Last week the Wall Street Journal reported that government officials believed that the hacktivist group Anonymous might in a couple of years time acquire the capability to take down the power grid. The digerati did not care for such alarmism.
One critique of the report (mine) was that the paper’s reporting was third-hand and credulous. Another widely espoused criticism was that attacking critical infrastructure did not fit the modus operandi of Anonymous. It simply would have no motive to cause widespread damage; quite the contrary, Anonymous sees itself as fighting for the people against the powerful.
Now a new article by Thomas Rid of the War Studies Department at Kings College London makes me think that even the notion that Anonymous could acquire such a capability is highly questionable. Rid’s thesis is that the more destructive a cyber weapon is, the more expensive and difficult it will be to produce, especially in terms of the intelligence needed about the target. And as a consequence, such cyber weapons will be very specific to targets, not easily repurposed, and unlikely to cause collateral damage. He writes:
A thorough conceptual analysis and a detailed examination of the empirical record corroborates our hypothesis: developing and deploying potentially
destructive cyber-weapons against hardened targets will require significant resources, hard-to-get and highly specific target intelligence, and time to prepare,
launch and execute an attack. Attacking secured targets would probably require the resources or the support of a state actor; terrorists are unlikely culprits of an equally unlikely cyber-9/11. The scant empirical record also suggests that the greatest benefit of cyber-weapons
may be using them in conjunction with conventional or covert military strikes, as Israel did when it blinded the Syrian air defence in 2007. This leads to a second
conclusion: the cost-benefit payoff of weaponised instruments of cyber-conflict may be far more questionable than generally assumed: target configurations are likely to be so specific that a powerful cyber-weapon may only be capable of hitting and acting on one single target, or very few targets at best.
The record of cyber attacks, such as it is, seems to corroborate this idea. DDoS attacks are common, while cyber weapons like Stuxnet are rare and highly targeted. (So targeted, in fact, that over 100,000 computers have been harmlessly infected with Stuxnet.) Malware that can steal information or zombify computers to be used in DDoS is general purpose. Asa result, thousands upon thousands of machines are compromised. In contrast, SCADA systems used in critical infrastructure are so specific that known attacks are very few and very caveated.
If Rid is correct, it’s not clear to me how Anonymous could acquire the capability to successfully attack critical infrastructure. Anonymous would have to, in secret, select one specific target, then gather serious intelligence on its SCADA installation, then find a vulnerability to exploit, and do this in an environment in which critical infrastructure providers are taking greater notice of cyber risks. This is the sort of operation that would seem to require centralized planning and staunch discipline, two attributes that with all due respect I wouldn’t ascribe to Anonymous.