Brian Lee CrowleyFrom driverless cars to “smart” electricity grids, the roots of information technology dig deeper into our society than ever. Macdonald-Laurier Institute Managing Director Brian Lee Crowley, writing in the Globe and Mail, says it’s time that we took the threat of cyber attacks seriously.

By Brian Lee Crowley, July 24, 2015

Based on the media coverage of the story, you might think that the most significant story illustrating the dangers and vulnerability technology creates for ordinary people is the hacking and theft of information on would-be adulterous spouses on the Ashley Madison website.

Of vastly greater significance, however, is the relatively less-noticed story about how hackers took control of the electronics in a modern car. After controlling the windshield wipers and audio volume they got more ambitious. They disabled the brakes, interfered with the transmission and in the end drove the car into a ditch. And these were good guys drawing attention to the vulnerability inherent in the technology-laden life we now take for granted.

The vulnerability of the automobile fleet is only going to grow as cars come to rely more on electronics. Moreover as we move increasingly to driverless vehicles that will require instantaneous access to local navigational and other information, vehicular IT will by definition have to be more open, not less, meaning increased vulnerability.

This opens the possibility that every car could eventually become a weapon, available to be used at a moment’s notice by sophisticated hackers. No more spies with poison-tipped umbrellas, or Mafia hitmen nicking your brake line. How passé.

That’s a tiny example of the dangers created on a personal level by high levels of reliance on technology. At the level of whole societies the vulnerabilities become truly frightening.

Consider the electric grid. We are moving away from the rather outmoded approach of a few central generators that flood a static system with electricity to a system with widely distributed generation capacity (rooftop solar panels, wind turbines, small combined heat and power generators). Large numbers of people will both take power from the system and feed it back in at different times. Managing such a vast array of demands on the system requires a “smart grid”, which means one even more reliant on information technology than before.

What can be programmed, however, can be hacked. To gain insight into how serious this could be, consider the consequences of a rather low-tech attack that knocked out a substation in 2013 in San Francisco. In what security authorities consider to have been a dry run for an attack on a much larger scale, the substation was first isolated by cutting its telephone connections to the outside. A few moments later, snipers opened fire on the substation and over exactly 19 minutes systematically took down 17 transformers that supply power to Silicon Valley. One minute before the police arrived, the snipers disappeared and have not yet been brought to book.

Because the grid has a lot of flexibility built into it, the authorities were able to re-route power and maintain service. On the other hand, it took them a month to fix the substation.  Now consider what might happen to the grid in the face of a widespread and sustained cyber-attack that used the smart grid’s necessary openness to data collection as a way in. Remember that a few years ago a few no-tech tree branches falling on power-lines in Ohio caused a cascading power failure that took out electricity service to 50 million North Americans for days.

According to the Wall Street Journal, 13 “cyber incidents” were reported by power companies in the U.S. in the last three years, but companies declined to say whether there were any power outages as a result. It is not fanciful to think that at least some of these incidents were a cyber-probing of system vulnerability as part of preparations for a larger attack.

The mother of all system vulnerabilities inherited from our love of technology, however, is the electro-magnetic pulse, or EMP. A pulse generated by a nuclear explosion high in the atmosphere, the EMP’s reach far exceeds that of the gut-wrenching conventional effects of a nuclear explosion with which we are all familiar. The EMP basically fries everything electronic that it touches. A relatively small nuclear device launched on a relatively unsophisticated rocket from a ship near the coast could easily knock out a major part of the North American grid, plus all the smart phones, computers, automobiles and other electronics it touched. The resulting systems and communications outage would last a long time and by devastating. Hospitals, transport and police would be out of commission.

It is possible to harden the grid to survive an EMP attack. On the other hand it would have been possible to “harden” the air transport system in a way that might well have prevented 9-11. But it would have been expensive and no one took the risk seriously. We know how well that worked out. To quote the oil filter guy, you can pay me now or pay me later. Later costs more.

Brian Lee Crowley (twitter.com/brianleecrowley) is the Managing Director of the Macdonald-Laurier Institute, an independent non-partisan public policy think tank in Ottawa: www.macdonaldlaurier.ca.