After reading the report, “A Widening Attack Plain,” by Brian David Johnson for the U.S. Army Cyber Institute, which looks at the world as it will exist in 2026 with regard to cyber threats, I’ve concluded that we have little to worry about because, if this report is correct, many of us won’t make it to 2027. At least that was my initial takeaway. You see, up until now, we have been largely dealing with physical attacks and cyberattacks as different and discrete, but threatcasting, a practice of collaboratively predicting the future, similar to the Delphi method, is now showcasing they won’t remain separate for much longer. In the near-term future, a cyberattack will be used in conjunction with a physical attack to increase the damage and delay or eliminate timely response.
Participating in the forecasting process for this report were a large number of folks from the Army Cyber Institute, U.S. Army Cyber Protection Brigade, Carnegie Mellon University, U.S. Military Academy, USAA, Citigroup, New York Police Department, and the author of X-Men. Science fiction authors participate in efforts like this because they are better at setting possible future scenarios for the study group to consider.
The scenario the group created was a distributed denial of service (DDoS) attack via Internet of Things (IoT) devices on a complex supply chain. The related failures of security protocols and the management of the artificial intelligence (AI) in the digital domain resulted in physical weaknesses that culminated in a dirty bomb attack on New York’s Manhattan Island. The goal was to come up with a plan to mitigate, and if that failed, recover from, such an event.
You can read the report yourself. Here, I’m going to focus on the critical need to use it before a reality like this hits and we discover that we can’t deal with the result any better than we did for 9/11 or the attack on Pearl Harbor.
9/11 and Pearl Harbor Lessons
9/11 was a disaster not just because of the attack, but because institutionally, the government knew it was coming, was unable to translate that knowledge into action, and when it finally responded, did so inadequately and then over-reacted, doing far more damage to itself than the terrorists were capable of alone.
We could see similar elements in Japan’s attack on Pearl Harbor in that the U.S., institutionally, knew an attack was coming and actually facilitated the attack, by placing planes where they could be easily bombed, and in discounting the radar reports of the attacking planes.
In both cases, as an organization, the U.S. military hadn’t gamed out a related attack, even though it knew, institutionally, that it was likely, and thus didn’t have the capability to aggregate the information it needed to alert in a timely manner, didn’t have a plan in place to respond in a timely manner, and lacked the infrastructure to adequately deal with the result. In the end, in both instances, the attacks happened and were made worse due to a severe lack of planning.
The Cyber Terrorist Future
Technology is a force multiplier and the big difference between the two attacks is that the first was done by the Japanese Navy and the second by a bunch of guys with box cutters. In the attack on Pearl Harbor, around 2,300 people lost their lives. On 9/11, it was closer to 3,000, with twice that injured. The only technology enhancements were the ability to coordinate over cell phones and the internet, and the availability of large commercial airliners that were inadequately secured. The anticipated attack this report group highlighted using blended cyber and physical resources would devastate and/or kill around 2 million people, projecting ahead to the population of Manhattan. And, be aware, there is no physical limitation to either size or number of cities, so 2 million could be massively conservative. We are also still talking a relatively small attacking force, far smaller than the army of a hostile nation and possibly smaller than the group that perpetrated 9/11.
Wrapping Up: We Won’t Survive If We Continue to Think Tactically
We are largely set up to respond to threats tactically. Even the Cold War “mutual assured destruction” rules were set up to assure a responding strike, not to fully anticipate and respond to an initial nuclear attack. But, at least then, we were dealing with a large nation, and that still almost didn’t end well. Efforts like threatcasting are critical to identifying potential threats and building up defenses against them and there are private companies and military organizations involved in this effort. That’s the good news. The bad news is that these are still more of an exception than a rule and, as big as this effort is, it is still a fraction of what it needs to be.
I’m writing about this so that you are aware of the exposure and the efforts to address it, in the hope that more will get involved and the forecast future does not occur.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+