by Benjamin Varlese
National security experts and the general populace most commonly associate Weapons of Mass Destruction (WMDs) with a chemical, biological, radiological, or nuclear (CBRN) dispersal device. However, most people overlook the potentiality of a devastating event caused by cyber terrorism. As the world becomes more technologically advanced and nations have developed a greater reliance on digital technology to run and maintain their infrastructure, the United States in particular. This reliance creates a dangerous situation in which a rogue state like North Korea, non-state actors such as Da’esh (ISIS or the Islamic State), or “lone-wolf” anarchist could cause a mass casualty event by attacking the network controlling one of these infrastructure components.
The electric power grid, water treatment and distribution systems, nuclear power facilities, telecommunications, financial markets and banking systems, government and defense, public and emergency services, transportation, and industrial processing are all considered part of a nation’s critical infrastructure. Most of these infrastructure systems are now controlled and operated using vulnerable digital technology. Understanding the reliance of the United States on digital technology and web-based systems to manage and operate all of its critical infrastructures, a significant cyber terrorism attack has the potential to cause a mass casualty event just as devastating as any other WMD. The event itself, in most cases, would not cause casualties. Still, the disabling or destruction of an essential service, particularly during a time of extreme weather, would undoubtedly result in a vast number of fatalities.
Additionally, there would likely be significant civil unrest and disorder that would increase casualties and further hinder the ability to restore services to the affected population. Examples of this would be if the power grid were shut down in Phoenix during a heatwave, or Chicago during a blizzard, or disabling the water treatment and distribution plants supplying ninety percent of San Diego’s potable water. Similarly, causing irreparable damage to the cooling system for the Catawba Nuclear Station near Charlotte, North Carolina, would itself cause a CBRNE event.
Any one of the scenarios mentioned above would have a catastrophic effect on the population of those areas resulting in thousands of casualties and a breakdown of order, further straining civil services in a manner no different from a WMD attack. The importance of addressing a cyber-terrorist attack in the same context as WMD terrorism is that it would be a far less challenging and far more likely method to be used by rogue states, non-state actors, or radicalized individuals against the U.S. The resources required for a cyber-attack are far less than any CBRN device. They also provide hardly any pre-attack indicators for law enforcement or the Intelligence Community to exploit to predict or prevent such a strike against the U.S. population.
The United States, more than any other state in the developed world, relies very heavily on digital networks and web-based technology to control and operate its critical infrastructure. Because of this, it is exceptionally vulnerable to the effects of cyber terrorism. The recent hacks on the Colonial Pipeline and the meat processing company, JBS, are prime examples of this vulnerability. Similarly, the massive power outage caused by the February 2021 blizzard across the southern U.S. demonstrates the potentially deadly impact of such a critical infrastructure failure. The U.S. is seeking to improve its cyber defense capabilities across both government and private industry but is still far behind the abilities of its adversaries in this field.
Additionally, there appear to be significant shortcomings in preparing how to mitigate, respond and recover from such an event; the prevailing mentality focuses on prevention and protection. Many targets are susceptible to a cyber-attack and could easily result in a mass casualty event akin to the wanton destruction caused by a traditional WMD. The most significant focus of priorities in cyber defense by both government and the private industry appears to be protecting sensitive or privileged information and not against intentional disruption or destruction of a network. The government and military have gone to great lengths to isolate and preserve its classified networks and personnel records from espionage in national security interests and secure its communications systems and strategic defense systems from intrusion.
There have been significant intrusions such as those recent incents mentioned above, the Office of Personnel Management breach several years ago, and numerous successful Denial of Service or ransomware attacks on government communications systems and public sites. However, there has not been an attack that could potentially cause direct physical harm to the civilian population. The private industry does not have any regulations placed upon it regarding the level of cybersecurity it is required to have. Most businesses and corporations do so to protect trade secrets and privileged information from competitors. Most organizations responsible for the U.S. infrastructure, such as power grids, telecommunications, and nuclear facilities, have a fair amount of network protection and cyber defense capabilities. However, many still have massive vulnerabilities and are susceptible to cyber-attack.
Additionally, many aspects of the infrastructure have an indirect effect on others. This ancillary impact means that interruption of one critical service could very well cause a disruption of another or several others. The best example of this is an attack on a regional U.S. power grid which would impact telecommunications, transportation, and anything else that requires an external electrical supply to function. The most dangerous course of action for a cyber-terrorist to undertake when attacking the U.S.’s critical infrastructure would be a large-scale disruption or irreparable damage to the network controlling a regional power grid.
This attack would be even more effective in producing mass casualties if done during a time of extreme weather conditions or another all-hazard event. The best example would be disabling the grid servicing the southwestern United States during a summer heatwave; many people would succumb to heat-related injuries under these conditions. Within a few days, other casualty-producing problems would rapidly develop if utility crews could not restore power. Transportation would be affected because of limited capabilities to access fuel or effectively manage rail systems. Food supply would quickly be exhausted primarily due to preservation issues and lack of transportation of goods into the afflicted areas.
Food shortages would almost certainly incite civil disturbances and large-scale violence within urban centers, further challenging emergency services already overburdened with a high volume of casualties. Loss of power would also disrupt communications making access and response to emergency services even more complicated. Medical care facilities would likely lose much of their ability to effectively treat casualties due to diminished emergency power alternatives (Stohl 2007). An event such as this could easily have the same catastrophic impact resulting in hundreds if not thousands of casualties as a WMD terrorist event in a large metropolitan area.
Another form of cyber-terrorism attack that would mimic a CBRNE attack would be against a nuclear facility or chemical plant, causing a type of accidental dispersal. An example of this would be a SCADA (System Control And Data Acquisition) manipulation resulting in a meltdown or other equally dangerous radiological conditions at the Catawba Nuclear Station on the Carolinas’ border. The Catawba facility is not only encircled by a couple of moderately densely populated cities, but it also sits on a significant waterway that supplies much of the surrounding area.
Several terror groups have already assessed the feasibility of attacking a nuclear facility as a method of WMD terrorism, and a cyber intrusion would be a far more realistic and achievable means of accomplishing such an operation. Other forms of CBRN events could involve a cyber attack on a chemical facility mimicking the effects of the 1984 Bhopal, India disaster or the derailment of a train transporting liquid chlorine through a populated area, not unlike what happened in Graniteville, South Carolina, in 2005.
Generally, a hacker with the skills necessary to accomplish a significant act of cyber terrorism requires several years of training and expertise, not unlike what would be needed for a terrorist to build an effective WMD. However, in the modern world, technical computer and internet technology skills are not hard to obtain and do not draw the same level of scrutiny as chemical or nuclear engineering would.
Also, unlike in creating CBRNE dispersal devices, very few resources, or finances are needed to execute a cyber terrorism attack. Often, all that is necessary is a computer and a removable storage device. Finally, there is far more anonymity in a cyber-attack, and there are very few traces for investigators to follow after a successful intrusion. There are digital signatures that law enforcement and the Intelligence Community can follow. Still, these certificates a skilled hacker can easily obscure and are more likely to be captured because of their ego over forensic evidence.
In closing, with the reliance on digital networks and web-based technology by the U.S. for all of its critical infrastructure operations and control, it is only a matter of time before a hostile actor exploits it in the act of cyber terrorism. Because of a lack of regulatory guidance on the amount of cybersecurity critical infrastructure networks should have, there is a dangerous exposure to a cyber incursion. Cyber-attacks are typically more of an inconvenience than a significant disruption.
Still, the likelihood of an escalation from a simple Denial of Service attack to something much more permanently damaging is increasing daily, as the Colonial Pipeline and JBS hacks have demonstrated. Many rogue states, non-state actors, and radicalized individuals see cyber terrorism as a means of leveling the battlefield against the U.S. by using its technological superiority against itself. To this end, a crippling blow to a critical infrastructure network could very easily result in a mass-casualty-producing event and subsequent civil disorder that would make mitigation, response, and recovery much more challenging to accomplish.
A successful cyber terrorism attack against a regional power grid, especially during a period of extreme environmental conditions such as a blizzard or heat wave, could potentially have the same catastrophic effects as a weapon of mass destruction. A cyber-attack has the additional benefit of being far easier in training and resources to perpetrate. There are far fewer indications and warnings beforehand to help law enforcement or intelligence professionals indict, and the attacker can more easily conceal their identity and source of the strike.
There is still a significant information gap on the potentiality of a cyber terrorism strike on the U.S.’s critical infrastructure; most academic research focuses on combating information warfare and protecting sensitive or privileged information. The material addressing the vulnerabilities of many of the networks operating and controlling the U.S. critical infrastructure but places a significant attack in the category of low probability.
However, current trends of escalating cyber warfare incidents point to an increased likelihood of an adversarial element exploiting the U.S.’s technological dependence and using cyber terrorism to inflict considerable civilian casualties akin to a WMD event.
Benjamin Varlese is a former U.S. Army Mountain Infantry Platoon Sergeant and he served in domestic and overseas roles from 2001-2018, including, from 2003-2005, as a sniper section leader. Besides his military service, Mr. Varlese worked on the U.S. Ambassador to Iraq’s protective security detail in various roles, and since 2018, he has also provided security consulting services for public and private sectors, including tactical training, physical and information security, executive protection, protective intelligence, risk management, insider threat mitigation, and anti-terrorism. Mr. Varlese earned a B.A. and an M.A. in Intelligence Studies from American Military University, a graduate certificate in Cyber Security from Colorado State University, and is currently in his second year of AMU’s Doctorate of Global Security program.
© Copyright 2021 by Benjamin P. Varlese
© 2021 The Havok Journal