Experts say it's not time for cyber panic

PHOTOGRAPHER: Marc Schultz

Frank Wicks, professor of mechanical engineering at Union College, doesn't agree with the dire warnings in Ted Koppel's book 'Lights Out.'

Share on Facebook

Save

A science-fiction author tells a story about a giant asteroid that strikes Earth and decimates society.

A horror writer develops a series about the walking dead and a zombie apocalypse that wrecks humanity.

A former television newsman writes a book about a massive cyberattack — an assault on computer systems — that knocks out the nation’s power grids for months. Evacuations, food shortages and panic follow.

Astronomers say there’s a small chance a quarter-mile wide asteroid will come near Earth in 2032, but NASA scientists have said they are 99.998 percent sure the big rock will not make a crash landing.

And most horror writers, if pressed, would probably admit there is a 100 percent chance the dead will always remain in their graves.

But Ted Koppel, the former anchorman of television’s well-regarded “Nightline” late-night news show, does not back down: He’s worried about cyberattacks.

Koppel’s book “Lights Out,” which was released last fall, talks about computer attacks that will knock down power grids for a long period of time. Koppel has said he has talked to U.S. emergency management and Homeland Security officials, and some have told him it’s not a question of “if” but a question of “when” such attacks take place.

The full title of Koppel’s book is “Lights Out: A Cyberattack, a Nation Unprepared, Surviving the Aftermath.” Among the author’s recommendations: Stock foods that will last a family three months.

Ongoing battle

Local cyber security and engineering experts don’t believe in any cyber panic. James Hendler, director of the Rensselaer Institute for Data Exploration and Applications, and a recent appointee to the Homeland Security Science and Technology Advisory Committee, thinks it’s inevitable cyber events are going to take place.

“I don’t think it’s inevitable that it’s lights out, strike three, that kind of stuff,” he said last week in an interview from Washington, D.C.

What Hendler expects is an ongoing battle between computer system criminals and computer system protectors.

“I use the analogy of home security when I talk about computer security,” said Hendler, the tetherless world professor of computer, Web and cognitive sciences at Rensselaer Polytechnic Institute. “I’m sure there was a time when people were scandalized if there was a robbery anywhere in their town, but nobody had locks on their doors, early cars didn’t have keys. It was just inconceivable that anyone would steal one, and that’s sort of how we are about our computers now.”

Over time, Hendler said, people must realize they’re going to have to live with a certain level of cyberspace crime. And they’re going to have to be more focused on protection.

“Just as you’re probably comfortable in your home with one or two locks on the door, if you start to have more valuable stuff, then you’d put in an alarm system,” Hendler said. “If you have really valuable stuff, a museum or something, you start to have guards. So people will start to realize it’s not a one-size-fits-all thing.”

Hendler says such lessons are important because he believes Koppel is right about the inevitability of some cyber woes.

“But what he’s saying is, if we don’t protect the infrastructure tremendously and quickly, we’re going to see this huge-event stuff, and I’m less convinced of that,” Hendler said.

Power outage

Small cyber-based scenarios have already occurred. The most recent was this past Dec. 23, when a cyberattack on Ukraine’s power grid knocked out power to hundreds of thousands of homes. Ukraine officials blamed Russia.

Frank Wicks, professor of mechanical engineering at Union College, has scanned the Koppel book. He does not agree with the warnings.

“He is advising us all to become survivalists,” Wicks said. “It is somewhat like the Y2K fears [of 1999 going into 2000] that did not amount to much.”

Wicks knows about cyber-based attacks and electromagnetic pulses that could be delivered via a nuclear explosion high in the sky.

“A cyberattack is possible,” Wicks said. “The use of a nuclear weapon from high above would require missiles and a nuclear warhead that would not be available to a rogue element. It is doubtful they would use it for a ‘shot across the bow’ rather than using it for some real physical destruction.”

Wicks said his experience says electrical systems are always vulnerable to short-term outages. But they recover quickly.

“A cyberattack could trip some circuits,” Wicks said. “A nuclear pulse could also trip protective relays. It has happened occasionally by solar storm particles reaching Earth.

“However, the generating equipment and transmission would have minimal damage,” Wicks added. “The outage would be regional. It would be mostly a matter of resetting the system. Recovery would be in terms of hours or a few days.”

Ultimate nightmare

Wicks would be far more concerned if cyberspace terrorists decided to take a shot at the nation’s banking and finance systems. “The ultimate nightmare would be to attack the banking system,” he said, adding that it could be difficult to ascertain ownership of assets and debts.

Officials at the New York state Division of Homeland Security and Emergency Services declined an interview request. Instead, agency spokeswoman Kristin Devoe sent The Daily Gazette a statement in which she said state agencies continuously train for a potential man-made disasters and cyberattacks on the energy infrastructure.

“Additionally, the state has worked with the public through the New York State Citizen Preparedness Corp. Training Program,” Devoe said in the statement. “This program provides guidance and resources so New Yorkers can prepare their homes, families and businesses for any type of natural or man-made disaster while also having ample emergency supplies on hand.”

Trumping panic

Like Wicks, RPI’s Hendler believes the power grid is resilient. And even if terrorists attack programs that run utilities, he does not think they’ll be able to pull off a doomsday scenario.

If some parts of the state or country went dark through cyberspace meddling, Hendler believes cooperation would trump panic.

“If Syracuse went down but Utica was fine, or if Schenectady went down but Albany was fine — let’s put it in our own backyard — right now if we had a big storm, electrical crews from Albany would eventually come help Schenectady,” Hendler said. “If you could manage to take down the whole country in a horrible way and take out all things, you could see the beginning of a bad situation. I don’t think it will come to that as long as people start paying attention. At least, people in government and many people in academia are starting to pay attention, so I hope the Koppel book will help the general public realize there’s a problem.”

It took Hendler a few seconds to ponder this question: Are people paying enough attention now?

“Believe it or not, that’s a very hard question to answer,” he said. “The answer is, in some circles, enough attention is being paid. The fact that most people don’t understand the technology, the real risks, and there are things you can do about it, like locking your door on regular crime, makes me worry. But certainly at the level of the federal government and many of the states, people understand the problem. There are many other states and most municipalities that are still assuming someone else is going to come fix the problem.”

Tyler Cohen Wood also believes in education, Wood, a cyber security expert and advisor with the San Antonio-based Inspired E Learning group, which provides security awareness and compliance training, said people have to understand that even simple computer applications can open the door to trespassers.

“It’s in their cars, it’s in their Fitbits [devices that track personal data],” said Wood, a former senior intelligence officer for the U.S. Defense Intelligence Agency. “There are now smart refrigerators that collect information on you and are connected to the Internet. Your smart TVs are connected to the Internet. If you have it connected to your corporate network in such a way, it could be used as a hopping point to other devices.”

Wood added that she believes the Target department store chain has one of best security teams in the world. Yet, store customers have had their credit card numbers hacked in the past. Hackers found ways into the system through point-of-sale machines, devices into which credit cards are swiped.

“You could conceivably say the weakest link, the way into the power grids or any corporation, anything, is through humans not understanding, somebody downloading something they didn’t quite get,” Wood said. “But if that person is educated, they’re not going to fall for that.”

Act of war

Jon Heimerl sounds a little more worried about a cyberattack.

“I think most of us know that, realistically, the U.S. infrastructure has been under ‘soft attack’ for years,” said Heimerl, senior security strategist for Solutionary, a Nebraska-based managed security services provider, in an email note. “Most of us probably suspect that parts of the power grid and other elements of critical infrastructure are essentially compromised, or at least, subject to compromise.”

Heimerl believes significant portions of the power grid, and other important infrastructure, were built to work. But much less was built to survive.

“A whole-scale attack of a magnitude which could cripple the U.S. would truly be an act of war,” Heimerl said. “It would be an attack that would escalate our retaliation and would surpass the U.S. simply ‘taking down a server’ someplace. It really is a measure of a balance of terror.

“If an attack was able to truly cripple the U.S., the impact on the world economy would be catastrophic,” he said. “Everyone would suffer, since our relationships with other countries are so close. That may sound a little self-important, but given the participation of the U.S. in the world economy, it cannot be understated.”

Hendler knows some people have an answer to end cyber-based threats — eliminate the targets. That would mean no computers, no smartphones, no smart television, no Internet.

But that’s not realistic.

“There are certainly people saying that, and I’ll bet you there were people saying that the first time a bank ever got robbed, the first time a car ever got stolen, the first time gangs started to form in some cities,” Hendler said. “But we’ve learned to live with that as a resilient society and we must learn to live with this one, too.”