The U.S. now likens cyberattacks to terrorism. Here's what that could mean

The FBI director calls this a 9/11 moment. Cyberattacks on meat processing, oil pipelines, hospitals and power plants have the U.S. government likening computer crimes to terrorism. A new book asks how we got here and how might we escape this growing threat to our digitally vulnerable world.

Recent digital attacks targeting pipeline, hospitals and meat processors may bring new resolve to Washington

A suspected Russian criminal attack on a U.S. pipeline caused gas shortages last month. Biden warned that Russia is especially vulnerable to oil and gas cybattacks. (Jonathan Drake/Reuters)

The director of the FBI compares this moment to 9/11: A time of reckoning about a threat that's increasingly proven its ability to destabilize society.

He's referring to cyberattacks.

Recent digital ransom attacks have accelerated an acknowledgment in Washington that the current trajectory is untenable. 

That's after meat plants were shuttered temporarily including in Canada this week; after cars lined up at empty U.S. gas stations when a major pipeline was hacked. 

A hacker recently tampered with chemical levels at a water-treatment plant in Florida. Nuclear and other power facilities, voting systems, political parties, hospitals and governments have all been compromised.

"This is our new normal," said Nicole Perlroth, a cybersecurity reporter at The New York Times and author of a new book on the history of cyberattacks.

Unless governments start taking the threat more seriously, she said in an interview: "This is only going to keep happening." 

The issue appears on the U.S. political agenda now.

U.S. lawmakers next week will grill the CEO of Colonial Pipeline, the company at the centre of a recent cyber attack, at two separate hearings in the House and Senate. The Justice Department has labelled the threat as on par with terrorism.

U.S. President Joe Biden intends to raise hacking in his first meeting with Russian President Vladimir Putin later this month.

The U.S. is fuming at Russia for providing a safe haven for hackers. The countries' leaders will have their first meeting as heads of government on June 16 in Geneva. (Alexander Natruskin/Reuters)

The Biden administration is also reportedly mulling cyberattacks of its own against Russians, enraged at ransomware attacks from that country.

Yet Americans must weigh such attack plans against the reality that in a tit-for-tat exchange, their highly connected nation is as exposed as any on Earth and filled with potential targets for reprisal.

Meanwhile international talks are inching along at the United Nations toward a so-called digital Geneva Convention — a global pact on what cybercrimes must be off-limits. 

That effort remains a long way off and human rights groups are wary of the Russian-led initiative, fearing authoritarian governments might use it to crack down on political dissent.

Perlroth's new book, This Is How They Tell Me the World Ends, explores two key questions: How did we get here? And where do we go next?

How a market was born

It begins with programmers in the 1990s who hacked as a hobby, probing software for security flaws and trying to alert companies.

They were treated as a nuisance or worse by companies like Microsoft that resented their products being picked apart.

Eventually, an entrepreneurial Texan had an insight: Why not monetize this work? 

Reporter Nicole Perlroth's book chronicles how computer hacking grew into an industry that involves programmers, spy agencies and criminals. (Christian Högstedt/Courtesy Nicole Perlroth)

John Watters bought a cash-strapped tech company and began paying hackers for what they discovered in the early 2000s, then published their findings in security reports he sold to corporate clients.

A market was born. 

It involved a brand new commodity, the discovery and sale of so-called zero-days — software flaws that allow intruders to inflict damage with zero warning.

Intelligence agencies came calling. Perlroth writes that deep-pocketed buyers affiliated with the U.S. government transformed the market.

Zero-days Watters once bought for $400 were suddenly going for $150,000 to U.S. government contractors; employees at the National Security Agency were quitting government jobs and doubling their annual salary by selling just one hack.

WATCH | The rising cost of a ransomware attack: 

The rising cost of a ransomware attack

3 years ago
Duration 2:09
Organizations hit by a ransomware attack face a plethora of encrypted data and a hefty price tag to retrieve it. And many find that whether they pay the ransom or not, the attacks are extremely costly.

The power of military cyberweapons came to public light in a 2010 attack on an Iranian uranium plant that slowed Iran's nuclear program.

Foreign states and criminal gangs awoke to the possibilities of stockpiling zero-days. Unknown buyers were now offering hackers multimillion-dollar paydays.

'This would only end badly'

Perlroth's book describes a hacking conference in Vancouver a decade ago where one NSA veteran scanned a room filled with attendees from all over the world and shook his head, realizing that the United States was about to lose control of weapons it helped create.

"This, the man told himself, would only end badly," she writes.

Catastrophe struck a few years later, in the aftermath of the public revelations by Edward Snowden of the NSA's programs. 

Suspected Russian hackers dumped online the NSA's stockpile of zero-days, which have since been used around the world in countless criminal attacks.

The 2017 WannaCry attack, for example, using the NSA's tools knocked hundreds of thousands of computers offline.

Criminals demanded ransom payments and disrupted hospitals in Britain, numerous government offices and companies in 150 countries, in sectors including automobiles, rail, and package-delivery.

A number of hospitals have also been hit. The Hollywood Presbyterian Medical Center in L.A., seen here, paid $17,000 in ransom after its database crippled was crippled in 2016, forcing doctors to rely on phones and fax machines. (Mario Anzuoni/Reuters)

The economic damage from cyberattacks had already far surpassed the economic toll of terrorism, Perlroth writes.

A 2018 paper from the Rand Corporation think-tank estimated cyberattacks had already cost the global economy trillions of dollars.

Fuming at Moscow

U.S. officials fume that Russia has given cybercriminals carte blanche to operate on its soil, even using them as allies against the West.

Putin has compared Russian hackers to talented artists

Perlroth's book says Putin laid down two rules for Russia's hackers: First, no attacks against Russians, and second, when the Kremlin asks for a favour, do it.

WATCH | Cyberattack targets major U.S. pipeline:

Cyberattack targets major U.S. pipeline

3 years ago
Duration 2:04
One of the worst cyberattacks on American infrastructure will keep a pipeline from Texas to New Jersey shut down for several days. Officials blame a criminal gang known as DarkSide.

An official who led cybersecurity operations for the Obama White House said in an interview that he recalls one ground-shifting moment in 2014.

It occurred even before attacks on the U.S. election, which the Mueller report blamed on the Russian government.

As U.S.-Russia tensions escalated after the invasion of Ukraine in 2014, American officials found Russian hackers in numerous federal networks, says Michael Daniel.

An unusual thing happened when American IT kicked them off the networks: Instead of hiding their tracks and disappearing, they kept popping up.

Revelations by Edward Snowden about NSA hacking triggered protests including this one from a pro-China party in Hong Kong in 2013. By 2017, the NSA's hacking tools were stolen and dumped online for use by criminals and other nations. (Bobby Yip/Reuters)

"They came back. And they contested control of the network," says Daniel, now president and CEO of the Cyber Threat Alliance, who was the White House cybersecurity coordinator from 2012 to 2017.

"[They] were willing to be upfront and brazen in a way we had not seen before. And that was very much a signal that I think that things had changed." 

What's next

So what now?

A recent U.S. ambassador to Russia, Michael McFaul, says don't expect much from the Putin-Biden summit on June 16. He says the Russian leader has no interest in better relations with the West. 

On the domestic front, Biden issued executive orders this month aimed at upping America's cybersecurity game.

One on May 12 calls for changes in federal contracting so that companies doing business with the U.S. government abide by stricter security protocols like two-factor authentication, use cloud storage, and keep records for every login.

WATCH | Concerns hackers are trying to disrupt COVID-19 vaccine supply chain: 

Concerns hackers are trying to disrupt COVID-19 vaccine supply chain

3 years ago
Duration 2:00
There are growing concerns that hackers are targeting the COVID-19 vaccine supply chain with the intent of disrupting the rollout once the vaccine arrives in Canada.

It also created a digital equivalent of the National Transportation Safety Board: as the NTSB investigates plane crashes, the new Cyber Safety Review Board would review computer incidents.

Cryptocurrency is another concern.

Calls for reform are zeroing in on cryptocurrency, represented in this image. Critics say anonymous transactions are being abused by criminals and must be regulated. (Dado Ruvic/Reuters)

Multimillion-dollar ransoms are being paid in digital currencies not subject to the same identity disclosure and money-laundering requirements as standard financial transactions.

Daniel wants new rules for cryptocurrency transactions. That's one of 50 recommendations from a ransomware report he participated in drafting. 

Perlroth says she's frustrated that people are slow to run software updates. After the NSA weapons were unleashed in 2017, for example, software companies released updates; she says too many people failed to download the patches.

She wants the U.S. Congress to pass new laws making cyber-hygiene a requirement for companies. 

What's causing sleepless nights

She also urges more funding for research like the Pentagon-supported program studying the design of new microchips that stop suspicious code from spreading.

Her book says covering cyberwarfare has caused her numerous sleepless nights. Asked what sort of attack keeps her awake, she says it's not just one thing, like signs of hacking into voting systems and computers at nuclear plants.

It's everything. 

At the very moment she sat for an interview with CBC News last week, she saw a headline pop up about a ransomware attack on the Nantucket Ferry.

Instead of a digital Pearl Harbor attack, she says, we're witnessing a slow-rolling plague: theft of intellectual property, public agencies paralyzed, infrastructure, even democracies, more vulnerable.

"What else is left?" she said.


Alexander Panetta is a Washington-based correspondent for CBC News who has covered American politics and Canada-U.S. issues since 2013. He previously worked in Ottawa, Quebec City and internationally, reporting on politics, conflict, disaster and the Montreal Expos.