Infrastructure systems face threat of cyberattacks

As the four-month anniversary of the most devastating surprise attack on the U.S. since Pearl Harbor approaches, security experts are beginning to piece together a puzzle that nobody wants to see completed.

Had the terrorists that struck on Sept. 11 been able to launch a simultaneous cyberattack against the nation’s critical private-sector infrastructure, the ripple effect of the initial attacks could have been far more devastating, experts said.

The attacks “could have been a lot harder on the nation’s economy had a cyberattack accompanied them,” Bill Crowell, CEO of Santa Clara, Calif.-based Cylink Corp., said last week. Crowell, a former deputy director of the National Security Agency, added, “We were just lucky that these guys were so focused on this one gigantic, horrible event.”

Jeff Morris, a member of the Washington State House of Representatives, said the events of Sept. 11 should be enough to make every state government and private business begin to think about the vulnerability of the computer systems and networks that support critical infrastructures.

The nation’s electric power grid, telecommunications networks, gas and oil pipelines, and emergency services “were built by the private sector for efficiency, not redundancy,” said Morris, who is also president of the Pacific Northwest Economic Region (PNWER), a partnership formed between the governments and businesses of five U.S. states and three Canadian provinces.

Although many large companies have been “fairly responsive” to the effort to protect key systems, others, such as some small telecommunications firms, are just now opening their eyes, said Morris. “It never occurred to them that the power grid might fail because there’s no natural gas,” said Morris, referring to the fact that natural gas powers many of the generators that produce the nation’s electricity.

“The reality is that some companies didn’t even have a security officer on staff before Sept. 11,” he said. “It would have been far worse if a cyberattack had occurred.” Such a disruption at power plants in the Canadian province of Alberta, for example, could have created a ripple effect throughout the U.S., making Sept. 11 a bicoastal emergency.

Canada supplies most of the natural gas and a large percentage of the electricity consumed in the U.S. The loss of one specific core switching station, the identity of which can’t be disclosed for security reasons, could severely impact the flow of natural gas in the U.S., said Matt Morrison, vice president of PNWER. The same is true for power plants in the Quebec area, which provide critical services to the northeastern U.S.

The PNWER plans to hold a second infrastructure protection planning conference in Seattle in March, following one held in November. The goal is to create a list of the most important systems and the impact on the region if they were to fail due to an attack, said Morris. Moreover, PNWER plans to deploy software developed by the Argonne National Laboratory in Argonne, Illinois, that would alert state officials to infrastructure failures in Canada and predict the impact on U.S. systems.

In addition, the states and companies involved in PNWER plan to form a limited liability corporation to facilitate security data sharing. The corporation will coordinate with regional emergency management offices.

Still, the window of opportunity to fix glaring security holes in the nation’s defenses is rapidly closing, said Frank Cilluffo, an analyst at the Center for Strategic and International Studies in Washington.

“Bits, bytes, bugs and gas will never replace bullets and bombs as the terrorist weapon of choice,” Cilluffo told the Senate Government Affairs Committee a month after the terrorist attacks. However, “while [Osama] bin Laden may have his finger on the trigger, his grandson may have his finger on the mouse.”