It’s early on a weekday morning, in the not-too-distant future, and a packed commuter train is speeding toward a large North American city when the Internet cuts out. It’s more than just an inconvenience for riders checking their email. This train and the tracks are part of the Internet, too—fitted with computers and sensors to monitor and control the location and speed of trains, and linking every bit of transport infrastructure across the continent to the web. With the system disabled, the train is suddenly out of control.
In the city, the water supply system, automated and synched to a central, digital command centre, also fails in the Internet outage. Switches—built to shut off water when there’s a leak—spring into action and taps everywhere run dry. Above ground, the online network linking every car, truck, bus and taxi malfunctions, as do the sensors that turn lights red and green depending on traffic flows, plunging roads into gridlock. Police cars, ambulances and emergency services, each reliant on the city’s suddenly blacked-out information network, remain parked and useless.
Across the city, people are locked out of (or even in) their homes. The web-enabled security systems that people use to lock and unlock their doors have also failed. At the grocery store, there’s no way to buy food without cash: Internet payment systems go black.
This is the next “big one.” Not an earthquake, but a collapse of the digital network that is increasingly becoming a critical part of day-to-day life, linking together every item and service we use. And while such a failure may sound improbable, security and technology experts say that few people realize just how vulnerable society has already become.
The Internet is now being wired into everything. Cisco estimates 50 billion “things” will be linked to the web by 2020. “When I walk around the street, all I see are networks,” says Cisco senior vice-president and head of the company’s enterprise networking group, Rob Soderbery. “Every electronic billboard, every roadside sensor, every toll booth, every vehicle, every truck, every police car. Think about everything you see in that daily life as being integrated into the network.” Networked trains, web-enabled cars that rely on downloadable software fixes, and smart homes that are run via iPad are already a reality. “Everything around us is acquiring CPUs and communications,” adds Ross Anderson, a professor of security engineering at Cambridge University. “Pretty well everything you buy for more than 10 bucks and don’t eat or drink will be ‘smart’ in some sense.”
We have already seen how even minor glitches in these systems can cause big headaches. In 1999, Internet service, phone lines, payment systems and traffic lights across a large swath of downtown Toronto crashed for a day—all because a technician at a Bell switching centre dropped a wrench, which started a fire, which also brought down power to a hospital and stripped an estimated $1 billion in trades at the Toronto Stock Exchange.
In the past year alone, a cut cable triggered a Sprint Internet outage that grounded Alaska Airlines flights in the western U.S., payment processing problems brought down Visa services in Canada, and Netflix’s hugely popular system crashed due to a software bug. Last week, American Airlines’ entire fleet was grounded for hours due to a glitch in the company’s reservation system.
Malicious attacks are just as common, targeting everything from newspapers, including the New York Times and companies like Telvent, which provides control systems for Alberta oil and gas pipelines. In March, a hacker attack simultaneously crippled South Korea’s main broadcasters and biggest banks, and earlier this month, police in Egypt arrested three men who were allegedly trying to sabotage a critical undersea Internet cable.
Last October, the U.S. secretary of defense said American infrastructure is vulnerable to a “cyber Pearl Harbor.” “This is the pre-9/11 moment,” Leon Panetta said at a gala in New York. “An aggressor nation or extremist group could gain control of critical switches and derail passenger trains, or trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”
The risks of a breakdown (whether by simple failure or sophisticated hacker attack) are rising exponentially as more services are shifted to the web. Cloud computing, in which companies outsource hardware and some software needs to server farms all over the world, was a $60-billion industry in 2012, says the research company IDC. Microsoft’s cloud-computing customers reportedly include Aer Lingus, Dow Chemical and the University of Georgia. The New York Stock Exchange and NASDAQ use cloud computing. Even governments are getting on board: Canada has been examining ways to grow reliance on cloud computing, and in March, reports surfaced that Amazon is building a “private” cloud for the CIA.
But cloud computing, like the rest of the digital world, has its vulnerabilities. The European Union’s security agency, ENISA, issued a report this year warning that cloud computing is a double-edged sword. “If an outage or a security breach occurs, the consequence could be big” across critical sectors like finance, energy, transport and even government services, the report cautioned. It called on the EU to monitor attacks and require companies to report outages and security breaches. Andrew Rose, a security analyst for the research firm Forrester, has argued that this hyper-networked future will lead to “unprecedented security challenges.”
Carlo Ratti, the director of the SENSEable City Lab at MIT, argues the nature of security challenges is not changing, just their effect. “The impact of possible security breaches can be more devastating because it’s not only digital, but it’s digital and physical,” he says. “If your computer catches a virus, you might not work for one day. But if your car, which is getting more and more like a computer on wheels, catches a virus, just a simple one that switches the pedal with the brake, then you’re in trouble.”
Given the speed that our reliance on the web is growing, we may not grasp the risks until it’s too late, Ratti says. But governments are trying. Leon Panetta’s fiery warning last fall was followed up with a cybersecurity executive order from U.S. President Barack Obama, announced during the state of the union address in February, which will result in sharing information between public and private sectors to increase cybersecurity.
In 2010, the Canadian government allocated $155 million over five years to beef up cybersecurity efforts, much of which went to the Canadian Cyber Incident Response Centre (CCIRC). But last year, a critical report by the auditor general found that the centre, seven years after it was formed, “cannot fully monitor Canada’s cyberthreat environment” because various departments and companies aren’t fully co-operating with the centre, or even aware of its mandate. There’s a “tremendous fragmentation” between government departments and industry, which hold the Internet traffic data, and the CCIRC, which needs access to it, says Rafal Rohozinski, one of the country’s leading cybersecurity experts.
The audit didn’t examine the government’s response or recovery plan for a cyberattack, which alongside earthquakes, floods and pandemics falls under the public safety department’s Government Operations Centre. Rohozinski questions whether there is such a national plan for a massive digital failure. He says Canada “lags behind” other nations.
At a cybersecurity conference in October, Public Safety Minister Vic Toews told delegates his government has “worked closely with our partners to enhance the resilience of critical infrastructure like power grids, financial systems and transport networks.” Meanwhile, the CCIRC doesn’t even operate on a 24-7 basis—it’s open 15 hours, seven days a week. Rohozinski says Canadians are blind to their reliance on this infrastructure. “We don’t realize our dependence.”
Other countries do. Thanks in part to the Stuxnet virus, which infiltrated an Iranian nuclear facility in 2010, “Iran has a better overall government plan for dealing with cyberincidences than does Canada,” he says. But waiting for the “big one” in order to act carries its own risk. “What’s going to be the effect of a catastrophic effect in cyberspace?” he asks. “No one knows.” But it’s pretty scary to imagine.