1. What's the worst-case scenario as far as such attacks are concerned? How could it be done? Who has the resources to do it?
2. Would giving the President the power to "step in and stop it" do any good whatsoever? How would one "stop it"?
I don't know the answers to any of these questions, and I suspect neither do the politicians or journalists. But hopefully somebody here does?
I do remember that Richard Clarke spent most of his years as counterterrorism czar warning of a "cyber Pearl Harbor". Instead of that we actually got 9/11, so now they're warning about a "cyber 9/11".
I was going to ask the second part of your second question. The answer is, that by the time anyone knew a "cyber 9/11" was happening, the President himself could do nothing to stop it.
Further, this sort of security theater (or is it Security Burlesque?) doesn't really do anyone much good. It's far better to work toward policy and protocol that improves security a little bit across the board, rather than nit-pick little specific threats. For instance, throwing a lot of time and money at locking down SCADA at nuclear power plants isn't going to help as much as making sure there's a sane firewall review policy in place.
The answers to #1 would probably be:
a. Infiltration of networks belonging to Federal Government, Military, and private defense organizations. Maybe other massive-scale breaches of smaller government entities, hospitals, etc. - Communications shutdowns, leakage or destruction of data, etc. It's really hard to tell. I don't believe in a "Live Free or Die Hard" movie-plot "Firesale" scale of carnage, though.
b. If you look at Operation Aurora, though, and consider the fact that a dedicated team of skilled attackers could potentially sit in wait, persisting without causing much trouble, over long periods of time... you see where it could go.
c. Folks who don't like the U.S. but have strong technical skills. As you can imagine, that's not exactly a TINY group of people. They'd also need someone or a group of people who are good at coordinating things.
Simultaneously disabling the commercial and residential power grid across one or more major metro areas while disrupting the GSM systems, on which multiple emergency response and industrial systems piggyback. This attack is (a) plausible and (b) almost entirely out of the jurisdiction of municipal, state, and federal governance.
(2)
No clue.
(3)
He warned about actual 9/11 too, you know.
PS:
I am not one of these "cyberwar" people. I don't care what happened to Estonia. Nobody's going to launch missiles or crash planes (at least, I don't think they will). But like it or not, there are plausible attacks on critical private infrastructure.
This bill (or something like it) comes up over and over again here. So, let me repeat myself as tersely as possible: the people who wrote this bill are probably not trying to take over the Internet. The private-sector networks that they are probably concerned about are the GSM and utility networks, as well as networks used by privately owned mass transportation operators. These networks are indeed vulnerable to serious attacks. No, "just don't plug them into the Internet!" isn't an answer to that.
Arguing that 9/11 can happen in cyberspace is complete idiocy. No one will die if crackers take out the IRS database, unleash a worm, or release credit card data on everyone in the country. Saying these two events are somehow equivalent really takes away from the meatspace event that changed America forever.
1. What's the worst-case scenario as far as such attacks are concerned? How could it be done? Who has the resources to do it?
2. Would giving the President the power to "step in and stop it" do any good whatsoever? How would one "stop it"?
I don't know the answers to any of these questions, and I suspect neither do the politicians or journalists. But hopefully somebody here does?
I do remember that Richard Clarke spent most of his years as counterterrorism czar warning of a "cyber Pearl Harbor". Instead of that we actually got 9/11, so now they're warning about a "cyber 9/11".