
Here are the 'cyber 9/11' scenarios that really worry the experts - SREinSF
https://www.cnbc.com/2018/11/18/cyber-911-scenarios-power-outages-bank-runs-changed-data.html
======
badrabbit
Bricking every Intel CPU, using a likely 0 day in JunOS and ASR routers to make
them all inoperable for a few days, similar wipe outs of cloud provider
infrastructure come to mind.

But if I was the well resourced attacker I would use multiple teams and target
a diverse variety of important services and infrastructure and coordinate a
phased long term (weeks) attack. I would not cripple the internet as a
whole, especially social media. In battle, hiding your location and intent is
crucial to victory.

Social media would play a critical role in sowing confusion amidst the chaos.
Isolate part of the country and spread a message that some internal political
group (antifa or alt-right for example) launched a physical WMD attack, use
access to Fortune 500 company networks to send emails and other communication
indicating internal collapse of the companies, one corp is going
bankrupt, another has been lying about profits is under SEC investigation.
Chaos after chaos. The goal of a "cyber 9/11" would not be to cripple the
internet but (imho) rather to exploit it to achieve three independent goals:

1) Long term (multi?)National and Economical instability and possibly
collapse.

2) Make the internet as it stands today a mortal threat to society.

3) As a precursor to a physical invasion. The kinetic attack would be only one of
the many rumors and reports being circulated. Any and all damage to your
enemy's communications brings you one step closer to victory with minimal
effort.

More on goal #2: The goal of 9/11 was not to kill some Americans. The goal was
to destabilize the west by attacking important symbols of economic and
political prosperity. It worked, economy was only momentarily destabilized but
17 years later America and the west are grappling to keep their democracies
and basic freedoms. The goal of terrorism is to terrorize not to merely
kill (which is why mass shooters are not labeled terrorists, their intent is
murder not change through terror). A Cyber 9/11 would have similar goals where
the intent is to change and cause long term weakening of the adversary.

What makes the internet strong is not BGP, DNS and secure operating systems.
It's the fact that people trust it for reliable and resilient communication
and governments view it as a strength to their political and economical
stability as opposed to a dangerous liability. The goal of terrorism is to
change your beliefs so that fear resulting from the attack changes your policy
and principles.

~~~
tyingq
I accidentally stumbled on an interesting approach to sow discontent. There
was a forum that was hotlinking a "words to images" script I had on one of my
websites. They would post these images as their "text" instead of plain text.

It was hammering my server, so I changed up the script to return random
inflammatory and/or inappropriate images if the referer was this forum site.

I was using the source IP as the rand() seed, so everyone on the forum had a
different view of the images, but consistent in that it remained constant for
any single user.

The resulting chaos and infighting was pretty funny until they figured it out.

~~~
CM30
This is what I consider/fear the next 'step' for 'fake news' and weaponised
propaganda. Giving different audiences different content, and using those
differences to turn them against each other.

Picture this:

You've got a story which is seemingly very controversial, and will rile up one
side of the political spectrum.

However, this story is only shown for say, 10-20% of your readers/viewers, and
the rest get an innocuous story, or one that says the complete opposite.

Now the ones affected by it will post it on social media sites and forums,
saying that this is proof of how 'evil' the other side is.

But the others there can't see the same story, and will think said users are
trolling them. After seeing them keep posting comments about how some minority
group is evil with links to innocent stories about kittens and puppies, said
users get banned.

This causes said users to think they're being targeted by the other side, and
then every story they see on the site is designed to build off that. Make the
forum/social media/news site owners out to be illuminati pawns or what not and
their banning policies a way to stifle dissent.

Voila, the site has now basically weaponised A/B testing, and created a
localised echo chamber to gaslight its readers into more and more extreme
mindsets.

That's basically the nightmare scenario. Imagine an enemy state like Russia or
China using it against the alt-right/antifa/whatever. Or activists using it to
recruit followers.

Worse still, imagine it with compromised browser extensions as well. Imagine
if a foreign government managed to do this in a way that could let them edit
the text on fact checking sites like Snopes or major media outlets like the
BBC or CNN or what not. Now that could have some worrying consequences.

Still, it wouldn't be impossible to fix/detect. Set up sites like
Reddit/Hacker News to automatically archive pages linked to, and send users to
the archive rather than the original unless they choose to click through.
Avoid using any browser extensions at all, with hosts file blocking for things
like ads rather than Adblock/uBlock/whatever. Ask others to double check what
every page you see says to make sure it hasn't been compromised/doesn't show
different things.

Do that and you can at least minimise this style of dissent sowing.

~~~
dragonwriter
> This is what I consider/fear the next 'step' for 'fake news' and weaponised
> propaganda. Giving different audiences different content, and using those
> differences to turn them against each other.

That's not the “next step”, it's an established practice. Notably, the recent
Russian propaganda effort directed at destabilizing the US via false flag
social media accounts and other channels was noted for doing exactly this.
(They didn't invent the general concepts either, it's much older.)

The actual _mechanism_ in your example would be a bit novel, but it's also
fairly easily accidentally penetrated, because real humans aren't 1:1 to
online personalities.

~~~
TheOtherHobbes
This is literally how the Brexit vote was won.

Cambridge Analytica used personal profiles scraped from FB and (allegedly)
from insurance company customer details to run ads that were _precisely_
tailored - almost down to specific users.

It only took a small swing to push the vote over the line.

~~~
nradov
You really have no idea whether people voted a certain way because of those
ads or in spite of those ads.

~~~
barrow-rider
Marketing works, we've had 100+ years to tweak it and justify marketing's huge
budgets. Tweaked ads work too.

Furthermore, why can't it be both, because of AND in spite of those ads?
Successful propaganda often uses false images from another perspective to
generate scorn, e.g. obviously idiotic comments from tumblr SJWs
(r/tumblrinaction, for example) who are likely sockpuppets.

Regardless, marketing is about numbers on the whole, not whether Bob or Sheela
specifically voted -- and on the whole it worked for Brexit.

------
miketery
I think prior to cyber 9/11 we're more likely to see actors executing attacks
for financial gain. i.e. for competitive advantage or market manipulation.

> A hacker took over the Twitter account of the Associated Press in 2013,
> tweeting "Breaking: Two Explosions in the White House and Barack Obama is
> injured." The stock market instantly fell 143 points.

Regardless, our best defense is diversification/decentralization - which goes
against normal economic development (mergers and centralization). But as the
risk increases (more attacks) - then the balance will shift to support
diversification (well I hope).

~~~
partiallypro
Wouldn't work very well, even in your example you'd have to be a very quick
trader and the SEC would catch it immediately after the fact. Whatever the
attack, it would have to be very real not some fake event.

------
FloNeu
Well - and all they really needed was Facebook... a mad reality TV star, and a
mass of uneducated Americans...

------
jacquesm
A cyber 9/11 would be the prelude to a shooting war if committed by a nation
state. 9/11 was not conducted by a nation state.

~~~
badrabbit
Depends on your perspective, they acted on behalf of Islamic states, although not
directly supported. Their backing isn't as important as their intent. For
example, North Korea supports APT groups that operate with loose connections to
Pyongyang, it's rumored one of these groups (Lazarus?) was behind the Sony hacks
which were effectively a much smaller act of cyber terrorism. They attacked to
terrorize Sony into changing its release of a movie mocking their leader.

~~~
jacquesm
I don't think the Sony hacks register on that scale.

But hacks against a country's infrastructure would.

------
hummingurban
When a foreign adversarial state launches 'cyber 9/11' it would imply a few
things:

1) The offending country is willing to escalate/desires to provoke skirmishes
that may lead to major battles with or without conventional military.

2) The offending country is so desperate, the only way to reboot their economy
is to start a losing battle so it can be rebuilt.

3) The economy of the offending country is so skewed at the top of the
leadership, they are willing to thin the herd using foreign intervention, and
build up a zealous supporter base who is out for blood for vengeance.

TLDR: The adversarial state will launch a 'cyber nuclear' attack when it
thinks it is fully ready to take the brunt of 12 American carrier groups armed
with manned and unmanned stealth fighters.

~~~
z3phyr
What if you can't figure out who the offending country is? The USA like any
other nation is just some people who have emotions and psychology that can be
tinkered with. How about six American Carrier groups against the other six??

~~~
clubm8
> What if you can't figure out who the offending country is?

Sounds like a great excuse to take out all the "usual suspects" at once.

~~~
z3phyr
Theoretically, in a world without consequences the USA can take out multiple
powers very easily.

Practically (and without usage of nuclear weapons), the USA can barely handle
attrition. Also the USA has not fought a conventional war with another
competent regional power since World War 2 and that too was with many allies.

~~~
badrabbit
Even something like Vietnam would be very difficult now with all the internal
division and the prelude strife they'll cause.

------
aviv
The cyber 9/11 will be done by rogue AWS employees who are part of a sleeper
cell at Amazon.

~~~
wrinkl3
This is an interesting idea: how many Big-N companies have sleeper cells,
capable of wreaking havoc the moment they're called upon?

------
tyingq
Some sustained attack against a core function worries me. DNS, BGP, etc.

~~~
ggggtez
Hitting DNS would probably take down credit card payments, but I think the
worry about hitting electric/water grid is a step up in terms of how immediate
the danger would be to actual lives.

~~~
cronix
I think electrical is all you'd really need to take out. If it were an attack
like Stuxnet, where it physically destroys the power generators, we will be in
for a very long ride without electricity. Potentially years. The generators
can get so hot they just melt/fuse internally, permanently destroying it. And,
it can take many months to years to get a replacement. They're not just
sitting on a shelf somewhere, and if dozens or hundreds are needed
simultaneously... Seeing as how everything is centered around electricity,
including water pumps, internet, financial systems, gas pumps (knocking out
the whole supply system), etc., it would be game over and we'd be in a Lord of
the Flies situation. Think about shutting off the failsafes on a nuclear power
plant and ramping it up to run outside of normal parameters causing a
meltdown.

PBS - NOVA (CyberWar Threat):
[https://www.youtube.com/watch?v=0EnTLju9_cE](https://www.youtube.com/watch?v=0EnTLju9_cE)
Watch the whole thing, but check around the 37min mark for demos with
generators.

PBS - NOVA (Rise of the hacker):
[https://www.youtube.com/watch?v=-ZdasoAGMQs](https://www.youtube.com/watch?v=-ZdasoAGMQs)
This gives a very good description of Stuxnet, which is released out in the
wild now for anyone to use. THAT, is downright scary.

------
ohiovr
A nation won’t play this hand without expecting to back it up with standard
military options. So when things get to that point it should come as no
surprise.

------
crb002
Remotely rooting automobiles during rush hour to accelerate.

Several models now stupidly designed with media systems on same wire where it
is physically possible.

------
onetimemanytime
Question: do HN-ers think that Russia and/or China have the capability of,
say, shutting down our grid or water supplies? The army would have to restore
order
[https://en.wikipedia.org/wiki/New_York_City_blackout_of_1977...](https://en.wikipedia.org/wiki/New_York_City_blackout_of_1977#Effects)

I think they do, but we can return the favor.

------
gcb0
it's very telling how everyone here is making the same mistakes USA
intelligence made on 911 itself.

911 was some internal actors, sponsored by some CIA trained warlord who they
forgot from 20 years before, but they could only see attacks coming from big
nation states.

Here the comments are making the same mistake. cyber 911 can be something like
a random operative who was given some covert training and now focus it on the
country who trained them. instead everyone can only see full blown world war
from well organized and funded nation states.

my guess: the (israeli?) company the US outsourced scada attacks on iran
(stuxnet) will start selling the same tech (which most US facilities are still
vulnerable to) to other actors, such as north korea or syrians who felt betrayed
with the US constant side-changing.

~~~
stef25
> 911 was some internal actors, sponsored by some CIA trained warlord who they
> forgot from 20 years before, but they could only see attacks coming from big
> nation states.

Despite popular opinion, Bin Laden wasn't trained by the CIA or a hero of the
Afghan jihad. He hid out in caves in Pakistan for the most of that war and made
occasional forays into Afghanistan with a rag tag group of "fighters" whose
exploits were comical more than anything else.

Bin Laden's family very much wanted him to "stop dicking around", as did the
Saudi govt and secret service. If I'm not mistaken he was persona-non-grata in
Saudi Arabia and the only country that would have him was Sudan, where he
lived in squalor, even before 911 happened (source: The Looming Tower).

> cyber 911 can be something like a random operative who was given some covert
> training and now focus it on the country who trained them

Most of those tools are for espionage, not warfare. Stuxnet was sabotage,
highly specialised and took huge amounts of effort to develop and deploy.

Afaik Middle Eastern hackers are mainly defacing websites and N-Korea is
hacking entertainment companies and robbing banks.

The cyber realm is different from the physical world in the sense that it has
many more eyes on it than 911 had during the planning phase.

Stuxnet was discovered by a tiny E-European IT shop and examined by a handful
of people working in the private sector.

To really start a war using software (say by launching missiles) you'd need
highly specialised, precisely targeted tools that aren't lying around to be
sold by rogue agents.

~~~
TheOtherHobbes
To really start a war you need to persuade the people with the missiles they
should launch them. Or maybe that voters should elect someone who is more
likely to launch them.

That's a whole lot easier than hacking into the launch systems.

------
catacombs
It's only a matter of time before foreign hackers have the power to turn off
the United States' electrical grid. Look how Russia did it in Ukraine.

~~~
olivermarks
Decentralizing the attack surfaces would go a long way to mitigating 'turning
off the grid'. The US arguably has the advantage of their grids being lots of
different grids patched together and run by 500+ companies.
[https://en.wikipedia.org/wiki/Continental_U.S._power_transmi...](https://en.wikipedia.org/wiki/Continental_U.S._power_transmission_grid)
Against that there are probably lots of backdoors and security lapses amongst
all these daisy chained systems...

------
keyme
I think a cyber 9/11 is just about the only thing that'll make us get our shit
together in this industry. Hopefully it happens before cyber WWI.

------
Theodores
Hacking some financial system or industrial control isn't really the big
threat demanded of 'cyber warfare' that is just sensible information security,
building systems to best practice, reviewing them and updating as per normal.

The real danger is an idea that gets all too popular.

For instance, there could be a new climate change type of group that comes along
and gets too much mindshare. In fact there was a new group who closed five of
London's bridges the other day. I doubt that they will be the group from which
big ideas emanate from to take over the world but you never know.

So the case can be made for all of this extra spending on the basis that it is
all there to do things that sound sensible - 'Internet Security' - but there
is capability being built for the more nefarious 'cyber warfare', making sure
ideas that threaten business as usual get taken out.

~~~
isostatic
For those confused, the op is complaining because some protesters staged a
protest on a few bridges in London last week over their view that the UK
government is not doing enough to tackle climate change. Civil disobedience
existed well before the internet, on a far larger scale.

~~~
Jedi72
I knew this was going to happen, because I read it on the internet. If the
government had censored it, then as far as I know it didn't happen, never even
existed. There could be people trying to organise similar things in Australia
right now, and the message isn't getting through the censors. 1 passionate
activist can't shut down a bridge. Governments inherently fear any disruption
to the status quo, but it's how virtually all social progress is made.

~~~
isostatic
> There could be people trying to organise similar things in Australia right
> now, and the message isn't getting through the censors

How on earth did Gandhi organize the Salt March without Twitter.

China struggles to censor the internet, how on earth do you expect people to
believe that Australia does.

