long time ago," McCarthy said.

But such communication is taking shape in some areas, including a project between Maryland, Virginia, Washington, D.C., and the Department of Homeland Security to develop plans to protect those states' critical infrastructures.

Since everything cannot be protected, McCarthy, who is involved with the partnership, said the initial phase of the project is to "visualize" the key infrastructures. By modeling or mapping infrastructures, interdependencies between sectors can be tested without a real-world disruption.

Currently, McCarthy said, the most prevalent model of protecting critical infrastructures is similar to the one he and his wife use when they try to find the switch that cuts electricity to the living room. "I ask my wife to go down to the fuse box and start flicking switches. That's really what we're doing with a lot of our infrastructures, we're waiting for a real-world event to come, and we're flicking switches to see what happens."

Computerized models of infrastructure are needed, he said, adding that the same geo-spatial tools state and local emergency responders use for mapping natural disasters, such as earthquakes and floods, can be used for developing an infrastructure protection framework.

Each sector must understand its role in protecting the infrastructure, McCarthy said. Since the public sector claims "ownership" of 15 percent to 20 percent of critical physical infrastructures, it's vital for state governments to determine which physical infrastructures are most important and take proactive steps to protect them. It's also important to avoid overlapping responsibilities, to know what other sectors are doing and to tap into that expertise if necessary.

"Cyber-security is really understanding where you are on that continuum," he said. "It becomes kind of a mosaic. If everyone starts putting their piece on the wall you soon get an integrated picture."

McCarthy cited a recent alert covering trains hauling chemicals. He said information sharing between the railroads and government was good, but chemical plants were left out and thrown for a loop when train schedules were modified.

The situation took another wrong turn when it was found that water treatment chemicals were among the cargo traveling by train. That wasn't known at first, but it was critical because water treatment plants keep only a 72-hour supply, so delaying the shipment was a problem, he said.

That was a clear case of insufficient communication. It also demonstrated the importance of planning strategies and mapping critical infrastructures for protection.

"This interdependency and having the capacity to visualize that [interdependency] helps you anticipate, and this gets into the modeling and simulation that the government and industry and academia have a role in."


A Common Wavelength
As states tackle the task of mapping critical infrastructures and planning for emergencies, they also are becoming part of the national framework developing at the federal level with the National Cyber Security Division (NCSD), a part of the Department of Homeland Security (DHS). The NCSD offers subscribers security bulletins, tips and alerts.

Information is gleaned from the private sector in a partnership called US-CERT (United States Computer Emergency Readiness Team). The data is analyzed and presented to the public in the form of warnings and advice.

States also should adhere to federal standards already in place, Schneck said. The Health Insurance Portability and Accountability Act (HIPAA) addresses the security of health data, and the Gramm-Leach-Bliley Act will go a long way toward safeguarding data and holding the private sector accountable for the security of financial data, and thus help develop better security practices.

As the nation builds a framework for security, it is imperative to develop even more standards and policies to which all sectors adhere. "Without those things, it's a hodgepodge," said the GTA's Tong, adding that Georgia keeps the phone lines open to the local FBI InfraGard chapter and a local electronic power association to keep tabs on threats. "The idea is that you don't know what the other person is doing and what level of security they're supplying to their systems."

Complying with federal guidelines, such as HIPAA, is a minimum step toward getting everyone on the same page, Tong said. "When we all have an understanding of what the standards and policies are, then we can build our infrastructure and build technologies to meet standards."

The DHS has been criticized for being in disarray, but Schneck is confident the recent efforts put the department on the right track. Schneck specifically mentioned the Homeland Security Presidential Directive No. 7 issued last December, which establishes policy for identifying and prioritizing critical infrastructure. She said along with the NCSD's work, this will help facilitate progress in all sectors.

"Now you have good security in the private sector, good security policy in the public sector and a good basis for sharing of information, and that should start to improve very soon."

None too soon for McCarthy, who stresses that movement now is critical to being prepared a decade or two down the road when an attack from overseas might be possible. "Look how long we've been involved in the critical infrastructure discussion; 1996 [President Clinton's Presidential Decision Directive 63] and we're still talking about how to identify our vulnerabilities and secure them," he said.

"Cyber is part of that next piece we need to be looking at as we're building physical protections. Right now, cyber-systems are relatively open."