Critical Infrastructure Protection: As Cyberwar Scenarios Fail to Materialize, Are We Focusing on the Wrong Threats?

A number of recent high-profile attacks on critical infrastructures in several countries have raised concerns about protecting vital public assets. While many experts have long predicted a “Digital Pearl Harbor” involving high-tech cyberattacks, these operations have been carried out as low-tech attacks using angle grinders and explosives. Are we preparing for the wrong threats, mesmerized by the prospect of extremely sophisticated low-likelihood, high-impact incidents?

For decades, some security experts and media alike have been touting the specter of “cyberwar” – the disruption or destruction of critical assets essential to the functioning of society by operatives who exploit vulnerabilities in digital networks. Such scenarios often envisage shadowy actors, directly or indirectly controlled by hostile state agencies, burrowing into another nation’s vital systems over time, only to suddenly shut them down in an instant without warning when their governments order them to do so during a crisis or military confrontation, bringing the targeted country to its knees through the failure of its infrastructure backbone.

At this point, the narrative goes, the hackers will open dams and floodgates, delete crucial data, overload energy transmission networks, or hijack command and control systems for airports, hospitals, and similar facilities, while their governments avoid accountability due to the difficulty of attributing such operations to state actors. For several decades, these fears have been summarized in the notion of a “Digital Pearl Harbor” – a sudden, violent, devastating attack in the virtual battlespace, carried out at low cost, low risk, and with little effort thanks to the pervasiveness and vulnerability of computer networks.

Four fallacies about cyberattacks

Myriam Dunn Cavelty, Senior Lecturer for Security Studies and Deputy for Research and Teaching at the Center for Security Studies (CSS) at ETH Zurich in Switzerland, thinks that such scenarios are too simplistic. “The assumption that all cyberattacks are cheap and easy – and therefore the logical weapon of choice – is wrong,” she told Supertrends.

In a recent paper titled “Goodbye Cyberwar: Ukraine as Reality Check”, which she co-authored with her colleague Lennart Maschmeyer, she criticizes the prevalent “cyberwar” narrative and lists four fallacies about the “Digital Pearl Harbor” scenario.

First of all, the idea that every vulnerability will be exploited is wrong. In reality, the authors argue, the existence of a vulnerability reveals nothing about why, how, and when it would make sense for an adversary to exploit it.

Second, contrary to popular belief, a network intrusion in and of itself is not proof of success. Rather, the success of any operation depends on the political or strategic effects that it achieves.

Third, while it may appear that digital cyberwar tools are cheap and easy to use, the fact is that realizing strategic goals with controlled, targeted attacks is “hard, complicated, and risky,” as Dunn Cavelty and Maschmeyer argue. The final fallacy is that cyberwar operations can be deployed at short notice, like conventional weapons. In reality, they take months, if not years, to prepare and deliver, and must be integrated into chains of command. The perpetrator cannot simply “pull the trigger”.

‘Largely unnoticed’ incidents

These fallacies may explain why threat scenarios of widespread cyberattacks have mostly failed to materialize since the beginning of the invasion of Ukraine by Russia, which had been regarded as having some of the most formidable capabilities in this field. So far, these capabilities appear to have been largely overblown. While the threat against critical infrastructures is real, and should certainly not be discounted, it has not materialized as predicted, either on the expected scale or in terms of sophistication.

Cyberattacks have occurred, for example in Estonia, where the banking sector was targeted in August 2022 in a campaign for which Russian actors were blamed, but which came nowhere close to crippling the economy or bringing society to its knees. Those cyberattacks were described by Luukas Ilves, undersecretary for digital transformation at Estonia’s Ministry of Economic Affairs and Communications, as “the most extensive cyber attacks […] since 2007”. However, as Ilves clarified: “With some brief and minor exceptions, websites remained fully available throughout the day. The attack has gone largely unnoticed in Estonia.”

Other events that were initially reported as serious attacks by Russian hacker groups against critical infrastructure proved, upon closer examination, to be exaggerated, such as a reported cyberattack against several US airports in October 2022. As later transpired, all that happened was that websites providing flight information had been subjected to denial-of-service attacks, creating a minor inconvenience for travelers while the airports’ operations remained unaffected.

‘Brute-force’ attacks

This is not to say, however, that there have been no attacks on critical infrastructure at all. For example, since Russia invaded its neighbor in February 2022, it has inflicted countless strikes, including with artillery and drones, on the country’s civilian energy infrastructure. Meanwhile, Germany – a supplier of arms and equipment to Ukraine – has experienced two of the most serious attacks on its national infrastructure in recent memory.

On 26 September 2022, the Nord Stream 2 underwater pipeline, which had been built at a cost of €9.5 billion to convey Siberian gas from Russia to Germany via the Baltic Sea but was never commissioned due to Moscow’s war of aggression, was hit by a series of explosions attributed to sabotage by an unknown actor. The resulting damage to the pipeline rendered it unusable, and most likely also irreparable.

On 26 September 2022, the Nord Stream 2 underwater pipeline was hit by a series of explosions attributed to sabotage by an unknown actor. (Right: Drone view of an underwater explosion and gas leak on the sea surface)

Less than two weeks later, on 8 October, Germany’s national railway operator Deutsche Bahn experienced a large-scale failure of its GSM-R communications network, a key element of the European Train Control System (ETCS). This caused a complete breakdown of rail traffic across northern Germany and adjoining European networks. As soon became clear, this was not an accident: In quick succession, the unknown perpetrators had targeted a digital transmission hub as well as its backup facility, in two different locations over 500 kilometers apart. In both cases, they gained access to cable ducts covered by heavy concrete slabs and sliced through the cable bundles with an angle grinder.

Distracted by cyber-doom

It’s notable that these attacks against critical infrastructures involved low-tech “kinetic” weapons rather than highly sophisticated penetrations or manipulations of digital networks. Instead of relying on high-tech tools to exploit hidden digital vulnerabilities, the perpetrators relied on “brute-force attacks” in the literal sense. Have we therefore been preparing for the wrong threats? Instead of focusing on low-likelihood cyberwar scenarios with potentially devastating impacts, should we spend more effort on hardening our facilities and infrastructures against bad actors wielding bombs, hammers, backhoes, and angle grinders?

Myriam Dunn Cavelty certainly thinks so. When it comes to attacks in the digital sphere, “targeted and destructive effects, delivered at a specific time, are very hard to pull off, and the likelihood that something goes wrong during the operation is very high. Using old-fashioned means like bombs or explosives is much more efficient,” she told Supertrends. “Mounting evidence shows that cyber-attacks are relatively slow, ineffective, and unreliable.”

The rise of digital technology was accompanied from the start by “cyber-doom” scenarios. Societies increasingly dependent on networked elements, such as supervisory control and data acquisition (SCADA) control systems, in critical infrastructures like energy generation and transmission facilities, potable and wastewater systems, hospitals, etc. seemed suddenly vulnerable to new threats and risks.

Prompted by fears of future cyberwarfare operations that could disable or destroy key elements of daily life, governments built up both defensive and offensive capabilities.

However, experts may have consistently underestimated the practical difficulties of carrying out cyberattacks on a massive scale, while at the same time overestimating the value of such attacks in terms of achieving strategic aims. As Dunn Cavelty and Maschmeyer note, cyber operations can be useful for intelligence-gathering and influence operations to amplify divisions in society. However, the threats to critical infrastructures are more likely to come from elsewhere.

“The hyperbolic term ‘cyberwar’ has distorted the debate for almost 30 years. It is high time to stop waiting for a cyberwar that will not come,” they conclude.


Chris Findlay

I'm a journalist, editor, and translator based in Zurich, Switzerland. I write about technology and future timelines at supertrends.com, where I also help expand the community as Expert Relationship Manager.
