The Pulse: Brace for havoc of a cyberattack
Massive power outages. Mass transit disruption. Financial markets closed. Superstorm Sandy? Yes. But also the possible result of a cyberattack, to which we remain vulnerable.
Before the storm, it was difficult to envision the havoc that could be wreaked by computer shenanigans. But now that risk should be readily apparent to us all. What remains to be seen is whether Sandy serves as a wake-up call in the face of this ongoing risk - one that lasts long after power has been restored, water has receded, and homes are rebuilt.
Just 10 days before Sandy struck, I spoke about the prospect of a cyberattack with Richard Clarke, who served three presidents as a senior White House adviser. Over the course of 11 years, he held the titles of special assistant to the president for global affairs, national coordinator for security and counterterrorism, and special adviser to the president for cyber security. I tracked him down after Defense Secretary Leon Panetta's speech at the Intrepid Sea, Air and Space Museum in New York City warning that we face the threat of "cyber Pearl Harbor" because of our vulnerability to hackers who could dismantle our power grid, disrupt our mass transportation systems, and interfere with our financial markets.
Clarke told me he found Panetta's words "chilling." Panetta's descriptions of how a well-calculated cyber assault could cause power grids to fail and stay down, derail trains, and create chaos in financial markets are all scenarios that Clarke wrote about in Cyber War: The Next Threat to National Security and What to Do About It.
"I think when the secretary of defense says to the public that we are in a pre-9/11 moment, we have vulnerabilities and we know that there are people out there getting ready to use those vulnerabilities, we'd better wake up and smell the coffee," Clarke told me.
Both Clarke and Panetta noted a recent attack (which the former attributed to agents of Iran) that erased data and killed hard drives on 30,000 corporate computers of Saudi Aramco, the Saudi state oil company.
"They then started bombarding U.S. banks and knocking off the publicly facing Web pages of big U.S. banks by flooding those Web pages. What if, instead of flooding the Web pages of our banks, they were able to get into the banks and erase the hard drives on all the devices on a bank network? You talk about financial chaos, that's one way to start it," Clarke told me.
That's scary on a national level, but I remain frightened by a more localized form of chaos.
Like the pandemonium that would result if we didn't know when Peco would restore power. Or if the gas lines in the Garden State weren't temporary. And imagine if our ATMs stopped spitting out 20s and the local Acme had its food deliveries interrupted.
The discomfort experienced after Sandy (and still being felt) is tempered by the realization that it will soon end. A cyberattack that dismantles, not interrupts, a power grid would not provide any light at the end of the tunnel.
Clarke laments that the subject wasn't raised during the two-year presidential campaign. I asked him to frame a debate question he wished had been asked:
"If there were a massive cyber war attack on our infrastructure tonight on the electric power grid, on the train systems, on the banking systems, who is in charge? What could they do? What legal authority do they have? What plan do they have? And if the answer to that, Mr. President, is you don't have much, why don't you?"
Clarke believes that we are vulnerable, in part, because within our government there is no one clearly in charge - "no one who has the legal authority to defend the private sector." The private sector is reluctant to have government monitoring its networks or telling it to add certain features, Clarke noted, and is thus left to defend itself.
Which explains why Panetta is pushing Congress to set "new standards at critical private-sector infrastructure facilities - like power plants, water treatment facilities, and gas pipelines - where a computer breach could cause significant casualties or economic damage," as the New York Times reported.
Last summer, a group of Senate Republicans cited the objections of business interests, including the U.S. Chamber of Commerce, as they blocked a cybersecurity bill championed by the White House and national security officials (including some who had served under George W. Bush). Those business pressures, coupled no doubt with a reluctance to rock any boats during an election year, prevented any movement toward legitimate action - despite the exponential increase in cyberattacks on U.S. networks over the last few years.
A few months later, perhaps the dual impact of the election and Sandy will cause reconsideration.