The cyber-ruffians who briefly tanked the stock market recently by faking a news tweet about an attack at the White House showed how much damage can be done with a few well-placed keystrokes. Those who hacked into a Department of Labor website earlier this week could have wreaked even more havoc, say, if they successfully tweaked the monthly jobs report.
Neither seemed particularly sophisticated, or malicious. But they do beg the obvious question: How much damage could a group of well-trained hackers do, economic and otherwise, if they really wanted to?
Paul Rosenzweig
It doesn’t take Rosenzweig long to come up with some unsettling scenarios. Most involve either disruption or disinformation, like the Associated Press Twitter account hack.
Here are just a few of them:
- Spreading disinformation through trusted sources about a dangerous escalation of a geopolitical flashpoint, prompting a plunge in global markets that lasts for days before it’s corrected. North Korea’s Kim Jong-Un launches ICBMs at the United States, for instance, or Israel attacks Iran’s nuclear program, squeezing the global oil supply.
- Hacking into the Industrial Control Systems (ICS) that run so many government and private sector systems, disrupting dams, oil refineries, the power grid, utility companies—or the global banking system known asSWIFT. (A Chinese hacker is suspected in a recent intrusion into a US government database cataloging dam vulnerabilities, according to the Washington Free Beacon.)
- Disrupting trading on the New York, London or Tokyo stock exchanges, or finding a way to wipe out, or corrupt, the vast database of prior trades.
- Messing with the space-based satellite navigation system that provides location and time information for just about everything these days. “Think of this,’” Rosenzweig says. “What if someone started degrading the information that GPS runs on? It’s just data, ones and zeros that come down from satellites. You could make our missiles less accurate, our planes less able to fly or less safe. You could intercept, degrade it, or spoof it—send false signals, and make the planes think they are somewhere else.”
How serious are these threats? “All of these are very, very real vulnerabilities,” says Rosenzweig. ”There are people who would love to do these to us but don’t have the capability, yet, like Al Qaeda. There are others, like Russia, China and Iran, who could do much of it, and they might do it at some point. But when, and why, we don’t know.” One question is whether state actors like Russia, China and Iran would authorize something that could be construed as an act of war, or certainly a serious provocation that could prompt a US military cyber-response.
Rosenzweig, who now runs the Red Branch Law & Consulting firm, wouldn’t talk about the work he did on highly-classified “Red Teams” tasked by the government to think up such scenarios as a way of thwarting them. But he says such efforts are becoming increasingly urgent as cybersecurity experts try to anticipate what kind of hacks could really do serious damage.
This post first appeared on QZ.com, for which the author is a contributor.
Josh Meyer is director of education and outreach for the Medill National Security Journalism Initiative. He spent 20 years with the Los Angeles Times before joining Medill, where he is also the McCormick Lecturer in National Security Studies. Josh is the co-author of the 2012 best-seller “The Hunt For KSM; Inside the Pursuit and Takedown of the Real 9/11 Mastermind, Khalid Sheikh Mohammed,’’ and a member of the board of directors of Investigative Reporters and Editors.
