Matt Gurney: You wake up in the middle of a cyber war. Do you know it?
Any of us could wake up one day and realize the power and internet were out, and the radio stations, too. Who'd tell us why?
By: Matt Gurney
You wake up to your cellphone alarm buzzing. It's still dark, before dawn. You'd set it 30 minutes earlier than usual because the weather report last night said there was snow on the way and you figured you might need extra time to get the driveway shovelled before setting off to work this morning.
Your better half is still snoozing beside you. No sounds of wakefulness from the kids' rooms, either. You reach out and silence your phone, and notice that the old clock radio on your night table is out. Hmmm. Looking around the room, you notice that all the power seems to be out, actually, and the room is already cooler than you'd expect. You pick your phone up and see it's only got half a battery charge. The power must have gone out before it had time to get up to 100 per cent.
Ah well, these things happen, you think. And after all, there was that snow storm. You open up your phone's web browser to check some news sites to see how widespread the outage is. Huh, that's odd. It won't load. You open your Twitter app — you can check the news there, too. That won't load either. Nothing will. Even with your home WiFi is down because of the blackout, you should still have mobile data, right? Then you notice the little warning at the top of the screen: No service. No new emails have arrived since shortly after midnight. No instant messages or texts since then, either. No new news alerts. No new social media notifications.
After a quick stop in the washroom, using the light on your cellphone to do what needs doing, you head downstairs, taking care not to wake anyone else. Once suited up in your winter gear, you get to work clearing your driveway in the dark, wondering if you'll even end up heading into work today. Will the office open if the power is out there, too? By the time you're done digging out the cars and clearing off the driveway and the stoop and your portion of the sidewalk, the sun is starting to come up and you're sweaty and your back is sending warning twinges. It’s nothing a hot shower wouldn’t fix, but you realize with a wince that with no power, the tankless heater is down — a cold shower will have to do. Great. Before you head in, though, you get into your car and turn it on. You put on the radio and hear ... nothing. You punch through the different preset stations. They're all off the air. You scan the whole dial. You hear a few distant transmissions, but they’re too garbled. That's really weird. A bad feeling begins to descend. You pull out your cellphone and try to text your boss to tell her you might not make it in today. The text immediately fails. It won't send.
The scenario above came to mind last month, the day after U.S. President Joe Biden and Russian President Vladimir Putin had a two-hour video conference to discuss tensions regarding Ukraine. A column about that crisis alone ought to take thousands of words, but a too-short version goes something like this: Russia seems to want, at the very least, political dominion over Ukraine, if not to conquer some or all of it outright. It has thousands of well-armed troops on the Ukrainian border, is sending many more, and had previously seized and annexed parts of the country by force in 2014. There has been sustained fighting along the new border ever since, though at a level below that of all-out war.
Ukraine is not a member of NATO, and we are not obligated by treaty to defend it. But the U.S., Canada and other allies have interests, even if they don't have treaty commitments, and a Russian-dominated Ukraine is not in our interests. Biden has warned Putin of sharp economic sanctions and vague "other measures" should Russia invade. Putin seems unimpressed.
Trying to make predictions about geopolitics is an unrewarding task. I don’t know what Putin is going to do, and no one knows what accidents of history might trigger a disaster no one wanted. (Remember: the assassination of one Austrian archduke in 1914 changed the course of history and killed many millions.) It’s very possible that Putin is posturing, testing allied resolve and has no intention of firing a shot. Hell, maybe he intends to fire many shots, but will be deterred or get cold feet and find some way to come down. And even if things do get hot, a war between Russia and Ukraine, though dangerous and destabilizing, doesn’t automatically impact global security. Even if Russia does attack Ukraine, NATO would probably work very hard to stay out.
So yeah. Caveats and qualifiers abound. But if the last two years have taught us anything, it's that things that can go wrong sometimes do go wrong. So let's indulge in some hypothesizing. I say again: this is speculative, but it’s speculation we all ought to be pondering in the backs of our minds. If we did end up in a military conflict with Russia, what would that mean? What would that look like?
There hasn't been a major armed conflict between advanced nation-states in many years — decades, really. (This is a good thing, to state the blindingly obvious.) And superpowers (or their rather bedraggled successors) certainly haven’t openly clashed in a big way. There have been skirmishes, of course. India and Pakistan trade fire routinely. Israel whacks the odd target inside Syria. China and India have had border clashes of late. But it has been a long time since two large, powerful and modern military forces controlled by strong, organized nation-states (or alliances) openly fought, using most of the weapons in their arsenal. During that period, something has dramatically changed: our societies have grown absurdly dependent on digital technology, particularly the internet. We don't need to send bombers and missiles to attack the enemy anyone. We, and the hypothetical they, can unleash lines of code and accomplish much the same at much lower cost, and with somewhat greater deniability.
So. If there were to be a war between the West and another advanced nation or alliance, and they unleashed a major cyberattack on us, what would that look like? How long would it take us to realize it had happened?
It’s a question that needs to be pondered because up until now, war has been pretty recognizably war. Whether it’s a band of guys with animal-skin armour and axes wandering over to seize your crops or a few divisions of Nazi panzers racing for your capital, war, though awful, was not hard to spot. You’d know it when you saw it. The lines can blur a bit where terrorism, piracy and banditry are concerned, and insurgencies are infamously messy, but actual organized warfare between nations and alliances is overt and obvious. Even during the Cold War, when a Third World War could have been fought entirely from command bunkers and missile silos far from the enemy homelands, we’d have known what happened when mushroom clouds bloomed out of blinding flashes.
Would this be true of a cyber war? Would you know it from inside one?
We've certainly seen cyber attacks before, but no one truly understands what a full-scale cyberwar between advanced states would look like, and even the likely combatants are only beginning to understand their own capabilities and, indeed, their vulnerabilities. There are no international conventions governing this, and no established set of norms. We do know that Russia has invested heavily in cyber-warfare capabilities, and has used them. They have the tools and willingness to use them. And as I lay in bed pondering these happy thoughts, it occurred to me that any of us could wake up one day, realize the power and internet were out, and the radio stations, too, and not have any idea that we were even in a cyber war. Hell, it could be days before someone in the government was even able to tell us.
So let's just consider a scenario. It's of my own creation, but I've drawn heavily from published sources and interviews with cybersecurity experts (given that they work for North American governments, they wished to remain anonymous). My scenario is simple: someone does something stupid in Europe, and open conflict breaks out between NATO and Russian forces. Russia's forces in the region are more numerous and better prepared, but Russia also knows that, given time, NATO can marshal more resources. Knowing there is enormous risk in directly attacking the major NATO countries, particularly North America, and with absolutely no desire to resort to nuclear weapons for fear of retaliation, Russia seeks to buy time for its ground forces by tasking its own agencies and deniable cyber proxies with a simple mission: create chaos in the enemy's homelands. A thousand cyber attacks spring to life at once, without any warning, hammering public utilities, government ministries, banking systems, major corporations, the traditional media, and the backbone of our telecommunications. Not every attack succeeds. But enough do. The lights go out. The phones go silent. The internet halts.
The scenario above isn't even the worst-case scenario. I haven't assumed any attacks directly on the health-care system, air traffic control networks or food distribution. But it's certainly a bad scenario, because these attacks would compound upon each other. Assume, for instance, a successful attack on the North American power grid results in widespread outages and some damage to critical infrastructure (cyberattacks alone can destroy electrical grid components). Imagine trying to begin a repair effort, requiring thousands of personnel, huge quantities of specialized equipment, and stockpiles of spare parts, but without the ability to communicate with any of the people necessary. Email and cellphones are down, remember. The social media companies are offline. Radio stations, those with backup power, would probably have some limited broadcasting capability left, but without cellphones, emails and the internet, the hosts in the broadcast booths would be as cut off from information as the rest of you. They can’t broadcast what they don’t know.
I stress again how speculative all of this is. It’s never happened before, and hopefully never will. It’s also worth noting that the COVID-19 pandemic has shown us that our systems have generally been robust. While the North American pandemic response has hardly been a runaway success story, our institutions and systems have bent more often than they’ve broken. Despite enormous pressure from the virus and political failures too numerous to count, in the main, the people on the frontlines have figured out how to cobble just enough resources and sheer grit together to get through another day. There is indeed, as Adam Smith told us, a great deal of ruin in a nation.
That’s the good news, as it were. The bad news is that nothing I’ve sketched out above is particularly hypothetical, even if the scenario is.
Our power grids are notoriously vulnerable to cyber attack. The sheer scale of the grid offers some degree of redundancy, but that scale also makes it damned hard to secure, since there are so many different operators and government jurisdictions involved. No one who’s studied this doubts that a sophisticated cyber attack could take down the power grid or large parts of it; worse, no one doubts that a motivated attacker could bring down the grid in a way that caused real-world physical damage to both power generators and transmission lines (it’s not hard to trigger a deliberate overload, sadly). Our governments know this, and even run war games to simulate what such an attack could be like, but precisely zero of the people I’ve spoken to about this issue over the years has any confidence that the grid wouldn’t fold like a cheap suit if a reasonably competent bad actor took a hard run at it. There were a range of views on how quickly we’d get the grid running again. They ranged from days to weeks, or longer, for a total restart; assuming no physical damage, some local restoration may be possible in hours. But long-term widespread outages across enormous areas would be near certain.
Telecommunications are another obvious vulnerability because of the reliance of our modern economy. And, again, these networks are known to be vulnerable. The experts I spoke to were generally more optimistic that our telecom companies are preparing for high-level attacks. As (mostly) private enterprises, they can spend the big bucks they feel warranted on security without the bureaucratic lag faced by governments; they also have fewer competing demands for each investment dollar. But “more optimistic,” alas, does not mean confident. There was no doubt among my sources that telecoms could be brought down; indeed, American researchers discovered in 2019 that hackers, likely motivated by good old-fashioned greed and looking to target high-profile individuals, had utterly compromised a series of telecom networks on multiple continents. Their motives seemed to be pure theft and spying, but the researchers discovered that the hackers had so thoroughly infiltrated the telecoms’ networks that, if they’d chosen to, they could have just turned them off entirely, while doing all kinds of damage to frustrate efforts by the companies to regain control and restart their own systems. We have to assume that a motivated nation-state is more than capable of pulling off a similar feat.
It’s all somewhat academic, though. Many telecoms will have limited redundant backup power, enough to maintain some operations in the event of a local blackout due to a storm or a car smashing into a utility pole. But widespread independence from the grid? No, at least not for long. If the power grid goes down, the telecoms won’t stay up.
Would it be that bad? Would all the power go down, all the cellphones? I can’t say for sure, but for what it’s worth, I think not. No attacker ever bats a thousand. Some of their attempts would fail. Some defenders would get lucky, or be unusually good. Parts of the continental grid would survive or be quickly restored. The question would then be how much of a functional grid is necessary to operate as a coherent society, particularly in a war (or something near to it). The danger isn’t that Russia or another enemy turns our utilities off forever. The danger is they turn it off just long enough to take whatever actions they’re planning to take and pull it off before we can do much about it.
For my scenario above, waking up in the dark, cold and clueless, all it would take would be to target electrical grids and telecoms. There are many other things that could be damaged on top of these things, or even, instead. (Imagine a scenario where an enemy leaves the power grid up, but cripples the banking system. Fun!) None of this should be taken as a prediction of what Russia or another sophisticated enemy would do, and God knows it would be a huge risk if they tried. Deterrence isn’t limited to nuclear war — the U.S. and its allies could launch comparable cyber attacks on an enemy if desired, and that knowledge will hopefully make such events less likely.
But the scenario above could happen. The experts agree it’s possible. Indeed, in a strange coincidence, as this column was being finalized, the Globe and Mail reported that Canada’s cyber security experts are directly warning our government officials and industry leaders to prepare for exactly the kind of scenario I’ve laid out above. And for a good, simple reason: this kind of attack is well within the technical means of our geopolitical rivals, and it’s not hard to imagine a realistic scenario where they might choose to employ such a tactic. If so, it would be up to our governments to figure out how to respond — once they regained the ability to stay warm and talk to each other, at any rate.
But for us, the millions of people who’d just wake up in it, alive but cold and cut off, we’d spend the opening act of the world’s first full-scale cyber war simply trying to keep warm, and probably without realizing a historic event, with tragic consequences, was even happening, let alone that we were part of it.
The Line is Canada’s last, best hope for irreverent commentary. We reject bullshit. We love lively writing. Please consider supporting us by subscribing. Follow us on Twitter @the_lineca. Fight with us on Facebook. Pitch us something: firstname.lastname@example.org