Elon & Pew Research look at the chances of major cyber attacks

The latest research by Elon's Imagining the Internet Center and Pew Internet examines the threat to national security posed by cyber attacks.

A canvassing of 1,642 technology experts and analysts finds that most expect cyber attacks to increase over the next decade, and many agree with the assertion that a major attack will cause “widespread harm to a nation’s security and capacity to defend itself and its people” by 2025.

Experts responding to a question asked by the Pew Research Center and Elon University’s Imagining the Internet Center said the growth of the Internet and its expanding influence expose individuals and organizations to new dangers. As respondent Jay Cross, chief scientist at Internet Time Group, said, “Connectedness begets vulnerability.”

The report was released Oct. 29 at the “Future of the Web” symposium in Silicon Valley, part of the World Wide Web Consortium’s W3C20 Conference. The event included top world Internet and Web leaders, including Web inventor Sir Tim Berners-Lee, Internet protocol co-inventor and Google executive Vint Cerf, and Fadi Chehade, CEO of the Internet Corporation for Assigned Names and Numbers (ICANN).

This report is a compilation of predictions and opinions from those who responded to an opt-in canvassing of experts to this query:

Major cyber attacks: By 2025, will a major cyber attack have caused widespread harm to a nation’s security and capacity to defend itself and its people? (By “widespread harm,” we mean significant loss of life or property losses/damage/theft at the levels of tens of billions of dollars.)

Some 61% of those who responded to this canvassing answered “yes” and 39% of them said “no.” They were also asked to provide a written elaboration, explaining what vulnerabilities they see or why the level of threat has been hyped and/or why they believe attacks can be thwarted.

“There was considerable agreement among these experts that individuals could be more vulnerable and businesses could persistently be under attack,” said Lee Rainie, a co-author of the report and director of the Pew Research Internet Project. “They said essential utilities are a vulnerable target and theft and economic disruptions could be substantial.”

The expert participants said cyber attacks and theft are already occurring and they expect that trend will expand along with the Internet.

However, nearly 4 in 10 said they do not expect a “major” attack that causes “widespread harm.”

“Some confidently pointed out that the threat of counterattack might deter the worst,” said Janna Anderson, director of Elon University’s Imagining the Internet Center and a professor in the School of Communications. “And many used the Cold War as a metaphor, saying severe harm is unlikely due to the threat of mutually assured disruption. Some said cyber threats are being exaggerated by people who might profit most from creating an atmosphere of fear.”

Several broad themes emerged in the answers:

‘Yes’ respondents theme 1) Internet-connected systems are inviting targets. The Internet is a critical infrastructure for national defense activities, energy resources, banking/finance, transportation, and essential daily-life pursuits for billions of people. The tools already exist to mount cyber attacks now and they will improve in coming years—but the countermeasures will improve, too.

Joe Kochan of US Ignite said, “Cyber attacks will become a pillar of warfare and terrorism between now and 2025. So much of a country’s infrastructure—commerce, finance, energy, education, health care—will be online, and gaining control of or disrupting a country’s online systems will become a critical goal in future conflicts.”

Mark Nall, a program manager for NASA, responded, “Current threats include economic transactions, power grid, and air traffic control. This will expand to include others such as self-driving cars, unmanned aerial vehicles, and building infrastructure. In addition to current methods for thwarting opponents, growing use of strong artificial intelligence to monitor and diagnose itself, and other systems will help as well.”

Geoff Livingston, author and president of Tenacity5 Media, responded, “Cyberwar is the battlefield of now. Don’t kid yourself. Battlefields in Sudan, Afghanistan, and Syria are real, but there is a new battlefield and every day wars are won and lost between individuals, businesses, and countries. The Pentagon and China military are regularly engaged in digital spats. We really have no idea how deep this goes, but we are much closer to William Gibson’s vision in the seminal cyberpunk novel Neuromancer than any of us would like to admit.”

Herb Lin, chief scientist for the Computer Science and Telecommunications Board at the National Research Council of the US National Academies of Science, replied, “More likely is cyber sabotage of individual enterprises. On a large scale, cyber attacks may be combined with kinetic attacks and the combination may cause large-scale damage.”

Stewart Baker, a partner at Steptoe & Johnson, a Washington law firm, wrote, “Cyberwar just plain makes sense. Attacking the power grid or other industrial control systems is asymmetrical and deniable and devilishly effective. Plus, it gets easier every year. We used to worry about Russia and China taking down our infrastructure. Now we have to worry about Iran and Syria and North Korea. Next up: Hezbollah and Anonymous.”

Lee McKnight, a professor of entrepreneurship and innovation at the Syracuse University’s School of Information Studies, said, “Cyber security extortionists just made $100 million in 60 days (see ‘Cryptolocker’). So on one hand it is easy to extrapolate and imagine significant harm done to individual users and institutions given the black hats’ upper hand in attacking systemic vulnerabilities, to the extent of tens of billions in financial losses; and in loss of life. But security systems are progressing as well; the white hat good guys will not stop either.”

Patrick Tucker, futurist and author of The Naked Future: What Happens In a World That Anticipates Your Every Move? said, “Today, cities around the world use supervisory control and data acquisition (SCADA) systems to manage water, sewage, electricity, and even traffic lights. Independent analysis has found that these systems suffer from 25 different security vulnerabilities. That’s bad enough, but then consider how human error and incompetence makes these common systems even less secure. Many of the IT managers that use these systems haven’t changed the manufacturer-installed security codes. As writers Indu B. Singh and Joseph N. Pelton have pointed out in The Futurist magazine, that failure to take even the most basic security precautions leaves these systems open to remote hacking.”

‘Yes’ respondents theme 2) Security is generally not the first concern in the design of Internet applications. It seems as if the world will only wake up to these vulnerabilities after catastrophe occurs. 

Jeremy Epstein, a senior computer scientist working with the US National Science Foundation as program director for Secure and Trustworthy Cyberspace, said, “Damages in the billions will occur to manufacturing and/or utilities but because it ramps up slowly, it will be accepted as just another cost (probably passed on to taxpayers through government rebuilding subsidies and/or environmental damage), and there will be little motivation for the private sector to defend itself. Due to political gridlock and bureaucratic inertia, the government will be unable to defend itself, even if it knows how. The issue is not primarily one of technical capability (although we’re sorely lacking in that department). The primary issue is a lack of policy/political/economic incentives and willpower to address the problem.”

Elena Kvochko, manager for IT industry at an international organization based in New York, noted, “The possibility of a widespread cyber attack on national critical infrastructure is a major concern for many governments. The scope and the consequences of such attacks may be different for different nations. However, a large portion of critical infrastructure facilities still rely on software and technology created decades ago and which has not been upgraded. The level of sophistication of adversaries generally progresses much faster, therefore, it is important to implement adequate measures to ensure a proper protection of critical assets and capabilities.”

‘Yes’ respondents theme 3) Major cyber attacks have already happened, for instance the Stuxnet worm and attacks in nations where mass opposition to a regime has taken to the streets. Similar or worse attacks are a given.

Jason Pontin, editor in chief and publisher of MIT Technology Review, wrote, “There has already been a ‘Pearl Harbor’ event: the Stuxnet computer worm that was used to attack Iran’s nuclear capabilities. Do we really believe that the infrastructure of a major industrial power will not be so attacked in the next twelve years? The Internet is an insecure network; all industrialized nations depend on it. They’re wide open.”

Stowe Boyd, lead researcher for GigaOM Research, said, “A bellicose China might ‘cyber invade’ the military capabilities of Japan and South Korea as part of the conflict around the China sea, leading to the need to reconfigure their electronics, at huge cost. Israel and the United States have already created the Stuxnet computer worm to damage Iran’s nuclear refinement centrifuges, for example. Imagine a world dependent on robotic farm vehicles, delivery drones, and AI-managed transport, and how one country might opt to disrupt the spring harvest as a means to damage a neighboring opponent.”

Judith Perrolle, a professor at Northeastern University in Boston, wrote, “The US government’s series of cyber attacks on citizens, economic entities, and governments around the world has already done this. People have died from faulty equipment producing gas pipeline explosions and from drone bombings of civilians. US companies have lost billions worth of business as foreign customers no longer trust their products and services. One way to counter such attacks is by diplomacy and respect for international law, especially by the United States. As one of my students once titled a paper on Stuxnet: ‘People who live in electronic houses shouldn’t throw worms.’ A second line of defense is to design computer and information systems to be more secure. Our current systems are incredibly vulnerable, by design. US cyber security efforts seem dedicated to breaking into computer systems, not securing them.”

Maurice Vergeer, an assistant professor at Radboud University Nijmegen in the Netherlands, replied, “Estonia was one of the first countries that suffered a major cyber attack some years ago. If an agency can create something like Stuxnet to sabotage Iranian nuclear facilities, it’s a question of time for another agency to come up with another piece of malware to sabotage essential infrastructure. The problem is that because of the Internet of things, this is even more likely because most computers and machines will be connected to the Internet. Even when security is tight, the human factor is probably the weakest link.”

‘Yes’ respondents theme 4) Cyber attacks are a looming challenge for businesses and individuals. Certain sectors, such as finance and power systems, are the most vulnerable. There are noteworthy divides between the prepared and the unprepared.

Henning Schulzrinne, Internet Hall of Fame member and a technology developer and professor at Columbia University, said, “Primarily financial services (both trading and financial transactions) and maybe the power grid seem vulnerable and their disruption is most likely to inflict large collateral damage. Both are dominated by legacy systems, with a limited willingness to make the necessary investments in upgrades and, particularly for utilities, limited technical depth in their staff.”

Jim Warren, longtime online freedom and privacy advocate and editor publisher of microcomputer periodicals, responded, “It seems likely that there will be far more cyber-attacks for the purpose of theft and/or economic harm to their targets, than for the purpose of causing physical harm to individuals or groups.”

An employee of the Network Information Center who remained anonymous observed, “The biggest vulnerabilities are in financial, energy, and transportation sectors—which represent the soft underbelly of our society and are increasingly under siege from thwarted cyber attacks. In the end, I believe we can keep opponents at bay, but it will require a significantly larger investment by government and industry and the cyber security industry will become a significantly larger employer as a result.”

‘No’ respondents theme 1) There is steady progress in security fixes. Despite the Internet’s vulnerabilities, a distributed network structure will help thwart the worst attacks. Security standards will be upgraded. The good guys will still be winning the cyber security arms race by 2025.

Bill Woodcock, executive director for the Packet Clearing House, responded, “Indirect and intangible losses from large attacks may easily top tens of billions of today’s dollars, or even relative value accounting for enlargement of the economy between now and then. We’re at least 25 years in to cyber attacks now, and although they get larger, and the economy and population becomes more dependent upon the resources that are vulnerable to them, they still don’t have the effect on physical assets and infrastructure that doomsday-predictors have always worried they would. I’m not sure that problem will get worse as people become more sophisticated. I think we’re already over that hump.”

Glenn Edens, director of research in networking, security, and distributed systems within the Computer Science Laboratory at PARC, a Xerox Company, responded, “Maybe I’m being optimistic but there is steady progress in security. Again, the basic architecture of the Internet is wrong on so many levels—so much needs to be fixed. The loss of financial gains is more likely than a loss of life.”

Isaac Mao, chief architect of Sharism Lab, said, “New security standards will help out.”

Paul Jones, a professor at the University of North Carolina and founder of ibiblio.org, responded, “Nations and others who hold necessarily secure information are getting better and better about protecting their essential assets. Yes, a bunch of credit card numbers and some personal information will leak. Yes, you may not be able to place an order for a few hours. But it’s less and less likely that say all pacemakers in a major city will stop at once or that cyber attacks will cause travel fatalities. I expect increased tension between individual needs, commercial needs, and national needs for privacy, mobility and security. TOR everywhere? Perhaps.”

Robert Bell, of IntelligentCommunity.org, responded, “While the possibility of such widespread disruption certainly exists, it has become a priority among most industrialized nations to understand and respond to the threat. I expect smaller-scale incidents but not large-scale loss of life or billions of dollars of property loss.”

‘No’ respondents theme 2) Deterrence works, the threat of retaliation will keep bad actors in check, and some bad actors are satisfied with making only small dents in the system so they can keep mining a preferred vulnerability and not have it closed off.

David Clark, a senior research scientist at MIT’s Computer Science and Artificial Intelligence Laboratory, noted, “The nation-states with the capability to deliver such an attack do not have the motivation to do so. While there will be some actors (e.g., terrorist organizations) that might have the motivation, they currently do not have the skills, and there are easier ways to cause this sort of damage. However, the odds of this outcome are not zero, only low in my view.”

Bob Briscoe, chief researcher in networking and infrastructure for British Telecom, wrote, “There will have been major cyber attacks, but they are less likely to have caused widespread harm. They will be stealth attacks to extract information and exploit it for commercial and political gain. Harm to an enemy is only a desire of less-sophisticated individuals. Anyone who amasses the ability to mount a major cyber attack, better than their opponent, also doesn’t want to lose their position of advantage. They are likely to shift to strategies of gain for their own position, rather than explicit harm to their victim, which would alert their victim and close off their channels of attack, and set back their advantageous position.”

Justin Reich, a fellow at Harvard University’s Berkman Center for Internet & Society, responded “yes” to the question, but said, “The potential of threat is as real as the potential of nuclear annihilation. It hasn’t happened because mutually-assured destruction works, or at least it has for 70 years. We will have this constant, relatively low-grade probing, piracy, and state-sponsored cyber-terrorism.”

Fred Hapgood, a science and technology writer, responded, “On this level, the tens of billions of dollars mark, the risk is very low. A loss on this level will trigger serious retaliation and the hackers responsible can never be 100% certain that they haven’t left a trail somewhere. So they will wait for the worst case, and the worst case will probably not arise. Maybe in the context of a shooting war. The stakes would have to be very high.”

Garland McCoy, president and founder of the Technology Education Institute, said, “Mutually-assured destruction worked then, works now, and will work in cyberspace.”

‘No’ respondents theme 3) Hype over cyber attacks is an exaggeration of real dangers fostered by the individuals and organizations that will gain the most from creating an atmosphere of fear.

Jonathan Grudin, principal researcher at Microsoft Research, responded, “Perhaps I am optimistic, but this concern seems exaggerated by the political and commercial interests that benefit from us directing massive resources to those who offer themselves as our protectors. It is also exaggerated by the media because it is a dramatic story. President Eisenhower worried that we would suffer if we had leaders who would not rein in the military-industrial complex, and it is clear our leaders are powerless to rein in the military-industrial-intelligence complex, whose interests are served by having us fearful of cyber attacks. Obviously there will be some theft and perhaps someone can exaggerate it to claim tens of billions in losses, but I don’t expect anything dramatic and certainly don’t want to live in fear of it.”

Mike Caprio, a software engineer for a consulting firm, wrote, “Cyber attacks are a boondoggle invented by military-industrial contractors to bilk governments out of billions of dollars. The infrastructure is not as fragile or attackable as they would claim.”

Additional expert predictions

Vint Cerf, Google vice president and co-inventor of the Internet Protocol, responded, “Yes, while it has been predicted for a long time, there is no question that intellectual property theft is an increasingly serious problem and the potential hazard of data pollution looms. Estonia is the prototypical example. A lot will have been done by 2025 to increase security and safety online but there will still be exploitable vulnerabilities. Systems that observe their own behavior and the behavior of users may be able to detect anomalies and attacks. There may well be some serious damage in the financial sector especially (identity theft is still a problem, etc.). The use of things like Bitcoin, if prevalent, will produce wildly gyrating values and high risks.”

David Brin, author and futurist, wrote, “We must move from the 1990s obsession with ‘efficient’ production—e.g., just-in-time manufacturing. That proved disastrous after Fukushima. In nature, resilience is just as important as efficiency. If we work on it, our resilience will make a crucial difference making such attacks futile.”

Joel Halpern, a distinguished engineer at Ericsson, wrote, “Any response to this is very much a guess, as what will happen depends both on what can happen and on what people choose to do. I would not be surprised if there was a network-based event which caused tens of billions of dollars in damage. I would expect that it is more likely to occur by accident than it is by deliberate action. This is based on the observation that random coincidental failures are much harder to plan for than human intention.”

Paul Saffo, managing director at Discern Analytics and consulting associate professor at Stanford University, replied, “It is a close call, but I think we will have a bunch of scares, but will squeak through. More generally, my fear is that we are neglecting the risk of ‘cyber errors’ in creating wild disruptions. Stupidity is always more common than evil.”

Seth Finkelstein, a programmer, consultant and EFF Pioneer of the Electronic Frontier Award winner, wrote, “In general, for critical infrastructure, I’d say there’s enough low-level threat from ongoing minor attacks to make it difficult to pull off a really major attack. Much of this entwines with credit card security. Grabbing a bunch of credit card numbers is both far more profitable and far easier to do than massive disruption. So defending against that type of ongoing crime is sort of like an immune system challenge that helps guard against even more harmful attacks.”

Jeff Jarvis, director of the Tow-Knight Center for Entrepreneurial Journalism at the City University of New York Graduate School of Journalism, wrote, “There will be continuing attacks bringing continuing damage. The question is how big an industry that will spawn in securing systems against such danger and mitigating risk. But security comes not only from government and industry. It also comes from the huge forces of collaboration and volunteerism that can coalesce around open source as a means of assuring that many eyes will watch for vulnerabilities and many hands will fix the faults that are found.”

Tiffany Shlain, filmmaker, host of the AOL series The Future Starts Here and founder of The Webby Awards, observed, “There will be attacks, but just as quickly as they happen, we will figure out how to combat them. The Web is merely an extension of us as humans. We are good and bad and everything in between. But ultimately, I believe we are good. The Web will at some point have large-scale manipulation with malicious intent, but we will learn from it and overcome it.”

Complete sets of credited and anonymous responses to this question, featuring many dozens of additional opinions, can be found on the Imagining the Internet site:

  • Credited responses
  • Anonymous responses

The five previous “Digital Life in 2025” reports released by Pew Research and Elon University in 2014 examined additional questions tied to Internet development over the next decade.

  • A March 2014 Digital Life in 2025 report issued by the Internet Project in association with Elon University’s Imagining the Internet Center focusing on the Internet’s future more broadly. Some 1,867 experts and stakeholders responded to an open-ended question about the overall future of the Internet by 2025.
  • A May 2014 Digital Life in 2025 report on the Internet of Things from Pew Research and Elon University examining the likely impacts of the Internet of Things and wearable and embedded networked devices. A majority of the more than 1,600 respondents said they expect significant expansion of the Internet of Things, including connected devices, appliances, vehicles, wearables, and sensor-laden aspects of the environment.
  • A July 2014 Digital Life report on Threats to the Open Internet from Pew Research and Elon University canvassing a number of experts and other stakeholders on what they see as the major threats to the free flow of information online. A majority of these experts expect the Internet to remain a place where people can freely access and share content, even as they anticipate a number of potential threats to this freedom in the coming years.
  • An August 2014 Digital Life report on Artificial Intelligence and Robotics from Pew Research and Elon University gathered opinions from experts about the roles that robots and many forms of artificial intelligence (AI) – including digital agents that perform programmed tasks – will play in our lives by 2025. The results were an even split, with 52 percent envisioning a future in which robots and digital agents do not displace more jobs than they create and 48 percent saying they will displace significant numbers of both blue- and white-collar workers.
  • An October 2014 Digital Life report on “Killer Apps in the Gigabit Age” from Pew Research and Elon University about the potential new digital activities and services that will arise as gigabit connectivity—50 to 100 times faster than most Americans now enjoy—comes into communities.