By William Tucker
When a massive power outage struck Florida in 2008, it left millions of people in the dark. Investigators eventually attributed the problem to human error – a field technician had disabled two levels of protection, leading to the shutdown of two nuclear power plants at Turkey Point in south Florida.
Prior to that incident, hackers working for China’s PLA had infiltrated the U.S. power grid at several points. That led to speculation that the hackers had triggered the outage. In testimony before Congress, Tim Bennett, the former president of the Cyber Security Industry Alliance, backed the claims of Chinese infiltration, but the U.S. government did not.
Although this outage occurred 13 years ago, U.S. infrastructure remains vulnerable to cyber threats. The recent hack exploiting a vulnerability in SolarWinds software struck systems of the U.S. government and private industry alike, demonstrating the problems that remain in securing U.S. infrastructure. Tripping power grids and stealing information are one thing, but a recent attempt to poison a Florida city’s water supply over the Super Bowl weekend is quite another.
Spotting a Hacker’s Cursor Was Lucky
The Pinellas County, Florida, Sheriff’s Office on Feb. 8 revealed an attempt to poison the water supply of Oldsmar, a city near Tampa. It appears that, by happenstance, a supervisor on duty noticed a cursor moving across a computer screen and changing a setting for the chemical components used to treat the water supply. The hacker increased the amount of lye used to remove acidity from the water by a factor of 100. Fortunately, the supervisor stepped in to reverse the changes and, all told, the hacker was in and out of the system in five minutes.
The Sheriff’s Office stated that the public was never in danger. Secondary chemical checks would have alerted officials to the problem had the hack gone unnoticed. Federal authorities are investigating, but so far, there has been no explanation of how this anonymous hacker breached the system. It is also unknown whether this was a state-sponsored operation or something undertaken by a non-state group or individual. What is clear, however, is the need for national standards on infrastructure protection, and an ultimate response to these types of attacks.
Is a Cyberattack an Act of War?
In most cases, cyberattacks do not go beyond information theft or sabotage of systems, leaving most of these incidents in the criminal realm. Yet the question remains regarding the threshold beyond which a nation would feel compelled to respond with military force to a cyberattack that results in a mass casualty event. In essence, at what point does a cyberattack constitute an act of war?
Literature on this question abounds, yet it is posed only when such attacks dominate a news cycle. Indeed, the question was hotly debated following news of the SolarWinds breach. The best approach would seem to be to prevent the situation from escalating to that point in the first place, by ensuring robust security and by providing commensurate funding to smaller municipalities.
In many ways, the U.S. has been fortunate that these numerous attacks have not escalated to the point of severe economic disruption or mass casualties. But that will not last indefinitely. This problem requires attention sooner rather than later.