Responses in reaction to the following statement
were assembled from a select group of 1,286 Internet stakeholders
in the fall 2004 Pew Internet & American Life "Experts Survey."
The survey allowed respondents to select from the choices "agree,"
"disagree" or "I challenge" the predictive
statement. Some respondents chose to expand on their answer
to this statement by accepting the invitation to write an explanation
of their position; many did not. Some respondents chose to indentify
themselves with their answer; many did not. We share some -
not all - of the responses here. Workplaces of respondents whose
reactions are listed below are attributed here only for the
purpose of indicating a level of internet expertise; the statements
reflect personal viewpoints and do not represent their companies'
or government agencies' policies or positions. Some answers
have been edited in order to share more respondents' replies.
Below is a selection of the many carefully considered responses
to the following statement:
Prediction on attacks on network infrastructure
At least one devastating
attack will occur in the next 10 years on the networked information
infrastructure or the country's power grid.
from the 1,286 respondents:
66 % of internet experts agreed
7 % challenged the prediction
16% did not respond
It will happen because such an attack would have devastating
effects on a country's economy. However, I see no reason for
confining such an attack to the United States. All that is necessary
is to show that it is possible and to demonstrate the magnitude
of the disruption. After that, all of the governments and businesses
will have to spend huge amounts of money to harden the target.
That will put an enormous strain on the respective economies,
and that is the primary goal of many terrorist organizations.
The attack on the World Trade Center was an attack on the economic
power of the United States. All military power is actually a
form of economic power. - Robert Lunn, FocalPoint Analytics/senior
researcher, 2004 USC Digital Future Project
It's already happened, several times, in the form of maliciously
disruptive viruses and worms. - Reid Ashe, CEO Media General
When World-Pay is off air for days on end does that count as
a devastating attack? When a major hub (and the region is serves)
is off air four hours on end does it matter that the fire/power
failure was accidental or terrorist? When your ISP is off air
for hours on end during a series of DOS/DDOS is that a devastating
attack? Those running 2-hour, just-in-time delivery services,
let alone life-support services, cannot afford to rely on the
Internet. It is too fragile (physical as well as logical). -
Philip Virgo, secretary general of EURIM, the UK-based Parliament
Industry Group/IMIS - UK-based professional body for management
of information systems
If we include economic devastation, it's inevitable that we'll
see a number of companies and industries up-ended by cracking
and by other (more ambiguous) forms of online activity (like
file sharing, which arguably has already had devastating economic
consequences). If we mean devastating in the sense of directly
causing loss of life or injury, it's much harder to predict.
To date there are no recorded instances of cyberterrorism (defined
by loss of life or harm to human health), which calls into question
all the dire predictions about potential online attacks. -
Alexandra Samuel, Harvard University, Cairns Project (New York
This cannot be disputed, and both the network and the power
grid will fall victim. In the case of the former, software attack
is as effective as attacking the hardware infrastructure. In
the case of both, there is a huge quantity of hardware infrastructure
and outside plant is particularly vulnerable. It is impossible
to be completely secure until after attack. The security of
the internet is too much reliant upon self policing and private
sector companies. Government-enforced minimum standards of security
are the answer, but I do not see governments having the will
or the means to do this. Attacking physical infrastructure has
been proven to be both easy and effective and terrorists have
targeted physical infrastructure for as long as there has been
such infrastructure. The troubles in Northern Ireland, the Basque
region, the Red Army Faction and the Red Brigades have all demonstrated
how easy it is for domestic terrorists to attack physical infrastructure
and foreign extremists, with no interest in self preservation
will find it even easier. Minimal in-country support is required.
Whilst the USA regards itself under attack, its experience of
terrorism is nothing in comparison with Europe; getting hold
of firearms and explosives is simple, and its security will
be easy to breach. - Steve Coppins, broadband manager, South
East England Development Agency, Siemens
This is the biggest vulnerability to Western lifestyles. But
the growth of grid computing may mitigate the risk to networked
information infrastructure. The weak link remains power generation.
- Kate Carruthers, Carruthers Consulting
These attacks occur daily from advertisers, malware, spyware
and other data-mining techniques. If left unabated, the most
influential "attacks" will be from businesses that prey on the
uninformed, slowing computers down with pernicious software
and turning Internet exploration into a dangerous activity.
- Andy Opel, Ph.D, Dept. of Communication, Florida State
The Internet experiences a multitude of attacks on a daily basis.
They come from hackers who enjoy disrupting the flow of information.
Some of these attacks have indeed been devastating to the targeted
individuals or institutions. However, attacking the flow of
information is different from attacking the power grid. The
power grid, while vulnerable to attack, also contains robustness
due to its immense size. - Jorge Reina Schement, Penn State
When I interviewed John Koskinen, President Clinton's Y2K advisor
in 1999, he was working overtime to see that the "rivets didn't
fall out of the Golden Gate Bridge of the nation's technology
infrastructure," both here and abroad, in those jurisdictions
in which he could assert any control or recommendations that
might be adhered to. Thinking about the consequences of a national
or international IT infrastructure blackout can be mind-boggling.
Being prepared and persistently vigilant can help. There are
some bad elements out there, they are a tiny percentage of the
general population, and over time, they have consistently wreaked
havoc on the rest, but need not ruin any forward progress we
achieve in humane directions. It's been five years since Y2K
scenarios washed over and you're not just now climbing out of
a mountain shelter, are you? What we need to keep a second eye
on is the effect that such scenarios create in terms of spooking
entire populations. Sure, there are wolves, but we need not
be sheep. - Victor Rivero, technology editor/writer/consultant
Not if "devastating" means something like "no internet for 24
hours." It's way too decentralized for that. - Fred Hapgood,
I'm not sure what you mean by "devastating." We see roughly
one devastating attack every 6-12 months. Do you mean an attack
with loss of life? - Simson Garfinkel, Sandstorm Enterprises/Technology
There will be many such attacks - the war on terrorism will
never be won and will always be fought. - Bob Metcalfe,
Polaris Venture Partners
Government has not taken a leadership role in safeguarding the
infrastructure, so that security measures are fragmented. Particularly
in the current political climate, I see no reason to expect
meaningful change in this area. It is not amenable to the self-coordinated
efforts of the private sector. It requires not only governmental
coordination, but intergovernmental cooperation. Furthermore,
the greatest threats to security are not technological, but
human. Creating environments and training programs that discourage
lapses in security procedures has not been a priority. I believe
it is security guru Bruce Schneir who has pointed out that security
all comes down to walls and guards and systems that "fail well."
Most of our systems have not been built with these factors prominently
in mind. - Lois Ambash, Metaforix Incorporated
The Internet is important enough to attack even now and will
be even more significant in the future. Terrorists, particularly
of the nihilist type now evident in places like Iraq, will see
the Internet as a good target for disrupting the Western economy
and society. - Stanley Chodorow, University of California,
Multiple attacks on the networked information infrastructure
over the coming decade will cause many people to disconnect
and disengage from today's Internet. This will be due to a wide
range of concerns, from privacy and security to erosion of their
trust in its availability and even to their boredom and declining
interest in needing to maintain breaking systems. - Dan
I don't think this is possible. Although there are many individual
organizations that are poorly protected from attacks, most have
good defense in place. The power grid is not directly related
to the Internet. The power grid is a national security manner.
It has always been subject to attack, and has always been heavily
fortified and defended by routing around breaks in the network.
In the U.S. specifically, the grid is not one grid, but about
six grids that are not interconnected. You could take out one,
but you would have to attack more than one to take out the country.
- Mike Weisman, Seattle attorney/Reclaim the Media
It might occur, but not with necessity. In assessing the accuracy
of such predictions, one needs to take into account the agenda
that they serve. They might want to increase the alertness of
those responsible to guard their systems against possible attacks.
And they might also want to nourish public fear, in order to
justify more restrictive handling of public liberties. -
Albrecht Hofheinz, University of Oslo
The Internet is by its nature robust, so the network will always
survive: ''The Net interprets censorship as damage, and routes
around it'' - John Gilmore. If the power grid is attacked, that
will not be the Internet's fault, but based on how the power
grid is established and managed such as positioning of mission
critical systems on an insecure intranet. The Internet itself
does not have any inherent weaknesses that would endanger the
power grid. - William Stewart LivingInternet.com
I'm concerned that most local governments (city/county level)
in the U.S., and around the world, are not cognizant of the
need to maintain cyber-security. Given the inter-connectedness
of government networks, I can visualize ways in which an attack
on a city system could cascade to take out utility or public
safety nets regionally or even nation wide. - Tom Foss,
UNC School of Government/Center for Public Technology
ELF, al-Qaeda, disgruntled ''patriots,'' enterprise crime groups
located outside the U.S., ''because we can'' hackers, and (hello
FirstEnergy; hello all you corporations whose web sites have
exposed Social Security and credit card numbers and other sensitive
data) sheer stupidity within the corporate world and its wholly-owned
subsidiary, government, are all suspects in the coming attacks.
The larger Goliath is, and the more we rely on him, the better
a target he is for sending a message. - Michael Buerger,
Bowling Green State University (Ohio), Police Futurists International/Futures
Forces in commerce and society fear the distributed nature of
the internet and are working diligently to layer centralized
control on top of the internet. It is the centralized structures
that are vulnerable to attack and will be the ones to topple.
Of course, the rest of the internet will merrily chug along.
- Scott Moore, Charles and Helen Schwab Foundation
This is too tempting a target, is used for so many commercial
transactions, and there are very motivated crazy people out
there who have demonstrated their intention to disrupt and/or
demolish our country. I completely belief it is just a matter
of time. I just hope everyone has a backup file! - Taryn
Tarantino, MarketSource, an Internet marketing company
Loss of power or information to tens or hundreds of millions
for days or weeks will be psychologically more terrifying than
the loss of tens or hundreds of thousands of American lives.
The magnitude of power or information failure for days or weeks
is so great, it is likely to destabilize the e-economy not to
mention bring social breakdown to an advanced information and
technology society such as ours. Consider what happened in New
York City when the lights went off for a day. - Stan Faryna,
president Faryna & Associates Inc. (technology, design, communications)
I challenge the way you ask the question. The networked information
infrastructure is not a national infrastructure - for the U.S.
or any nation. The power grid of the U.S. may be able to work
in isolation from the rest of the world, but the U.S. is unable
to meet the demands for all kinds of energy with domestic sources.
Thus, power is a border-crossing phenomenon as well. Strange
that it seems to be so hard for U.S. citizens to wrap their
minds around. So the real question is: Will one devastating
attack occur in the next 10 years on the networked information
infrastructure or an important source of energy. The answer
is that both are happening all the time. - Charlie Breindahl,
University of Copenhagen
Terrorism use a lot of networks and as communications will be
more and more important, they will attack in this new environment.
- Jerome Jolion, State of Geneva - CTI
With greater centralisation of internet networks and the continued
hegemony of software and other technology of a few super-companies
(including Google), a single big virus or other security blow
will be enough to bring down much of the internet. - Bornali
Halder, World Development Movement
I think there will be several different types ranging from more
sophisticated computer viruses, morally questionable content
bombarding youth, electronic ''bank robberies'' as well as attacks
on the networked information infrastructure or a country's power
grid. Not just one, but many. - Linda Hurt, systems analyst,
Office of Personnel Management
And the following are from predictors who chose to remain
anonymous: [Workplaces of respondents whose reactions are listed
below include the National Association of Regulatory Utility
Commissions, FAA, RAND, Microsoft, Harvard, the Open Society
Institute, MIT, Internet2, AOL, the National Center for Technology
and Law, IBM, Sapient Corporation, Netcraft, Consumer Reports
WebWatch, U.S. Court of Appeals, Resource Interactive, Venture
Growth LLC, Google, Stanford University, British Airways, Indiana
University, University of Michigan, Citigroup, Social Security
Administration, Navy, USDA Rural Development, U.S. Department
of Justice, Optiem, the University of Iowa and others.]
We have already seen the release of a "zero day" virus (a virus
for which no patch is available) whose aim was the theft of
personal financial information. Within the next decade, a "zero
day" virus will be launched which will compromise the financial
data of millions of users within a very short period of time
(a few hours or less). Banks will scramble to contain the damage.
Well, in a sense I agree: I have seen large attacks already
happen, e.g. against the Microsoft servers. But technology is
not sitting still, and our defenses are continuously improving.
I am an optimist, and I believe that defenses will improve quickly
enough to ensure the next attack is not "devastating".
I might disagree with the word "devastating." I think there
will be an attack, but I am not convinced that the impact will
be as great as we might fear it will be.
There may indeed be attacks, but I doubt that "devastating"
will be the result. The net is resilient - it was designed to
be so. Now the power grid may be a different story ...
Countries such as North Korea are already training hackers for
use in the national military.
Not if we can help it ... and we're trying.
As the value of the infrastructure increases, the power to use
it or disable it becomes a more politically palpable tool for
good or ill.
That's the next logical step for terrorism. Bring this country
to its knees with its cyberinfrastructure vulnerability.
Security, and correctness of implementation more generally,
is not taken seriously by the computer industry. Small wonder:
taking correctness seriously would increase the cost of everything
computer-related perhaps by an order of magnitude. Only catastrophic
attacks could change the attitude.
Definitely; probably on both.
There is considerable, and growing, redundancy and resilience.
An attack will very likely occur, but its severity will be more
like a typical hurricane or earthquake - troublesome, repairable,
but not "devastating."
Fundamental Islam understands how the West works and will seek
to attack key economic and profile targets.
Hundreds of thousands of attacks happen each week, "devastating"
means one is successful - one is not likely to lose money on
Terrorists these days are smart and will go for the basic infrastructures.
Also, while computers are great and help things work better,
we need to not forget how to survive without in the event of
such an emergency. We need a traditional non-computerized backup.
It's an obvious target for terrorits or hackers ... and as we
know, it will take such an attack for the "establishment" (especially
lazy tech/software companies) to fix the numerous security problems
that plague the net ... but ironically, without the net, it
is the small disenfranchised groups, like small cults or terrorists
who will be most harmed ... since it provides them with vast
power that would otherwise be reserved for massive corporations
or governments ... if they take it down, they are likely to
go down with it.
Not if the network is designed well and has numerous redundancies.
The current mesh network is very robust and was designed to
deal with many types of grievous attacks.
Given the current terrorist context we live in and the interest
in hackers to show off their skills this is inevitable - as
is the unfortunate human quality to only fix the problem once
it has occurred.
Depends on what you mean by devastating. If you mean very costly,
yes. If you mean a failure that cascades to other segments of
society, with widespread suffering or loss of life, then no.
The question, though, is how we'll weather it. Maybe it will
just cause a holiday where we come, blinking, out into the sunlight
for an afternoon.
There will be power grid failures without attacks.
There is no reason to assume that there will be a devastating
attack. The internet has already survived the worst attack (911)
on the U.S. Efforts continue to harden the infrastucture. The
power grid will also benefit from IP infrastructure, as broadband
over powerlines is providing an excellent way to monitor and
manage network elements in the power grid.
We have worked to harden the network. That said, the Internet
was built to withstand a decentralized attack. It remains an
open issue as to what might happen if the attack was more focused.
The country is so reliant on the network from a business and
financial perspective it is highly likely that such an attack
will be attempted. How effective it will be is another matter.
The redundancy that has been created will go a long way toward
diluting the potential impact.
I believe it will take that in order for governments, companies
and organizations to make the needed investment in security.
This has been predicted for many years without fulfillment,
especially by Richard Clarke. However, the same was true of
megaterrorist attacks prior to 9-11. I hope Clarke is wrong
this time, but he's probably not.
Well, it depends what you mean by "attack" and by "devastating."
We are just as vulnerable to system failures as in the blackout
of East Central U.S. in 2003. I believe similar outages are
likely, and will create the same kind of chaos. Will they be
deliberate - quite possibly, and as likely to be instigated
by mischievous "hackers" as any politically motivated group.
By attack, you may mean a technical meltdown (similar to what
we've seen in past decades) as well as a hostile assault. I
strongly agree that some problems will arise... chaos theory
almost assures such an attack in the Internet structure... tectonic
plates will shift!
Security is non-existent. - Anonymous security consultant
I think for those who are interested in carrying out devastating
attacks, there are easier, lower tech, and higher media-value
I'd modify that to be ''attack or event'' - I don't discount
devastation as the result of ineptitude or poor planning.
Control networks are not secure and they reflect monolithic,
siloed, closed, proprietary and centralized/decentralized architectures.
Control networks are our largest vulnerability in the U.S.,
in the WORLD: Critical Infrastructure Air, Sea, Land and Space.
4th-generation computing and regulation can help, but we have
to get moving. Industry needs to lead or be compelled.
These kinds of attacks, or at least the nascent form of them,
are probably already happening and we don't hear anything about
it for security reasons.
[It is] inevitable that terrorists will attack the infrastructure,
since it is becoming a symbol of Western cultural values.
The Internet, while it makes our lives so much easier and productive
makes us extremely vulnerable. When your way of life is fully
electronic...all one has to do is cut the power and watch us
flounder. A recent Yahoo! Internet deprivation study showed
how people ''lost'' their ability to manage certain life tasks
(like going to the phone book to look up a number - give me
a break!) when their access to the Net was gone. Extreme reliance
on the Net makes us less resourceful as human beings - beware,
this is scary.
Setting aside the obvious threat of terrorism, in terms of attempts
at political or economic disruption, I think it is highly likely
that a ''hacker'' will launch a significant attach to demonstrate
our vulnerability. My understanding is that of some members
of the hacker subculture are activists of a kind. They seek
to reveal the limitations of the technology in order to improve
Our society's security is built on a high level of trust. This
is especially true of our information infrastructure. If bitter
enemies (like Al Qaeda) do not succeed in attacking it, vandals
(like hackers) almost certainly will.
Power systems have already shown themselves to be vulnerable,
as seen in the 2002 power outage across the NE United States.
Communications systems are less obvious fragile, but the increase
in users of the internet, without infrastructure development
suggests to me that this is likely to happen soon.
This will of course foster more thought of fault tolerance and
I think the systems are sufficiently adept to avoid a situation
that would be termed ''devastating.'' There may be incidents
but the likelier near term stress will be on the capacity of
the systems themselves. This gradual pressure will be a greater
force and factor to reckon with than any single, momentary attack.
Whenever an unchecked power dominates, marginalized communities
take it upon themselves to challenge that authority. The network
infrastructure has become such a powerful tool.
My only disagreement might be that I think the ''or'' is optimistic.
I would predict significant and successful attacks on both.
The targets are as symbolically significant as the World Trade
Center or the Pentagon. Attempts to thoroughly disrupt, corrupt
or dominate the information infrastructure seem inevitable.
The vulnerabilities are too well documented and already seem
to invite sociopaths, egomaniacs and nihilists; how far behind
can the terrorists be? Power grids are tied to the nets, why
not a combined attack? The power grid is symbolic in another
way as well, reflecting the gluttony for energy and other natural
resources that is represented by the West. This attack could
come from Western ecoterrorists as easily as from foreign sources.
Considering information infrastructural ''protection'' is largely
left to the free market private sector, it seems likely that
there will be at least some big companies that fail to invest
in their network stability ... and, certainly the deregulated
power grids have shown no great capacity to keep up their technologies
for the public interest ... they'll let them rot as long as
there's more (short-term) profit in leaving them poorly serviced.
We already know the terrorists have been thinking about and
planning this. Our power grids are based on the 1890s infrastructure,
without advanced security updates for the modern information
age. We are vulnerable. And yet, congress and the president
still cannot agree on an energy policy to upgrade everything.
Both are too decentralized to make it worth it, and neither
makes great press. Blood and gore and death have greater emotional
impact. Besides, why attack the U.S.'s power grid when it is
so poor as to black out an entire section of the country on
its own? (If terrorists could figure out a weak point, sure,
but they want carnage.)
We have already seen a major problem with the country's power
grid; this one wasn't even an attack. Imagine what someone really
trying to cause harm could do. As for the network infrastructure,
anything that we become increasingly dependent on will be subject
It took 20-30 years for the theory of commerce warfare to be
implemented from theorization in France to implementation by
Germany in World War I. Ten years is about half that and is
Attacks on these structures may happen, but ''devastation''
is unlikely. I'm still much more frightened of a typical truck
bomb, which is much easier to construct and deliver than a complicated
attack on a power grid or information infrastructure - something
that would cause frustration and annoyance, rather than mass
My understanding is that disruption of the top-level DNS servers
could be devastating. If our top-level infrastructure is decentralized
and fail-over servers are available, one hopes that disruption
would be minimal. Organized crime/terrorists must certainly
be considering cyber crime since our society is so reliant on
There will be devastating attempts, but they will be prevented
by the InfoSec teams.
The toolsets are available to those who would like to do so
the monoculture of Microsoft environments does nothing but encourage
such an attack.
Commercial vendors have no interest in common security solutions.
The monopoly position of Microsoft will emphasize the ease by
which IT systems will be attacks or compromised on a large scale.
Devastating for some, but not all or not for a long time period,
however. I believe a power supply grid attack would likely devastate
a region, but if that region is later isolated, the rest would
function normally. A network information infrastructure attack
that was physical, would have similar impact as on the power
grid. A ''virtual'' network attack could devastate a larger
portion of the network, but probably for a shorter time period.
It's inevitable: the Internet is the Mount Everest of hackers,
and terrorists are bound to find it more irresistible the more
dependent we become on it.
Technology is simply moving to fast to allow for the proactive
protection of the infrastructure. Only catastrophes bring the
necessary attention to ''the grid,'' I wish it were otherwise,
but it's simple human nature.