It is a devastating prospect. Terrorists electronically break into the computers that control the water supply of a large American city, open and close valves to contaminate the water with untreated sewage or toxic chemicals, and then release it in a devastating flood. As the emergency services struggle to respond, the terrorists strike again, shutting down the telephone network and electrical power grid with just a few mouse clicks. Businesses are paralysed, hospitals are overwhelmed and roads are gridlocked as people try to flee.
This kind of scenario is invoked by doom-mongers who insist that stepping up physical security since the September 11th attacks is not enough. Road-blocks and soldiers around power stations cannot prevent digital terrorism. “Until we secure our cyber-infrastructure, a few keystrokes and an Internet connection is all one needs to disable the economy and endanger lives,” Lamar Smith, a Texas congressman, told a judiciary committee in February. He ended with his catchphrase: “A mouse can be just as dangerous as a bullet or a bomb.” Is he right?
It is true that utility companies and other operators of critical infrastructure are increasingly connected to the Internet. But just because an electricity company’s customers can pay their bills online, it does not necessarily follow that the company’s critical control systems are vulnerable to attack. Control systems are usually kept entirely separate from other systems, for good reason. They tend to be obscure, old-fashioned systems that are incompatible with Internet technology anyhow. Even authorised users require specialist knowledge to operate them. And telecoms firms, hospitals and businesses usually have contingency plans to deal with power failures or flooding.
A simulation carried out in August by the United States Naval War College in conjunction with Gartner, a consultancy, concluded that an “electronic Pearl Harbour” attack on America’s critical infrastructure could indeed cause serious disruption, but would first need five years of preparation and $200m of funding. There are far simpler and less costly ways to attack critical infrastructure, from hoax phone calls to truck bombs and hijacked airliners.
On September 18th Richard Clarke, America’s cyber-security tsar, unveiled his long-awaited blueprint for securing critical infrastructure from digital attacks. It was a bit of a damp squib, making no firm recommendations and proposing no new regulation or legislation. But its lily-livered approach might, in fact, be the right one. When a risk has been overstated, inaction may be the best policy.
It is difficult to avoid comparisons with the “millennium bug” and the predictions of widespread computer chaos arising from the change of date to the year 2000. Then, as now, the alarm was sounded by technology vendors and consultants, who stood to gain from scaremongering. But Ross Anderson, a computer scientist at Cambridge University, prefers to draw an analogy with the environmental lobby. Like eco-warriors, he observes, those in the security industry — be they vendors trying to boost sales, academics chasing grants, or politicians looking for bigger budgets — have a built-in incentive to overstate the risks.
In addition to those quoted in the text, the author would like to thank the following people for their help with the preparation of this survey: Gordon Eubanks of Oblix, Patrice Rapalus of the Computer Security Institute in San Francisco, Cory Doctorow, Linda Stone, Neal Stephenson and Stephan Somogyi.
For information on obtaining a reprint of this survey, please visit the Economist web site.
Copyright © 2002 The Economist Newspaper and The Economist Group. All rights reserved.