'Cyber 9/11': Serious Risk Or Inflated Threat?
Ten years after the Sept. 11 attacks, many lawmakers and intelligence officials say they fear the next such attack could be triggered with the click of a mouse. They warn of a potential "cyber 9/11" caused by terrorists hijacking the nation's critical infrastructure, plunging cities into sustained blackouts, halting trains and planes or wiping out banks' financial data.
"When the terrorists get smarter, they won't even need to come to our shores to create the kind of havoc and turmoil they did by flying planes into the Twin Towers. They will be able to do it from their laptops from overseas," Michael McConnell, the former National Security Agency director and current executive at defense contractor Booz Allen Hamilton, said in a 2009 interview.
But some experts have grown skeptical of the warning, questioning whether terrorists have the skills to carry out a cyberattack and saying there are parallels to the hyped intelligence reports of weapons in Iraq.
Jerry Brito and Tate Watkins, researchers at George Mason University, argue that "the rhetoric of 'cyber doom'" used by many officials is not supported by clear evidence and may be used to drum up funding for an emerging cyber-industrial complex.
"The United States may be witnessing a bout of threat inflation similar to that seen in the run-up to the Iraq War," Brito and Watkins wrote in a paper published earlier this year.
Others also see similarities to previous national security debates, but take the opposite view. In a speech last month at the Black Hat security conference in Las Vegas, former top CIA counterrorism official Cofer Black said there was "a lack of appreciation" among some government officials over the threat level from al Qaeda before the Sept. 11 attacks.
Now, despite rising fears over the potential of cyberterrorism, "the decision makers of today are still sort of in that boat. They hear it but they don't believe it," Black said.
Increasingly, officials say they do believe it, issuing warnings and preparing for a potential cyberattack against the nation's power grid, transportation system or financial sector.
"Al Qaeda and other terrorist groups have spoken of their desire to unleash a cyberattack on our country -- attacks that are harder to detect and harder to defend against," President Obama said in a 2009 cybersecurity speech.
Later that year, Steven Chabinsky, deputy assistant director for the Federal Bureau of Investigation's Cyber Division, said the agency was investigating al Qaeda sympathizers who were trying to develop hacking skills to attack the United States’ infrastructure. In July of this year, British authorities said they were bracing for an increase in cyberterrorism after al Qaeda called for "cyber jihad" following the death of Osama bin Laden.
Since 2006, the Department of Homeland Security has conducted a regular exercise called “Cyberstorm," in which federal, state and local governments and the private sector test the nation's ability to respond to a cyberattack. In Congress, lawmakers have introduced cybersecurity legislation to shore up the nation's digital infrastructure from cyberattacks.
In a Washington Post op-ed published in July, , Sens. Joe Lieberman, Susan Collins and Tom Carper advocated for legislation that gives DHS authority to work with the private sector to help secure power plants, electric grids and pipelines, "all of which, if hacked, could lead to human and physical destruction and economic havoc."
Without legislative action, "the alternative could be a digital Pearl Harbor -- and another day of infamy,” the senators wrote.
But some experts say only a few nations, including Russia and China, have the ability to launch cyberattacks and that they seem more interested in spying than terrorism. They question whether terrorists are able to wreak havoc in cyberspace -- at least for now.
"No terrorist group has demonstrated that capability yet, but that doesn’t mean they won't," Paul Rosenzweig, a fellow at the Heritage Foundation who helped craft policy and strategy inside the Department of Homeland Security, told The Huffington Post.
Terrorist groups are likely not interested in cyberterrorism because it would not have the same visual effect as hijacking planes and blowing up buildings, said James Lewis, director of technology and public policy at the Center for Strategic and International Studies.
"Cyberattacks are just not that damaging in terms of casualties and physical destruction," Lewis said in an interview. "Terrorists love drama and bloodshed, and making the lights blink on and off doesn’t do that."
Some say the threat is being over-hyped by officials who implement alarmist terms like "digital Pearl Harbor," which has been used as far back as 1993 to suggest the United States could be taken by technological surprise.
"The discussion of threats in this country has always been driven by who has the scariest story and who can shout the loudest," said George Smith, a senior fellow at GlobalSecurity.org, a defense research organization. "Electronic Pearl Harbor' lends itself to scary stories, but no one comes up with any evidence or proof that’s substantial."
And one example repeatedly cited as evidence of cyberterrorism is inaccurate, skeptics say. In his best selling book "Cyber War," former counterterrorism czar Richard Clarke mentioned the 2007 blackout in Brazil to bolster his argument that a hacker could sabotage the power grid. That same blackout was also cited in a "60 Minutes" report on cyberterrorism, and in Obama's 2009 cybersecurity speech.
But an investigation later found the blackout was caused not by hackers, but by deposits of dust and soot that had accumulated on transmission lines. In fact, there is no evidence that a cyberattack has ever caused a power grid to shut down anywhere in the world, experts say.
Still, many experts argue the threat has become more plausible after the 2009 discovery of Stuxnet, a powerful computer worm used to attack Iran's nuclear program. The worm damaged Iran's nuclear centrifuges by causing them to spin too fast and give false information to the plant operators. The worm's creator has not been officially identified, though reports have alleged that the United States and Israel were behind the attack.
Stuxnet could have a similar effect on other industrial control systems, experts say. And now that its code has been made public, U.S. officials are concerned the worm could be rewritten and used against the nation's critical infrastructure.
"Stuxnet demonstrated something that five years ago we thought was just theory," Rosenzweig said.
Maybe that is one reason why officials hesitate to dismiss the threat of cyberterrorism. If a theoretical cyber weapon can become reality in five years, the possibility of a cyberattack will only become more legitimate with the passage of time, Rosenzweig said.
"It is real and it will become more real as time goes by," he said, "but it isn’t yet an existential threat."