Jan. 29, 2008 at 9:00 AM ET
From the moment U.S. top cybercop Richard Clarke uttered the words "digital Pearl Harbor" in 2000, the technology world has been engaged in bitter debate: Could hackers really cause as much chaos with computers as terrorists armed with bombs and guns? Or are security experts simply spreading fear and trying to sell products when they talk about cyber attacks?
The discussion had died down until recently, owing to the fact that no digital Pearl Harbor ever occurred.
But then came reports late last year that Chinese nationals were actively attacking computers run by the U.S. government and private British companies, all of which were vehemently denied by the Chinese government.
Now security expert Alan Paller has fanned the flames, quoting a CIA agent as saying that hacker-profiteers had carried out the mother of all hack attacks -- taking power plants offline and extorting their owners for cash.
Paller, who is director of the SANS Institute computer security training firm, said he had no details of the attacks, except that they allegedly occurred in unidentified overseas cities.
Here's precisely what the agent, CIA analyst Tom Donahue, said at a SANS training seminar for utility system security experts in New Orleans:
"We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."
Paller, who's also part of a task force devoted to shoring up power grid computer systems, rushed out an e-mail to reporters and to 185,000 security experts detailing the dramatic CIA statement.
A message from the CIA?
In an interview, Paller said that the CIA clearly wanted to get out the message that time is running out to secure U.S. power plants and other major critical infrastructure systems. A year ago, he noted, that same CIA agent had chastised him for talking in public about such sensitive national security issues.
"It means something that the man who got mad at me a year ago when I was talking about this said this in public," Paller said.
Paller said Americans should not dismiss the purported attacks as isolated, or the byproduct of low-budget computer security in a poor country.
"We have no reason to believe these plants have poorer security than ours," he said.
The problem with Paller's story, according to some cyberthreat skeptics, is that there is no reason to believe it is true.
Rob Rosenberger, who runs Vmyths.com, a Web site devoted to debunking cybercrime rumors, said Paller's notice contained so few details about what might have happened that it isn't much more than an urban legend.
'Who did it? ... When did it occur?'
"SANS director confirms the CIA confirmed ... absolutely nothing," Rosenberger wrote in a stinging rebuke. "Who did it? Paller doesn't know. When did they do it? Paller doesn't know. Where did it occur? Paller doesn't know. Why did they do it? Paller doesn't know."
Asked about the dearth of information last week, Paller said the CIA has clammed up and is offering no additional information.
"It is very thin on data," he conceded. "But clearly (the CIA) thinks things need to be fixed for some reason."
The CIA, for its part, wouldn't offer additional comment on the reports, other than to confirm Donahue's quote as accurate.
But one thing is clear: We are in for another round of digital Pearl Harbor discussions.
The revival is at least partly grounded in reality: The big back-end computers that run power plants – known as SCADA systems, short for Supervisory Control And Data Acquisition – are increasingly linked to front-end business systems.
A decade ago, these systems were isolated and arcane, making them virtually impervious to outside hacker attack. But even with the increased scrutiny on homeland security after the Sept. 11 attacks, SCADA systems are increasingly connected to the outside world. That makes them a much easier mark for hackers.
The temptation of connectivity
The temptation to connect SCADA systems to the Internet is just too great, according to one Department of Homeland Security official, who spoke on condition of anonymity. Many utilities own plants spread over wide distances, making Web access important if they want to monitor their facilities remotely.
Since about 85 percent of utility computers are owned by private industry, there is constant pressure to implement cost savings like remote monitoring, the official said. But the more wired power plants are, the greater the risk.
Counterpane security expert Bruce Schneier says far too much is made of most cyberterror warnings.
"There's nothing like a vague unsubstantiated rumor to forestall reasoned discussion," he wrote on his blog, Schneier on Security. As for the CIA-sourced extortion plot, he wrote, "I'm more than a bit skeptical."
That doesn't mean the threat's not real, he added in an interview. And he's glad national infrastructure security is now getting extra attention, whatever the reason.
"Talk of cyberterrorism is often just hype. But is getting the right things for the wrong reason good or bad?" he asked. "I like this kind of security to get more attention. ... The reality is these systems are vulnerable."
Critical infrastructure computers were getting more attention even before the recent rumors surfaced, said Will Pelgrin, director of the New York State Office of Cyber Security. A working group, including hundreds of professionals and the Idaho National Laboratory, is constantly probing utility systems for potential weaknesses. They've also developed security specifications and designed sample purchase orders to help smaller utility companies build security directly into their products.
Experts welcome the attention
Pelgrin wouldn't discuss the CIA report, but essentially echoed Schneier's point of view.
"Regardless of the fact or fiction, we need to make sure these computers are secured," he said.
Just last week, the Federal Energy Regulatory Commission issued strict new guidelines for cybersecurity at power facilities. Some point to that news as possible motivation for the CIA to call out utility firms and call attention to the risks.
Regardless of the latest truth-or-hype debate, computer security experts have a delicate job to do, one not unlike dentists who warn about the ill-effects of infrequent checkups or mechanics who urge frequent oil changes.
Warnings of potential disasters can come across as fear-mongering -- until something genuinely bad happens, at which point it's too late to heed the advice. So those who issue such warnings about cybersecurity must walk a delicate line, talking about worst-case scenarios to motivate security improvements without sounding too melodramatic.
The phrase “digital Pearl Harbor,” which once motivated the White House to create the position of national cyberczar, is now generally treated as a bad joke by security professionals.
But the best way to judge the success or failure of those experts trying to keep these power grid systems safe might be this: Years from now, when someone says digital Pearl Harbor, will we still be laughing?