There is no debate in the security community that the nation needs to protect its critical infrastructure (CI) from cyber attacks. But not everybody agrees that all infrastructure sectors are equally critical.
According to the most recent Presidential Policy Directive on cyber security, the U.S. has 16 CI sectors, ranging from transportation to energy, food, water, financial services and others.
But Mark Sparkman, a former CIA officer and now a senior international affairs analyst with the RAND Corporation, argued in a recent post on CNN that "cyber Armageddon" scenarios focused on physical infrastructure are overblown. Major sections of the U.S., he noted, have gone without electricity and water for days or weeks following natural disasters, and life has returned to normal.
However, that, he said, would not be the case with finance.
"Want real chaos? Destroy confidence in the banking system (or even a part of it), and just stand back and watch," he wrote, adding that a major attack that manipulated or destroyed the assets of depositors would "establish a new field of warfare & (I)f the attacks persist, target nations must be ready to escalate by returning fire at a rate and magnitude that will deter further attacks."
But that brought a retort from Joe Weiss, an industrial control systems (ICS) expert, who said Sparkman's post simply means that "even former CIA officers don't understand ICS cyber security."
Weiss, a managing partner at Applied Control Solutions, is not arguing that a major attack on the country's financial system would be trivial. But he insists that a similar attack on the power grid would be just as bad, or worse. After all, financial institutions need power to operate. As "marcBlackmer," a commenter on Weiss' blog post put it, "If I may point out the obvious --no power, no banks."
It is not a given, Weiss said, that life would return to normal in a few days or weeks after a major cyber attack on the power grid.
"Cyber attacks can damage or destroy critical equipment such as transformers, boilers, turbines," he said.
These are custom equipment & many of these large components are not even made in the U.S. anymore. A targeted attack against this equipment can cause outages of up to nine to 18 months or more."
James Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS), made the same point on the CBS show 60 Minutes in November 2009, when he told correspondent Steve Kroft, "The big generators that we depend on for electrical power are one, expensive, two, no longer made in the U.S., and three, require a lead time of three or four months to order them."
Sign up for Computerworld eNewsletters.