Tech
Cyberattack Nightmare Looms Due to Software Flaws
The CrowdStrike incident was a small taste of the systemic risk posed by the widespread use of easily hacked, bug-ridden software in our critical infrastructure.
Our healthcare, transport network, power grid, and entire financial system run on Windows, Mac, and Linux—software that was never designed to secure and reliably maintain such vital applications. In the hands of our adversaries, our critical infrastructure becomes a weapon of mass destruction, exposing America’s homeland to the risk of devastating attacks.
While the CrowdStrike bug was not malicious, the damage caused by one company’s mistake should prompt us to consider the ramifications of a major cyberattack on U.S. infrastructure. Such an event would eclipse any attack in our country’s history, potentially resulting in a disaster of unimaginable consequences that could send our society back to the 19th century.
Software vulnerabilities in the critical infrastructure we rely on for energy, clean water, and healthcare are a ticking time bomb for U.S. national security. In May, the EPA warned that over 70% of American water systems were vulnerable to cyberattacks. FBI Director Christopher Wray said in January that China is targeting American water treatment plants, pipelines, and the power grid to “wreak havoc” in the U.S.
“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if and when China decides the time has come to strike,” Wray told lawmakers during testimony before the House Select Committee on the Chinese Communist Party. “They’re not focused just on political and military targets. We can see from where they position themselves across civilian infrastructure that low blows are just a possibility in the event of a conflict; low blows against civilians are part of China’s plan.”
Critical infrastructure systems such as the power grid and water treatment plants become weapons of mass destruction when connected to the Internet with vulnerable software. A cyberattack could disable the power grid, dangerously alter the chemical balance of our drinking water, or take down our hospitals, potentially causing millions of casualties.
This threat is a matter of when, not if. We must urgently replace the vulnerable, commercial-grade software controlling these systems with secure, unhackable software like that used to safeguard our nuclear forces.
I have spent forty years developing software for the world’s most safety-critical applications, including nuclear bombers, fighter jets, and commercial airliners. Nuclear-grade software is a different ball game, and our government rightly demands incredibly high standards for the software that runs on our warplanes and keeps our nuclear weapons safe. Secure and reliable software exists, and we must demand that only secure and reliable software be used in the systems our lives depend on.
It is high time we recognize the risk of a cyberattack on our critical infrastructure and apply those rigorous standards to the software controlling the fundamental needs of our society.
By failing to apply the software security standards demanded for nuclear systems to critical infrastructure, we have sown our country with weapons of mass destruction, leaving the launch codes lying around for any proficient hacker to access.