Elon University

The 2004 Survey: Prediction on attacks on network infrastructure

Responses in reaction to the following statement were assembled from a select group of 1,286 Internet stakeholders in the fall 2004 Pew Internet & American Life Predictions Survey. The survey allowed respondents to select from the choices “agree,” “disagree” or “I challenge” the predictive statement. Some respondents chose to expand on their answer, writing an explanation of their position; many did not. Some respondents chose to identify themselves with each answer; many did not. We share some – not all – of the responses here. Workplaces of respondents whose reactions are listed below are attributed here only for the purpose of indicating a level of internet expertise; the statements reflect personal viewpoints and do not represent their companies’ or government agencies’ policies or positions. Some answers have been edited in order to share more respondents’ replies. Below is a selection of the many carefully considered responses to the following statement.

At least one devastating attack will occur in the next 10 years on the networked information infrastructure or the country’s power grid.

Compiled reactions from the 1,286 respondents:
  66% of internet experts agreed
  11% disagreed
  7% challenged the prediction
  16% did not respond

It will happen because such an attack would have devastating effects on a country’s economy. However, I see no reason for confining such an attack to the United States. All that is necessary is to show that it is possible and to demonstrate the magnitude of the disruption. After that, all of the governments and businesses will have to spend huge amounts of money to harden the target. That will put an enormous strain on the respective economies, and that is the primary goal of many terrorist organizations. The attack on the World Trade Center was an attack on the economic power of the United States. All military power is actually a form of economic power. – Robert Lunn, FocalPoint Analytics/senior researcher, 2004 USC Digital Future Project

It’s already happened, several times, in the form of maliciously disruptive viruses and worms. – Reid Ashe, CEO Media General

When World-Pay is off air for days on end does that count as a devastating attack? When a major hub (and the region it serves) is off air four hours on end does it matter that the fire/power failure was accidental or terrorist? When your ISP is off air for hours on end during a series of DOS/DDOS is that a devastating attack? Those running 2-hour, just-in-time delivery services, let alone life-support services, cannot afford to rely on the Internet. It is too fragile (physical as well as logical). – Philip Virgo, secretary general of EURIM, the UK-based Parliament Industry Group/IMIS – UK-based professional body for management of information systems

If we include economic devastation, it’s inevitable that we’ll see a number of companies and industries up-ended by cracking and by other (more ambiguous) forms of online activity (like file sharing, which arguably has already had devastating economic consequences). If we mean devastating in the sense of directly causing loss of life or injury, it’s much harder to predict. To date there are no recorded instances of cyberterrorism (defined by loss of life or harm to human health), which calls into question all the dire predictions about potential online attacks. – Alexandra Samuel, Harvard University, Cairns Project (New York Law School)

This cannot be disputed, and both the network and the power grid will fall victim. In the case of the former, software attack is as effective as attacking the hardware infrastructure. In the case of both, there is a huge quantity of hardware infrastructure and outside plant is particularly vulnerable. It is impossible to be completely secure until after attack. The security of the internet is too much reliant upon self policing and private sector companies. Government-enforced minimum standards of security are the answer, but I do not see governments having the will or the means to do this. Attacking physical infrastructure has been proven to be both easy and effective and terrorists have targeted physical infrastructure for as long as there has been such infrastructure. The troubles in Northern Ireland, the Basque region, the Red Army Faction and the Red Brigades have all demonstrated how easy it is for domestic terrorists to attack physical infrastructure and foreign extremists, with no interest in self preservation will find it even easier. Minimal in-country support is required. Whilst the USA regards itself under attack, its experience of terrorism is nothing in comparison with Europe; getting hold of firearms and explosives is simple, and its security will be easy to breach. – Steve Coppins, broadband manager, South East England Development Agency, Siemens

This is the biggest vulnerability to Western lifestyles. But the growth of grid computing may mitigate the risk to networked information infrastructure. The weak link remains power generation. – Kate Carruthers, Carruthers Consulting

These attacks occur daily from advertisers, malware, spyware and other data-mining techniques. If left unabated, the most influential “attacks” will be from businesses that prey on the uninformed, slowing computers down with pernicious software and turning Internet exploration into a dangerous activity. – Andy Opel, Ph.D, Dept. of Communication, Florida State University

The Internet experiences a multitude of attacks on a daily basis. They come from hackers who enjoy disrupting the flow of information. Some of these attacks have indeed been devastating to the targeted individuals or institutions. However, attacking the flow of information is different from attacking the power grid. The power grid, while vulnerable to attack, also contains robustness due to its immense size. – Jorge Reina Schement, Penn State University

When I interviewed John Koskinen, President Clinton’s Y2K advisor in 1999, he was working overtime to see that the “rivets didn’t fall out of the Golden Gate Bridge of the nation’s technology infrastructure,” both here and abroad, in those jurisdictions in which he could assert any control or recommendations that might be adhered to. Thinking about the consequences of a national or international IT infrastructure blackout can be mind-boggling. Being prepared and persistently vigilant can help. There are some bad elements out there, they are a tiny percentage of the general population, and over time, they have consistently wreaked havoc on the rest, but need not ruin any forward progress we achieve in humane directions. It’s been five years since Y2K scenarios washed over and you’re not just now climbing out of a mountain shelter, are you? What we need to keep a second eye on is the effect that such scenarios create in terms of spooking entire populations. Sure, there are wolves, but we need not be sheep. – Victor Rivero, technology editor/writer/consultant

Not if “devastating” means something like “no internet for 24 hours.” It’s way too decentralized for that. – Fred Hapgood, Output Ltd.

I’m not sure what you mean by “devastating.” We see roughly one devastating attack every 6-12 months. Do you mean an attack with loss of life? – Simson Garfinkel, Sandstorm Enterprises/Technology Review

There will be many such attacks – the war on terrorism will never be won and will always be fought. – Bob Metcalfe, Polaris Venture Partners

Government has not taken a leadership role in safeguarding the infrastructure, so that security measures are fragmented. Particularly in the current political climate, I see no reason to expect meaningful change in this area. It is not amenable to the self-coordinated efforts of the private sector. It requires not only governmental coordination, but intergovernmental cooperation. Furthermore, the greatest threats to security are not technological, but human. Creating environments and training programs that discourage lapses in security procedures has not been a priority. I believe it is security guru Bruce Schneir who has pointed out that security all comes down to walls and guards and systems that “fail well.” Most of our systems have not been built with these factors prominently in mind. – Lois Ambash, Metaforix Incorporated

The Internet is important enough to attack even now and will be even more significant in the future. Terrorists, particularly of the nihilist type now evident in places like Iraq, will see the Internet as a good target for disrupting the Western economy and society. – Stanley Chodorow, University of California, San Diego

Multiple attacks on the networked information infrastructure over the coming decade will cause many people to disconnect and disengage from today’s Internet. This will be due to a wide range of concerns, from privacy and security to erosion of their trust in its availability and even to their boredom and declining interest in needing to maintain breaking systems. – Dan Ness, MetaFacts

I don’t think this is possible. Although there are many individual organizations that are poorly protected from attacks, most have good defense in place. The power grid is not directly related to the Internet. The power grid is a national security manner. It has always been subject to attack, and has always been heavily fortified and defended by routing around breaks in the network. In the U.S. specifically, the grid is not one grid, but about six grids that are not interconnected. You could take out one, but you would have to attack more than one to take out the country. – Mike Weisman, Seattle attorney/Reclaim the Media

It might occur, but not with necessity. In assessing the accuracy of such predictions, one needs to take into account the agenda that they serve. They might want to increase the alertness of those responsible to guard their systems against possible attacks. And they might also want to nourish public fear, in order to justify more restrictive handling of public liberties. – Albrecht Hofheinz, University of Oslo

The Internet is by its nature robust, so the network will always survive: ”The Net interprets censorship as damage, and routes around it” – John Gilmore. If the power grid is attacked, that will not be the Internet’s fault, but based on how the power grid is established and managed such as positioning of mission critical systems on an insecure intranet. The Internet itself does not have any inherent weaknesses that would endanger the power grid. – William Stewart LivingInternet.com

I’m concerned that most local governments (city/county level) in the U.S., and around the world, are not cognizant of the need to maintain cyber-security. Given the inter-connectedness of government networks, I can visualize ways in which an attack on a city system could cascade to take out utility or public safety nets regionally or even nation wide. – Tom Foss, UNC School of Government/Center for Public Technology

ELF, al-Qaeda, disgruntled ”patriots,” enterprise crime groups located outside the U.S., ”because we can” hackers, and (hello FirstEnergy; hello all you corporations whose web sites have exposed Social Security and credit card numbers and other sensitive data) sheer stupidity within the corporate world and its wholly-owned subsidiary, government, are all suspects in the coming attacks. The larger Goliath is, and the more we rely on him, the better a target he is for sending a message. – Michael Buerger, Bowling Green State University (Ohio), Police Futurists International/Futures Working Group

Forces in commerce and society fear the distributed nature of the internet and are working diligently to layer centralized control on top of the internet. It is the centralized structures that are vulnerable to attack and will be the ones to topple. Of course, the rest of the internet will merrily chug along. – Scott Moore, Charles and Helen Schwab Foundation

This is too tempting a target, is used for so many commercial transactions, and there are very motivated crazy people out there who have demonstrated their intention to disrupt and/or demolish our country. I completely belief it is just a matter of time. I just hope everyone has a backup file! – Taryn Tarantino, MarketSource, an Internet marketing company

Loss of power or information to tens or hundreds of millions for days or weeks will be psychologically more terrifying than the loss of tens or hundreds of thousands of American lives. The magnitude of power or information failure for days or weeks is so great, it is likely to destabilize the e-economy not to mention bring social breakdown to an advanced information and technology society such as ours. Consider what happened in New York City when the lights went off for a day. – Stan Faryna, president Faryna & Associates Inc. (technology, design, communications)

I challenge the way you ask the question. The networked information infrastructure is not a national infrastructure – for the U.S. or any nation. The power grid of the U.S. may be able to work in isolation from the rest of the world, but the U.S. is unable to meet the demands for all kinds of energy with domestic sources. Thus, power is a border-crossing phenomenon as well. Strange that it seems to be so hard for U.S. citizens to wrap their minds around. So the real question is: Will one devastating attack occur in the next 10 years on the networked information infrastructure or an important source of energy. The answer is that both are happening all the time. – Charlie Breindahl, University of Copenhagen

Terrorism use a lot of networks and as communications will be more and more important, they will attack in this new environment. – Jerome Jolion, State of Geneva – CTI

With greater centralisation of internet networks and the continued hegemony of software and other technology of a few super-companies (including Google), a single big virus or other security blow will be enough to bring down much of the internet. – Bornali Halder, World Development Movement

I think there will be several different types ranging from more sophisticated computer viruses, morally questionable content bombarding youth, electronic ”bank robberies” as well as attacks on the networked information infrastructure or a country’s power grid. Not just one, but many.– Linda Hurt, systems analyst, Office of Personnel Management

And the following are from predictors who chose to remain anonymous: [Workplaces of respondents whose reactions are listed below include the National Association of Regulatory Utility Commissions, FAA, RAND, Microsoft, Harvard, the Open Society Institute, MIT, Internet2, AOL, the National Center for Technology and Law, IBM, Sapient Corporation, Netcraft, Consumer Reports WebWatch, U.S. Court of Appeals, Resource Interactive, Venture Growth LLC, Google, Stanford University, British Airways, Indiana University, University of Michigan, Citigroup, Social Security Administration, Navy, USDA Rural Development, U.S. Department of Justice, Optiem, the University of Iowa and others.]

We have already seen the release of a “zero day” virus (a virus for which no patch is available) whose aim was the theft of personal financial information. Within the next decade, a “zero day” virus will be launched which will compromise the financial data of millions of users within a very short period of time (a few hours or less). Banks will scramble to contain the damage.

Well, in a sense I agree: I have seen large attacks already happen, e.g. against the Microsoft servers. But technology is not sitting still, and our defenses are continuously improving. I am an optimist, and I believe that defenses will improve quickly enough to ensure the next attack is not “devastating”.

I might disagree with the word “devastating.” I think there will be an attack, but I am not convinced that the impact will be as great as we might fear it will be.

There may indeed be attacks, but I doubt that “devastating” will be the result. The net is resilient – it was designed to be so. Now the power grid may be a different story …

Countries such as North Korea are already training hackers for use in the national military.

Not if we can help it … and we’re trying.

As the value of the infrastructure increases, the power to use it or disable it becomes a more politically palpable tool for good or ill.

That’s the next logical step for terrorism. Bring this country to its knees with its cyberinfrastructure vulnerability.

Security, and correctness of implementation more generally, is not taken seriously by the computer industry. Small wonder: taking correctness seriously would increase the cost of everything computer-related perhaps by an order of magnitude. Only catastrophic attacks could change the attitude.

Definitely; probably on both.

There is considerable, and growing, redundancy and resilience. An attack will very likely occur, but its severity will be more like a typical hurricane or earthquake – troublesome, repairable, but not “devastating.”

Fundamental Islam understands how the West works and will seek to attack key economic and profile targets.

Hundreds of thousands of attacks happen each week, “devastating” means one is successful – one is not likely to lose money on this bet!

Terrorists these days are smart and will go for the basic infrastructures. Also, while computers are great and help things work better, we need to not forget how to survive without in the event of such an emergency. We need a traditional non-computerized backup.

It’s an obvious target for terrorits or hackers … and as we know, it will take such an attack for the “establishment” (especially lazy tech/software companies) to fix the numerous security problems that plague the net … but ironically, without the net, it is the small disenfranchised groups, like small cults or terrorists who will be most harmed … since it provides them with vast power that would otherwise be reserved for massive corporations or governments … if they take it down, they are likely to go down with it.

Not if the network is designed well and has numerous redundancies. The current mesh network is very robust and was designed to deal with many types of grievous attacks.

Given the current terrorist context we live in and the interest in hackers to show off their skills this is inevitable – as is the unfortunate human quality to only fix the problem once it has occurred.

Depends on what you mean by devastating. If you mean very costly, yes. If you mean a failure that cascades to other segments of society, with widespread suffering or loss of life, then no.

The question, though, is how we’ll weather it. Maybe it will just cause a holiday where we come, blinking, out into the sunlight for an afternoon.

There will be power grid failures without attacks.

There is no reason to assume that there will be a devastating attack. The internet has already survived the worst attack (911) on the U.S. Efforts continue to harden the infrastucture. The power grid will also benefit from IP infrastructure, as broadband over powerlines is providing an excellent way to monitor and manage network elements in the power grid.

We have worked to harden the network. That said, the Internet was built to withstand a decentralized attack. It remains an open issue as to what might happen if the attack was more focused. The country is so reliant on the network from a business and financial perspective it is highly likely that such an attack will be attempted. How effective it will be is another matter. The redundancy that has been created will go a long way toward diluting the potential impact.

I believe it will take that in order for governments, companies and organizations to make the needed investment in security.

This has been predicted for many years without fulfillment, especially by Richard Clarke. However, the same was true of megaterrorist attacks prior to 9-11. I hope Clarke is wrong this time, but he’s probably not.

Well, it depends what you mean by “attack” and by “devastating.” We are just as vulnerable to system failures as in the blackout of East Central U.S. in 2003. I believe similar outages are likely, and will create the same kind of chaos. Will they be deliberate – quite possibly, and as likely to be instigated by mischievous “hackers” as any politically motivated group.

By attack, you may mean a technical meltdown (similar to what we’ve seen in past decades) as well as a hostile assault. I strongly agree that some problems will arise… chaos theory almost assures such an attack in the Internet structure… tectonic plates will shift!

Security is non-existent. – Anonymous security consultant

I think for those who are interested in carrying out devastating attacks, there are easier, lower tech, and higher media-value avenues.

I’d modify that to be ”attack or event” – I don’t discount devastation as the result of ineptitude or poor planning.

Control networks are not secure and they reflect monolithic, siloed, closed, proprietary and centralized/decentralized architectures. Control networks are our largest vulnerability in the U.S., in the WORLD: Critical Infrastructure Air, Sea, Land and Space. 4th-generation computing and regulation can help, but we have to get moving. Industry needs to lead or be compelled.

These kinds of attacks, or at least the nascent form of them, are probably already happening and we don’t hear anything about it for security reasons.

[It is] inevitable that terrorists will attack the infrastructure, since it is becoming a symbol of Western cultural values.

The Internet, while it makes our lives so much easier and productive makes us extremely vulnerable. When your way of life is fully electronic…all one has to do is cut the power and watch us flounder. A recent Yahoo! Internet deprivation study showed how people ”lost” their ability to manage certain life tasks (like going to the phone book to look up a number – give me a break!) when their access to the Net was gone. Extreme reliance on the Net makes us less resourceful as human beings – beware, this is scary.

Setting aside the obvious threat of terrorism, in terms of attempts at political or economic disruption, I think it is highly likely that a ”hacker” will launch a significant attach to demonstrate our vulnerability. My understanding is that of some members of the hacker subculture are activists of a kind. They seek to reveal the limitations of the technology in order to improve it.

Our society’s security is built on a high level of trust. This is especially true of our information infrastructure. If bitter enemies (like Al Qaeda) do not succeed in attacking it, vandals (like hackers) almost certainly will.

Power systems have already shown themselves to be vulnerable, as seen in the 2002 power outage across the NE United States. Communications systems are less obvious fragile, but the increase in users of the internet, without infrastructure development suggests to me that this is likely to happen soon.

This will of course foster more thought of fault tolerance and redundancy.

I think the systems are sufficiently adept to avoid a situation that would be termed ”devastating.” There may be incidents but the likelier near term stress will be on the capacity of the systems themselves. This gradual pressure will be a greater force and factor to reckon with than any single, momentary attack.

Whenever an unchecked power dominates, marginalized communities take it upon themselves to challenge that authority. The network infrastructure has become such a powerful tool.

My only disagreement might be that I think the ”or” is optimistic. I would predict significant and successful attacks on both. The targets are as symbolically significant as the World Trade Center or the Pentagon. Attempts to thoroughly disrupt, corrupt or dominate the information infrastructure seem inevitable. The vulnerabilities are too well documented and already seem to invite sociopaths, egomaniacs and nihilists; how far behind can the terrorists be? Power grids are tied to the nets, why not a combined attack? The power grid is symbolic in another way as well, reflecting the gluttony for energy and other natural resources that is represented by the West. This attack could come from Western ecoterrorists as easily as from foreign sources.

Considering information infrastructural ”protection” is largely left to the free market private sector, it seems likely that there will be at least some big companies that fail to invest in their network stability … and, certainly the deregulated power grids have shown no great capacity to keep up their technologies for the public interest … they’ll let them rot as long as there’s more (short-term) profit in leaving them poorly serviced.

We already know the terrorists have been thinking about and planning this. Our power grids are based on the 1890s infrastructure, without advanced security updates for the modern information age. We are vulnerable. And yet, congress and the president still cannot agree on an energy policy to upgrade everything.

Both are too decentralized to make it worth it, and neither makes great press. Blood and gore and death have greater emotional impact. Besides, why attack the U.S.’s power grid when it is so poor as to black out an entire section of the country on its own? (If terrorists could figure out a weak point, sure, but they want carnage.)

We have already seen a major problem with the country’s power grid; this one wasn’t even an attack. Imagine what someone really trying to cause harm could do. As for the network infrastructure, anything that we become increasingly dependent on will be subject to danger.

It took 20-30 years for the theory of commerce warfare to be implemented from theorization in France to implementation by Germany in World War I. Ten years is about half that and is likely appropriate.

Attacks on these structures may happen, but ”devastation” is unlikely. I’m still much more frightened of a typical truck bomb, which is much easier to construct and deliver than a complicated attack on a power grid or information infrastructure – something that would cause frustration and annoyance, rather than mass casualties.

My understanding is that disruption of the top-level DNS servers could be devastating. If our top-level infrastructure is decentralized and fail-over servers are available, one hopes that disruption would be minimal. Organized crime/terrorists must certainly be considering cyber crime since our society is so reliant on online systems.

There will be devastating attempts, but they will be prevented by the InfoSec teams.

The toolsets are available to those who would like to do so the monoculture of Microsoft environments does nothing but encourage such an attack.

Commercial vendors have no interest in common security solutions. The monopoly position of Microsoft will emphasize the ease by which IT systems will be attacks or compromised on a large scale.

Devastating for some, but not all or not for a long time period, however. I believe a power supply grid attack would likely devastate a region, but if that region is later isolated, the rest would function normally. A network information infrastructure attack that was physical, would have similar impact as on the power grid. A ”virtual” network attack could devastate a larger portion of the network, but probably for a shorter time period.

It’s inevitable: the Internet is the Mount Everest of hackers, and terrorists are bound to find it more irresistible the more dependent we become on it.

Technology is simply moving to fast to allow for the proactive protection of the infrastructure. Only catastrophes bring the necessary attention to ”the grid,” I wish it were otherwise, but it’s simple human nature.