WASHINGTON, DC—For years, the government and security experts have warned of the looming threat of “cyberwar” against critical infrastructure in the US and elsewhere. Predictions of cyber attacks wreaking havoc on power grids, financial systems, and other fundamental parts of nations’ fabric have been foretold repeatedly over the past two decades, and each round has become more dire. The US Department of Energy declared in its Quadrennial Energy Review, just released this month, that the electrical grid in the US “faces imminent danger from a cyber attack.”
So far, however, the damage done by cyber attacks, both real (Stuxnet’s destruction of Iranian uranium enrichment centrifuges and a few brief power outages alleged to have been caused by Russian hackers using BlackEnergy malware) and imagined or exaggerated (the Iranian “attack” on a broken flood control dam in Rye, New York), cannot begin to measure up to an even more significant cyber-threat—squirrels.
That was the message delivered at the Shmoocon security conference on Friday by Cris “SpaceRogue” Thomas, former member of the L0pht Heavy Industries hacking collective and now a security researcher at Tenable. In his presentation—entitled, “35 Years of Cyberwar: The Squirrels Are Winning”—SpaceRogue revealed the scale of the squirrelly threat to worldwide critical infrastructure by presenting data gathered by CyberSquirrel 1, a project that gathers information on animal-induced infrastructure outages collected from sources on the Internet.
Thomas sought to dispel what he called the “FUD” around cyber-attacks on critical infrastructure, citing dire predictions from a number of sources, including “the pre-eminent infosec expert Ted Koppel” (whose recent book, Lights Out, focuses on the vulnerability of the power grid). And with government officials such as the Federal Energy Regulatory Commission Chairman Cheryl LaFleur declaring that “one [successful cyber attack] is too many,” SpaceRogue likened the government’s posture to the Cheney Doctrine, also known as the “One-Percent Doctrine.” As Thomas explained, that doctrine is “if there’s a one percent chance of something occurring, we must employ 100 percent of our resources to prevent it. This is essentially [what happened with] Iraq, and we’re now applying it to cyber and equating cyber to nukes and [mutual assured destruction]. It really doesn’t work that way.”
That sort of stance is made even more unnerving by the fact that many of the cases where “cyber” has been attributed to incidents with energy infrastructure turned out to be false alarms. Even in the few cases where a network intrusion resulted in disruption of the electrical grid—specifically in Ukraine, where two attacks caused power outages—the impact was relatively brief and was comparable to outages caused by other factors, Thomas noted.
To “counteract the ludicrousness of cyberwar claims by people at high levels in government and industry,” Thomas said, he launched CyberSquirrel1. Inspired by a presentation at Thotcon by Josh Corman (now the director for Cyber Statecraft at the Atlantic Council) and Jericho of Attrition.org, SpaceRogue started CyberSquirrel1 initially as a Twitter feed on March 19, 2013. The account simply “collected from a Google alert for news,” he said. But it soon evolved into a much larger data gathering effort, collecting from search engines and other Web sources to populate a spreadsheet. Jericho joined in to enhance the data set the next year, adding more details and events—but even so, Thomas noted that he was only catching a fraction.
Squirrels are not the only “actors” tracked by CyberSquirrel1—birds, snakes, raccoons, rats, and martens factor in among the top animal threats that have been captured by the project’s spreadsheet. Jellyfish have even gotten into the act, shutting down a nuclear power plant in 2013. CyberSquirrel1’s data so far has tracked “over 1,700 outages, affecting nearly 5 million people,” Thomas noted. “If you consolidated them into one location, it would basically take out the power for the San Francisco metropolitan area for two months.” Shockingly, there have even been eight deaths attributed since the tracking began to follow animal attacks on infrastructure—six caused by squirrels downing power lines that struck people on the ground.
As of January 8, even if you count the Ukraine attacks still not firmly attributed to Russia, even frogs (with three outages) have more successful attacks on power grids than state actors. Squirrels worldwide, however, are the clear cyberwar leaders: 879 successful attacks against infrastructure. There’s also that swan that performed the denial of service attack on a train in the UK on Friday, January 13—truly showing the breadth of the animal kingdom’s toolbox.