60 Minutes’ recent NSA report has already drawn harsh criticism — but for computer security experts, one particular claim stands out. Stressing the importance of the US Cyber Command, General Keith Alexander put out a shocking idea: nations are using malware to try to bring down the US financial system, and if his agency doesn’t keep an eye on the web, they won't be able to stop it.
"It could literally take down the US economy."
NSA director of cyber defense Deborah Plunkett described the threat as a BIOS attack, kicking in as soon as a computer boots up and rendering every device it touches completely inoperable. It's the kind of thing antivirus companies like Symantec have been warning about since the '90s, often with the help of journalists — but Plunkett was saying she'd seen it in the wild. "One of our analysts actually saw that the nation state had the intention to develop and to deliver, to actually use this capability to destroy computers." She painted the attack as a cascade of destruction, laying waste the nation's technological infrastructure. "It could literally take down the US economy," Plunkett warned.
So, could it? NSA skepticism aside, should we be bracing for the kind of worst-case-scenario worm that Plunkett describes?
On some level, the idea isn't as implausible as it sounds. While most attacks focus on low-level fraud like identity theft, it’s still easy to imagine a state actor doing more damage. We've also seen a growing number of threats to stock exchanges, so it's not as if financial architecture is immune to malware. Plunkett's scenario is intentionally vague, meant to conjure up an abstract threat, but that doesn't mean weaponized malware isn't a real issue. China has already used the tactics to tap foreign ministries' devices, while legal malware-for-hire businesses make millions selling their wares to governments.
"The damage would be no more disruptive than a major east coast blizzard."
Still, it's just not clear the attack would inflict the apocalyptic levels of damage that the NSA would have you believe. Nicholas Weaver, a computer science researcher at ICSI, studied the so-called "worst-case worm" scenario for DARPA in 2004, and says the risk of "self damage" (that is, damaging their own networks with the worm) would be enough to dissuade any attackers. At the same time, an attack would need to infect a huge number of computers to be truly disruptive. Even if a quarter of all PCs were unrecoverable (a huge feat in itself), the result might be more of an inconvenience than a crisis. Even if the attack closed government offices and stock markets for a day, it's hard to say if it would have any long term effects. "In retrospect, I believe our damage estimates were high," Weaver says. "The resulting damage would be no more disruptive than a major east coast blizzard."
"If [China] crashed the US economy, they'd crash their own economy."
At the same time, the political logic behind the attack is even more confounding. Tracing the attack back to its source would be fairly easy, leaving would-be attackers with a lot of risk and very little reward. Even stranger, to many observers, has been the proposition that China would even want to crash the US economy. "They already have that ability in a way we can't really control, because they could crash the dollar really easily," says Marcy Wheeler, who has covered the NSA extensively at her blog Empty Wheel. "But they haven't done that, because if they crashed the US economy, they'd crash their own economy."
US Cyber Command isn't in the anti-virus business
In fact, we already know what state-sponsored malware looks like, and it's a good deal less splashy than 60 Minutes would have you believe. It's more espionage than warfare, whether it's stealing industrial secrets, peeking into journalists' emails, or targeting opposition-group activists. The goal isn't destruction, but surveillance. When the programs do turn violent (say, in an Iranian nuclear plant), it's more of a targeted strike than a carpet-bombing. If a country genuinely wanted to destroy the US economy, it would be better off using actual bombs. Computer warfare, for all its dangers, simply isn't that devastating.
But there's an even bigger question that Alexander hasn't come close to answering: in the event of such an attack, what would the NSA actually do? The US Cyber Command isn't in the anti-virus business, and there's no evidence that it has any capability or interest in defending the larger web. The US is the world's largest buyer of malware, and aside from government-owned infrastructure, it's a purely offensive program. It's not like conventional warfare, where soldiers fight other soldiers and planes shoot down other planes. Our malware and their malware can share the web quite easily, and private firms will be left to deal with the collateral damage. The claim is that these programs make Americans safer on the web, that we're better off as long as the US is winning the cyberwar — but it's not true. The only result is more victims, from Uyghur dissidents all the way up to The New York Times. And when they discover they've been targeted, the NSA will be nowhere in sight.