Wired Science

How Vulnerable Is America to Online Attack?

The online assault that temporarily paralyzed the tiny Baltic nation of Estonia last spring may have been the first real battle inaugurating the era of cyber-warfare. But that attack was a relatively minor nuisance compared to what could be unleashed on the United States.

Experts are divided on how serious and how imminent the danger is, and even what form it might take. But no one disputes that our increasingly networked, digitally dependent society is vulnerable to online attacks that could have devastating real-world results. Malicious hackers and terrorist groups have already proved they can cause computer-based trouble - but the biggest threat by far is from other countries.

Estonia was hammered by a wave of what are called distributed denial of service attacks, which abundant evidence suggests were launched by Russian nationalists furious at the Estonian government's plans to take down a Soviet war memorial. In a DDoS attack, hackers use "botnets" - networks of surreptitiously commandeered computers - to bombard a target Web site with bogus requests for information, overwhelming its host computer and forcing the site to shut down.

The digital siege of Estonia was the first time that the Web sites of an entire country's government, media, and banking institutions had simultaneously come under such an attack. But DDoS onslaughts have been used many times for political ends. A rash of them hit American government sites after NATO bombed the Chinese Embassy in the former Yugoslavia in 1999. Hackers on both sides have struck enemy Web sites during the conflicts in Kashmir, Kosovo, Israel/Palestine, and elsewhere. Commercial sites are even more frequently targeted: In 2000, DDoS attacks by still-unknown assailants briefly shut down the Web sites of eBay, Amazon.com, and Yahoo.

Wreaking such online havoc doesn't require much technical know-how. "Since 1999 we've seen the rise of a very sophisticated cyber underworld," says Jeffrey Hunker, chief of digital security for the Clinton administration. "Today, if I want to attack some site, I can rent the botnet to do it and even hire someone to run the attack for me."

Ultimately, though, all a DDoS attack can do is close down a website. That's penny-ante stuff compared to what could happen if hackers broke into the computers controlling parts of the national infrastructure and turned them into weapons - by opening a dam's floodgates, for instance, or shutting down an electric grid.

Breaking into those kinds of complex, digitally protected systems is far more difficult than just lobbing a DDoS attack at a Web site. But it can be done. In fact, it's already happened: In the last 10 years, hackers have shut down the air traffic communication system at a Massachusetts airport, taken control of the software that regulates the flow of natural gas in Russian pipelines, turned off the safety monitoring system at an Ohio nuclear plant, and forced a water treatment facility in Australia to dump thousands of gallons of raw sewage into local creeks.

A serious cyberattacker might launch similar such disruptions not instead of a conventional attack, but on top of one. "If you set off a bomb and then take down the phone systems, that would do a lot to add to the panic," says Clay Wilson, a specialist in technology and national defense with the Congressional Research Service. 

Still, at this point, the possibility of a terrorist group like al Qaeda launching an attack through the Internet seems relatively remote. Such outfits do use the Net extensively to recruit members and spread propaganda, and there have been countless picayune attacks on Western Web sites by hackers claiming to be "e-jihadists." But no major terrorist outfit seems to have developed the skills to do much more than that - or perhaps just hasn't bothered to use them. "Terrorists' efforts are focused on explosives and other physical attacks," says Dorothy Denning, a cybersecurity expert at the Naval Postgraduate School. "That's where the emotional appeal comes from. You go to heaven for being a martyr. I don't know what you get for attacking Web sites."

The biggest potential threat is from other nations that have the human and technical resources to develop serious offensive digital capabilities. Russia, China and other countries acknowledge they are developing cyberwarfare methods (as is the US, of course). With that in mind, many of America's most critical government and military computer systems are kept physically disconnected from the Internet to keep them out of the reach of online intruders. Most of the rest are well protected, experts generally agree - but nothing's foolproof. "All systems run on software, and all software has defects and vulnerabilities," Hunker says.

Indeed, in 1998 US officials discovered that systems at NASA, the Pentagon and other federal agencies were being accessed from a computer in Russia. In 2005, the FBI found hackers prowling through hard drives at a number of military bases and defense contractors. Just last summer, the Pentagon shut down one of its computer networks for several days after it was penetrated by hackers widely believed to be connected to China's People's Liberation Army. Germany, France and Britain were also hit by digital intruders allegedly working for the Chinese military.

And those are just the cases we know about. "I doubt that China's cyberwarriors are just sitting around waiting for a war to start," says Richard Clarke, former top adviser on cybersecurity to President George W. Bush. "They could be exploring our systems and planting viruses without our knowing it. The difference between that and causing real world damage is only a few keystrokes."