On Tuesday, Feb 25, 2003, I was chatting with Bret Michael and Dorothy Denning at the Naval Postgraduate School when Dorothy asked me to write a paper documenting what I was discussing so she could cite it. This is that paper. It is about the reality of the vulnerabilities of critical infrastructures to computer network attack. The central thesis of this paper is that, while such attacks are indeed important to consider and could cause serious harm, the overall consequences are quite limited when compared to things we normally associate with weapons of mass destruction or major natural disasters.
I have done a lot of work on issues related to critical infrastructure protection, specifically in the issues related to information protection. I did consulting dealing with the detailed issues associated with protection of many leading companies in critical infrastructure areas as a livelihood for many years. This included telecommunications and financial companies, companies in manufacturing of different sorts, companies with large global infrastructures, and some elements of military and governmental organizations. I studied the issues of critical infrastructure protection as part of government funded research in the early 1990s, one of which coined the term 'information assurance' as it is now used. I subsequently wrote a book on this topic called "Protection and Security on the Information Superhighway" that was published in 1995. During these studies and in this book I outlined many of the issues we hear about today and I did some more detailed analysis of these issues and the reality of their impacts.
In the mid-1990s I started working with a variety of companies specifically in areas related to critical infrastructure protection, which was getting increased national awareness. This included specific studies for electrical power infrastructure elements, work with NSTAC and some of their member telecommunications companies, studies of national capacity for defense against information attacks, and a wide range of other similar work. I have worked with law enforcement and government agencies related to protection of critical information infrastructures and helped various critical infrastructure areas plan for and deal with Y2K issues. I have done analysis for infrastructure water providers and had lengthy discussions of the details of similar issues with experts in natural gas and fuel oil areas.
I have heard many of the claims coming from government agencies, their contractors, the media, and others who assert they are experts, and I have come to believe that the vast majority of the claims and conclusions I hear that predict doom and despair or things like an electronic Pearl Harbor fail to pass the test of credibility. When I read news stories about this or statements made by people in political positions, I try to evaluate them based on my understanding of these issues, and I almost always find them wanting. Particularly daunting is the outrageous and nonsensical leveling by comparison of a cyber attack to an attack by nuclear, biological, or chemical weapons. To be clear, any comparison between these should be viewed with extreme skepticism.
There are many real issues in critical infrastructure protection that I believe should be addressed, and it would be a mistake to interpret this paper as claiming that this protection is not important or serious. However, I hope in this paper to clear up some of the major misunderstandings that seem to dominate this subject matter and that are used to create unnecessary and irrational fear.
With that as background and with Dorothy anxious for her citation, I will now walk through different elements of what are commonly called critical infrastructures. For each element, I will try to briefly describe the limits that I have found of the consequences associated with information-based (a.k.a. cyber) attack against these infrastructures and why these limits are what I claim them to be.
As a starting point to this discussion, I want to mention that risks come from the simultaneous combination of threats, vulnerabilities, and consequences. Threats are actors who are motivated (or in the case of nature behave without specific motive) and able to do something, vulnerabilities are things that threats can exploit to produce consequences, and consequences are the outcomes of interest. Unless there simultaneously exists a specific threat capable of exploiting a specific vulnerability to produce a specific consequence, the presence of these three elements cannot produce risk. As you will see, a lack of understanding of this principal is often at the heart of why risks are misperceived.
Nightmare Scenario: If electrical power throughout the United States or major regions thereof go out and stay out for a long time, the consequences could be dire. For example, having no power in the Northeastern US for a month or winter could cause a substantial number of people to lose their lives, cost a lot of money, displace a lot of people, etc. This is largely because power is needed for heat and for most sorts of profitable work that people engage in. If there is no such outage, the consequences are not only far less, but well within the normal experience we have due to nature. For example, outages of several days to a week or more are fairly common because of winter storms, regional outages have happened several times in the Northeastern US as well as across the Pacific, and rolling blackouts have happened many times. None of these have produced dire outcomes of the magnitude of interest requiring unusual precautions.
Even really long-term outages may not be as bad as we imagine them to be, and creative responses can often mitigate harm. The capitol of New Zealand had a power outage for several months a few years back, and the country is still there without massive harm as many might imagine. A massive power outage in Hawaii some years ago resulted in a nuclear powered submarine having to dock and attach its power output to the Hawaiian power grid. So it is not really all that clear that a massive attack that damaged large portions of our power grid would be all that devastating. And of course we have a lot of people that would be working to counter these outages - power engineers - linesmen - generators - and ultimately the military, government, and people of the country and the region.
So from a consequence standpoint, the damage is limited - unless - somehow - someone uses the power of computers to disrupt all of the capability to recover! Ahah - massive cyber attack or better yet - knowing just the right things to hit in just the right way! It sounds amazing and mysterious - but of course it is not and there is no such thing that can really happen. Why do I say this? Simple.
The power grid and the generating stations are not so computer dependent that they cannot work without all of these computers being operational. Example 1: Suppose I use a computer controlled power grid element to shut off a critical feeder line into a major city? Solution: A linesman shows up at the junction where the power has been disabled and switches that station to manual override, turns the power back on, and power is restored! The grid is not as efficient this way, but the power works just fine. Example 2: By exploiting a cascade failure similar to the ones that occurred in California in the mid 1990s (twice) we disable a region and use computer attacks to keep it down! Solution: In a few days, linesmen restore all of the power using manual overrides, some of the power stations don't come up as soon, but most power is restored in a few days - and the automated controls are not operated until the problem is found and fixed. There are a few other examples, and some cause some permanent physical damage to select parts of infrastructures, but none keep major portions of the power grid out of service for very long or can be repeated many times.
Nightmare scenario: The water is poisoned for a major city by a cyber attack changing the chemical mix put in to the water supply (too much chlorine for example) - or water supplies are cut off to a region of the country by computers disabling the flow of water. The nightmare result of the former is that millions of people get poisoned with a resulting panic that causes everyone to fear with every drink. For the former everyone has to leave the city within a few days for lack of water. Of course it doesn't take an expert to doubt that these things can work and there have been plenty of power outages at different places in the country at different times and we are still here, but we will act as if it is possible to have these consequences if the attack could be carried out.
Problem 1: Other than the chemicals already in the water or in the water purification system, without physical attack, there is no way to add poisons by computer program. Maybe you are convinced you could break into some supplier computer and change the chlorine order or manufacturing process to send out LSD or something, but I think that the quality control is a bit better than this both at the water companies and at the suppliers. And chlorine (or other chemicals used to purify drinking water) have a tendency to kill almost anything you put in the water. If you put too much chlorine in the water it starts to smell of chlorine and people tend not to drink it. If you prevent the chlorine from going in to allow other agents to get through, the water also starts to smell bad.
Problem 2: How is a cyber attack going to stop water from flowing downhill? You probably didn't know it but there is a reason that reservoirs are on hills and water storage tanks are on stilts. It's because the vast majority of water supply is fed by gravity. Other than closing valves through the SCADA system, computers are unlikely to counter the effects of gravity. And those computer controlled valves all have manual overrides - and the computers are easily disabled and the valved manually controlled. It is not quite as efficient, but the water will still flow. Even the pumps used to move water from lower points to higher points can be manually operated. In fact, the water systems used to be operated manually and the operators occasionally have to do it anyway because of computer outages.
It turns out that a cleaver attacker could probably damage some pipes here and there using computer-based attacks, but pipes are damaged in earthquakes and similar events all the time, and yet we have not yet abandoned any of those cities because of lack of drinking water. There is a far greater ground water crisis facing us, but it has nothing to do with computer network attacks.
Nightmare scenario: A cyber attack causes the release of all gas from the gas pipelines - or magically sets the pipeline on fire.
The latter is ridiculous of course. The safety measures in gas pipelines are not so weak that there is a way to get a computer to ignite the pipeline.
A release event could potentially happen from opening a valve to vent to the air or perhaps the excess packing of gas into the pipeline creating an overpressure and a pipeline burst. In either case the drop in pressure is rather obvious and results in an investigation before too long. Pipe repairs are commonplace and lots of pipes have leaks all the time without a disaster taking place. Shutting the gas off then on will not cause lots of local fires because of the safety valves now in almost all gas end points. Pipes burst from weather, earthquakes and similar natural phenomena all the time without disastrous results.
If gas is shut off near the source the residual pressure in the pipe will allow continued flow for hours to days, depending on the specifics. In this time the source will be repaired and service restored. If gas is shut off near the destination relatively few people will be affected and this is not much different from normal events in gas pipe maintenance.
Nightmare scenario: No gas can be delivered to local filling stations (or no fuel oil to residences) for an extended period of time, causing loss of transportation capacity and spiraling collapse of the economy, eventually food shortages and starvation, etc. Nobody can really explain how computer attack can cause this of course... so we will simply move on.
Nightmare scenario: 911 service is disabled by modems dialing 911 due to a computer virus - OR - breakin to 911 computers causes misinformation to the attendants inducing poor or lost service and inability to coordinate in disasters.
Of course both of these have already happened and we are still here. Several cases of 911 outage have resulted from computer failures (and some from computer attacks such as those described above). On 2001/09/11 there was a 911 service failure related to the loss of the telecommunications in the basement of the World Trade Centers. This was in conjunction with a very large scale emergency event, and yet the information outage effects were not so disastrous as we might have been led to believe. We will use this as a financial example as well later on.
Emergency response typically includes radio backups, digital links for computer-relayed information, and of course the primary communications radios or land lines. In addition, local phone service is usually available in case someone has to make a call for help. Disaster recovery centers exist for most 911 services at the state level so that a massive failover uses redundant systems, circuits, and people to handle calls.
While serious problems can be induced by this sort of attack, a common technique for mitigation is increased telephone bandwidth and call screening by telecommunications providers. This has been successful in all recent large-scale attacks on 911 and similar services. In the case of misinformation in emergency response systems, this has happened with resulting loss of life. A small number of people died in the new emergency response systems installed in London several years ago, and a very recent failure may have contributed to the loss of life of boaters in Long Island Sound. Nevertheless, this is not exactly a massive disaster.
Nightmare scenario: All financial records are lost for all bank accounts in the US - and while we're at it - all brokerage accounts and stock records.
Before we go on it is important to put things in perspective. Some people hear about losses of a few hundred million dollars here and there and think they are important. To you and I as individuals this seems like a lot of money, but in context it's not really that much. The US has an annual deficit of thousands of times this amount. Many years ago, Citibank failed to make a clearance electronic exchange with the Federal Reserve one day resulting in a loss of hundreds of millions of dollars in lost interest. For an operation of that size, a few hundred million dollars is just not that much, and it is certainly not a matter of collapse. By contrast, the theft of less than $10M from Citibank via electronic means only a few years ago resulted in larger overall financial losses because of negative publicity. At one stock trading house I worked with the risk management lead indicated that losing a few hundred million dollars due to an electronic funds fraud in a day didn't even make their risk charts. They regularly lose several times this in a day from trades - and they regularly make it up the next day in similar trading. My point is that the overall financial system is relatively unaffected by a billion dollars here and there, so any large-scale effect will have to be very large scale indeed relative to my paycheck and yours. And of course some of the richest folks in the world lose this much from stock value changes in a day or two.
Unlike water that runs downhill and power that is generated by that water running downhill, financial systems are really and truly dependent on computers. In essence, there are no meaningful paper financial records to speak of any more. Sure - you may have actual stock certificates - but if all financial records were lost from the computers of the world, it would be unrealistic to believe that we would reconstruct the situation from paper records. And yet some things do really work this way.
When the World Trade Centers were attacked, the telephone outages caused ATM machines to be unable to communicate with their banks. As a result, the machines fed out money without checking. There was a substantial fraud-related loss (some small number of millions of dollars in all I understand), but the system didn't collapse. And even though the New York stock exchange ceased to exist for a week, the rest of the global financial systems continued to operate, the Chicago mercantile exchange did not collapse, and all records were not lost. If you wonder why, you need to read about disaster recovery planning. The question remains as to whether a large-scale cyber attack could somehow change this. I will assert that the answer is, practically speaking, no. Of course theoretically it is possible, so let's see where it goes.
The theory is that all of the redundant systems of many of the major financial institutions in the US are simultaneously disrupted in such a way that records are corrupted and unrecoverable for long enough to lead to economic collapse. If some of the redundant systems are still operating properly, the content is recoverable relatively quickly and they can go on. If only a few of the companies collapse it will be a problem but not a total disaster. Recent monthly statements and records from other banks and records given to the government in response to their reporting requirements and similar records will allow much of the lost content to be recovered, but it will be painful for a few million citizens. And yet the system will compensate - one way or another.
In addition, financial institutions, despite their appearance of incompetence now and then, are really quite good at detecting and countering frauds and corruptions - even by insiders. After all, they have been under constant attack by insiders for hundreds of years - long before computers come into play. And they handle very large sums of money every day under constant attacks without collapsing in the large. Sure a Barings will occasionally collapse from a risk management failure, but overall, the combination of redundant systems and massive diversity combined with the global nature of the market and the redundant nature of the records makes it very hard to collapse.
In this case the problem is not that the potential for the consequence does not exist or that the vulnerabilities do not exist to allow such a consequence to occur. The problem is that in order for so many things to simultaneously be affected in so many different ways as to produce a massive collapse requires a threat that does not exist. Yes - strange as it sounds, there is no threat today that has the capability of achieving such a large scale consequence to the global financial systems that we depend on. I won't debate this in detail because it gets down to thousands of specifics, but before you take this scenario as feasible ask the person who proposes it how many people it requires to carry out such a massive attack and over what period of time and with what expertise and how they avoid being detected along the way. If they really understand the issue they will be able to give you the factual answers to those questions and when you analyze those answers and examine the real capabilities for information operations of the potential threats you may find that the total capability does not exist.
Before leaving this subject I want to cover one other issue. It is what would realistically happen if such a worst case scenario were to take place. I think it is likely that we would move in short order to an emergency management situation with cash and barter running the system. It turns out there are substantial barter networks already in existence today and a fairly large underground economy. Many of the largest real assets do have credible paper backups and don't change hands very often - such as houses and cars and buildings and so forth. But before you go there, first remember that not only would banks have to be attacked - it would require attacks on stock markets and stock brokers, the federal reserve bank and its various diverse locations around the US, the credit card system which can exist for at least 30 days without collapse, and even this would not stop barter and the cash in hand from continuing.
Nightmare scenario: Total government collapse results from information system attacks and outages. Never mind that this is senseless drivel because nobody ever tells us how exactly all of these computer failures and attacks are going to prevent the government from functioning - at least over the short run. Of course a considerable part of the country is probably hoping for such a scenario to take place and get the government off our backs, but we will discount this for now.
The best worst case scenario is that the vote counting is affected. Those who live in the US today know exactly how this can shift power - just look at the last Presidential election... but even that only substitutes one set of candidates for another. It takes at least a few years before we lose our system of government.
Nightmare Scenario: If a cyber attack disables most of the national telecommunications capacity and keeps it disabled for a period of weeks, commerce will grind to a halt, emergency services and other safety related failures will happen, and other side effects will ripple through the world we live in. Outages of a day or two for large portions of the infrastructure will not mean collapse, and this has happened before without collapse. Two good examples were loss of all telephony in major cities and all long distance telephony in the early 1990s. These were both due to a few bit errors in telephone system control software. The net effect was negligible.
Problem 1: While taking out a telephone switching system or two might be feasible by cyber attack, there are many thousands of these systems in the US, and taking out a few here and there will not have much real effect. There is no commonality that would allow large numbers of them to be disabled without a large number of simultaneous attacks. This means lots of attackers well coordinated, but of course they can only coordinate for cyber attacks as long as they have telecommunications operating. In some senses cyber attack against these systems is self-limiting. The more of them you take down the less connectivity you have to attack the rest.
Problem 2: A large portion of telephony runs through leased lines which are more or less physically controlled at thousands of switching centers. While there is electronic equipment involved, changing many of the circuits involves moving a physical fiber or wire from one place to another. This can not be done by cyber attack. Things like perception management won't do it either because humans are involved and while you could probably fool them into switching a wire here or there, you will not get them to quickly switch the hundreds to thousands of them in every local switching center.
Problem 3: There are other things besides switching centers. Like there are cell sites that are physically distributed throughout urban areas, and there is Internet telephony that runs over cable systems, and there are radio communications for emergency services, and so forth.
Problem 4: There are hundreds of thousands of dedicated professionals that run these systems. They are not perfect but they will try very hard to restore services and they do know what they are doing. It took a few hours to a few days to identify and resolve the problems that have had large-scale effects on telephony in the past and the magnitude of effects has gone down with telephone diversification resulting from deregulation.
As with financial systems, the number of actors that would be required to carry a large enough scale outage and sustain it would be so high that there is no such threat, even though there are vulnerabilities and consequences that in the aggregate could produce worst case consequences.
Nightmare Scenario: A 'zero-day' virus with a highly destructive payload takes out all of the susceptible systems in the Internet in a matter of an hour or less and does damage that cannot be repaired for weeks to months. For example, one recent virus spread to many of the Internet's Windows systems in only an hour or so, and it disrupted services to some extent. If it had a combination of the ability to delete all of the files on all of those systems, a trigger to deny services by sending out packets on all interfaces at maximum bandwidth, and exploited vulnerabilities on several types of systems at once, it could have disabled most of the Internet. But... as usual, this will only partly work.
Problem 1: The Internet operates in a distributed manner - in fact it evolved from the original ARPA-net which was designed to be able to withstand nuclear attack. That means that when you take part of it out, the rest of it just keeps going. Even if you could completely destroy all of the infrastructure between organizations, the 'intranets' within organizations would be largely unaffected for at least days and more likely weeks. The problem of making a virus that penetrates deeply enough into all of the hundreds of thousands of intranets is one that has never really bee solved.
Problem 2: The mechanisms of attack are programs, not people. As cleaver as programmers may be, they are still no match for people. Once launched, lots of people can spend lots of time figuring out what the virus does and finding ways to defeat it. Of course attackers can start virus after virus in a running battle, but while tracking a single virus release to its source may not be very easy, as the pressure on the continuity of the Internet grows, efficiency will be sacrificed and IP address forgery will be prevented, even at the expense of some bandwidth. Large numbers of sensors will be placed and focussed within days, and the response to new viruses will be the harsh and rapid shut down of the assets that induced them. It will not take long before the weaker systems are weeded out and the stronger ones will continue to operate. And don't imagine that there are no strongly defended systems on the Internet.
Problem 3: Destruction is limited by the presence of backups. Restoration of most systems takes less than a day, and the loss of data from one day is typically not that extensive. For systems where loss of such data is critical and the consequences are high there are typically adequate real-time backup and restoration processes in place to mitigate most such attacks. And each system owner does things their own way. As a result, systems without backups will collapse until forensic restoration is done, but systems with reasonable disaster recovery plans in place will recover rapidly and have the services causing the problems disabled.
And of course the final problem always remains that we have hundreds of thousands of trained experts who have a great deal invested in keeping the Internet operating. In times of crisis they come together and fix things. In fact, the student program I used to run produced about 5 students a year that, on their own, could rebuild everything required to recreate a functional Internet in a matter of days. I have bootable CD-ROMs that can create functional Internet capabilities in minutes from bootup. The notion that any threats that exist will be able to defeat the efforts of all of these people is simply unrealistic.
The Internet is perhaps the weakest of the critical infrastructures - probably because it is the newest and in the rush to develop it the usual engineering expertise was abandoned in favor of time to market. Reduced cost was selected over increased assurance with the result of large-scale weaknesses that can be exploited in serious ways. And yet total Internet collapse is simply a pipe dream.
I was one of the first people to publish on the issues related to the growing interdependencies of critical infrastructures in the United States. Of course military planners have understood this since the days of Sun Tzu and in World War 2 it was grown into a mathematical discipline called operations research, but the increased use of information technology and its widespread embedding in critical infrastructure operations caused this to become a far more serious issue in the 1990s. The fundamental questions to be asked are these; (1) How do the interdependencies of infrastructures change the nature of what we have been discussing, and (2) How can information technology be used to amplify effects and to what extent does this change the nature of what has been discussed here?
Interdependencies: The interdependencies of critical infrastructures have a substantial meaningful effect on the analysis of how attacks on infrastructures can work. It makes it a lot more complicated to understand the precise effects of combined simultaneous attacks on different infrastructure elements. For example, if there is a power failure induced by a cyber attack, the loss of power may disable the control systems for water systems, causing a loss of water to hospitals and resulting in patient deaths. These questions are very complex to analyze when you are considering small-scale or effects, but they simplify greatly when you only consider high magnitude consequences.
In essence, the scenarios above show that very few of these interactions can have really high consequences. For example, if the power goes out for a few days, this will not prevent water from flowing. In fact, many water systems have their own power generation stations to recover energy from the gravity-fed water flow. These systems don't need external power at all and become energy providers. Similarly, local water outages will not prevent power from flowing because power is sent across entire regions on a continual basis to balance the generation capacity with the use across seasonal variations (more power for heat in the Winter to the colder areas, more power for air conditioning in summer to the hotter areas). Telecommunication depends heavily on power, but as a result, major telecommunications systems like the telephone system have their own backup power, as do major Internet hubs and switching stations. That's why you can make a phone call during a power outage to get power restored. Unless you can keep power out for several days to a week, you cannot degrade these capabilities. It turns out that there are combinations of things you can attack that cause more damage than others, and as a result, a really skilled attacker can optimize effects by using combinations across infrastructures, but it also turns out that the limits on consequences described above for each infrastructure are essentially unaffected by attacks on other infrastructures.
Amplification: Amplification of effects by information attack is a much more interesting area. The notion here is that a physical attack could have its effects amplified by well-timed information attack. This is a very real issue and amplification is often possible through information attack. A good non-technical example is the degradation of civil rights (governmental effects) generated by information 'attacks' (perception management via the media) in association with the airliner hijacking attacks of 2001/09/11. Many of the components of the US Patriot Act were already in the list of desirable legal changes for many in the nation before the attacks took place, but once the attacks happened, the barriers to getting these legal changes made were greatly reduced, and thus there was a synergistic effect. It turns out that the reduction in civil rights in the US is a desirable side effect for those who practice terrorism. The new alert system in the US magnified the terror effect by keeping the presence of the threat on our minds day after day, and the news media uses fear to keep more eyes glued to their shows. It creates a positive feedback effect that increased viewing which increases fear which increases viewing - the net effect being an increase in revenue for the media. The increased fear also increases the ability to create more governmental changes that in turn induce more fear, and so forth. In case anyone claims that this is basically a political statement and that it reflects some particular view about the Patriot act, check again. People on all sides of this issue agree on all of the facts presented here. While there is a debate about the rationality of where the current balance is set, there is no doubt that informational methods amplified the physical attack to produce rapid political changes.
This paper is an example of how you counter this amplification effect. It should have a damping effect on the exaggerated claims about an electronic Pearl Harbor, that effect being achieved through some more in-depth examination of the facts. The effect of this paper can also be amplified, for example by others choosing to cite it or it becoming popular in the media. Actually, there has been some recent trend in this direction as more and more experts have come out to say that the current claims are being exaggerated.
Amplification is possible in every system described above. For example, by combining cyber attack with poisoning of a water system it is possible to increase the effects of a poisoning, by combining a cyber attack on the telephone system with blowing up some of the key switching centers, its effects can be prolonged, by disrupting the 911 emergency telephone system via cyber attack while doing a series of bombings, the response process can be impacted, and so forth. But while informational amplification can increase the effects of other attacks, those increases do not change the fundamentals of the limits on consequences. Water will still flow, electricity will still be repaired, financial systems will still function, and so forth.
Amplification and Interdependencies Combined: When you combine the interdependencies with amplification effects, it has a tendency to increase effects, but there are also feedback systems that kick in and tend to limit the amplification and inherent limits on rapid interdependency effects. In addition, for an attacker to exploit the combined effects in a controlled manner is likely beyond the current capacity of any threat. A major technological breakthrough and a large-scale research and development effort would be required to get a handle on really prediction and control of such an attack, and it would necessarily involve characterizing human behavior beyond the current capacity to do so.
In any case, even the combination of amplification and interdependencies cannot rapidly drive things to the point where gravity will not send water to drinkers and power plants will no longer be able to get power transmitted to users. The use of the term 'rapid' here is intended to indicate that attacks over days to weeks will certainly not be able to produce these consequences. Indeed only political changes which take a long time to effect these sorts of infrastructure changes have any hope of producing such a situation, and today they are trending toward reducing such potentials.
Before concluding I want to put all of this in context by comparing these scenarios to the ones associated with weapons of mass destruction - nuclear, biological, and chemical weapons. I do this because all of these cyber attack scenarios are somehow put into direct comparison with the serious consequences of these other sorts of attacks in order to get the cyber threat to be taken seriously. Here's how it stacks up:
Nuclear attack: Nominal consequences of a single nuclear attack using a common weapon of today set off at the same place as the planes hit the World Trade Center are on the order of 1,000 times as bad in every way. Estimate 3 million dead or injured, most of Manhattan gone and not reusable for a long time, major - perhaps 10-20% effect on the US economy for years.
Biological threat: In natural disease outbreaks, up to 30% of the population of densely populated regions have been killed in the past. AIDS exceeds this in some areas of Africa and the Influenza epidemic of the early 20th century in America and the Plague in Europe are examples of what a biological weapon could do.
Chemical threat: This is the least lethal of all - with potential for killing up to hundreds of thousands of people in the area near the release.
Each of these are single uses of a weapons system of its sort. The biological is extreme compared to likely effects of modern bio-weapons against modern medicines and methods, but not unrealistic. Now if we look back at the impacts of cyber attack, in what rational way can we compare even the worst case scenarios - if they could even happen at all - to the deaths of hundreds of thousands to many millions of people? The answer is simple. Cyber weapons are not weapons of mass destruction - or disruption - or even worthy of comparison to nuclear, biological, or chemical weapons.
I should start by indicating that this was not as thorough and documented as I normally do such papers, but of course if I did that it would take 100 pages and have thousands of citations and examples along with details of equipment specifications, etc. There was no need. If you don't believe me you can check it out for yourself. You will find what I have found. The sky is not falling.
There will no doubt be many who proclaim that I have missed some scenario or another - and I have no doubt they are right. But my missed scenarios do not change the underlying facts of the matter and nature of the world. There is a reason that things are as they are, there are reasons that people throw around nightmare scenarios, and there are reasons that these scenarios are almost always unrealistic or downright impossible.
For the most part, the fear folks forget about at least one really important thing - the response of the 300 million or so people living in the United States. We have literally hundreds of thousands of professionals who are expert at each of the systems that can be attacked and who not only know how to operate them under failure conditions, but in many cases, do so on a regular basis as a result of natural disaster, computer failures, or planned exercises. Ignoring response always results in total collapse of life as we know it - and taking it into account almost always restores life, liberty, and the pursuit of happiness - in short order.
Finally, the comparison of cyber attack to attack by nuclear, biological, and chemical weapons is utterly ridiculous and whenever the comparison comes up, cyber issues should be dismissed as laughable. It's not that cyber attacks is not important or serious - it's that in the relative sense, it is not in the same class.