Cybersecurity Myths: Beware the Hype
& Zachary Katznelson, Senior Staff Attorney, ACLU National Security Project
Much current cybersecurity discourse is inspired by a vivid and compelling image: terrorists remotely taking over dams, nuclear power plants or other critical infrastructure in order to wreak havoc and kill large numbers of Americans. In one revealing incident, congressional staffers pushing for new government powers argued that their legislation was needed to prevent cyber attackers from accessing a system that could “cause the floodgates to come open at the Hoover Dam and kill thousands of people.” There’s only one problem: officials at the Dam told reporters that “Hoover Dam and important facilities like it are not connected to the internet.” The incident shows that threat inflation combined with the power of a vivid image or narrative can override facts and drive policy. Congress should be aware of the facts before charging forward with privacy-busting legislation like the Cyber Intelligence Sharing and Protection Act.
Alarming cybersecurity stories continue to appear in the media. Even an attentive reader of the news over the past half-decade could be forgiven for believing that hackers have infiltrated the U.S. electricity grid, caused blackouts, and vandalized a local U.S. utility. When examined closely, however, none of those incidents holds up as an example of the dangers of cybersecurity vulnerabilities:
•In repeated statements – mostly vague hints and claims by unnamed security agency officials – government agents have suggested that power grids have been targeted by spies , and that two U.S. blackouts were caused by hackers. Some cybersecurity officials reportedly claimed that the massive 2003 blackout that cut power across 8 U.S. states had been traced to China. But, a detailed 228-page investigation by the North American Electric Reliability Corporation pointed to numerous sources of the problem, a list that did not include hackers.
•The CIA and President Obama have claimed that cyberattacks caused a blackout overseas, apparently in Brazil. However, Brazilian government experts who investigated the blackout for a year concluded that online attacks had nothing to do with the outage (the real cause was negligent maintenance by a power company) – and that the control systems for Brazil’s grid are (smartly) not even directly connected to the internet.
•Another set of scary headlines made the rounds after the failure of a utility’s water pump outside Springfield, Illinois. Computer logs indicated that system computers had been “hacked into” from a computer located in Russia. Breathless reports claimed it “could be the first known foreign cyber attack on a U.S. industrial system.” However, it soon emerged that the whole story was whipped up by overexcited analysts at the Illinois Statewide Terrorism and Intelligence Center (aka the Illinois “fusion center”). In fact, the pump failure was a routine burnout, and it was an American contractor vacationing with his family in Russia who had logged into (not hacked) the Illinois computers remotely.
Unfortunately, in most of these cases, the number of people who saw the original, scary story probably far exceeds the number who saw and had the context to understand the correction or the fine print setting it in proper perspective. That does not mean the threat is not out there; a future cyberattack could be destructive and we should be taking common sense steps to try to prevent it. But the truth is no one knows just how real this risk is. Let’s have a cybersecurity debate based on the real facts, not hyperbole.