Share A LinkedIn icon Share by linkedin An email icon Share by email

KEY POINTS A cyberattack of devastating proportions is not a matter of if, but when, numerous security experts believe.

Almost 40 percent of all industrial control systems and critical infrastructure faced a cyberattack at some point in the second half of 2017.

Many companies are still running critical infrastructure on Windows XP and other platforms that are unpatchable — meaning they can't be updated for vulnerability and bug fixes.

A view of the power lines as evening settles. David McNew | Newsmakers | Getty Images

A cyberattack of devastating proportions is not a matter of if, but when, numerous security experts believe. And the scale of it, one information security specialist said this week, will be such that it will have its own name — like Pearl Harbor or 9/11. "The more I speak to people, the more they think that the next Pearl Harbor is going to be a cyberattack," cybersecurity executive and professional hacker Tarah Wheeler told a panel audience during the Organization for Economic Cooperation and Development's (OECD) annual forum in Paris. "I think that the most horrifying cybersecurity attack is going to have its own name and I think it's going to involve something more terrifying than we've thought of yet." Wheeler is CEO and principal security advisor at Red Queen Technologies, a cybersecurity fellow at Washington, D.C.-based think tank New America, and former cybersecurity czar at multinational software firm Symantec. Explaining her premonition, Wheeler pointed to vital health and transport infrastructure she described as grossly under-protected. "I think about the fact that most American healthcare technology is secured, if at all, with ancient, crumbling security infrastructure. I think of planes full of people, the kind of infrastructure that protects flu vaccinations. I think about fertility clinics losing years' worth of viable embryos," she said, stressing that people are not paying attention to that crumbling infrastructure.

Critical infrastructure and industry

Wheeler is not alone in her apocalyptic outlook. Not a single report from technology companies and researchers in this field claims that the cyberthreat environment is becoming less hostile or less significant. The World Economic Forum's (WEF) Global Risks Report 2018 names cyberattacks and cyber warfare as a top cause of disruption in the next five years, coming only after natural disasters and extreme weather events. "In a worst-case scenario, attackers could trigger a breakdown in the systems that keep societies functioning," the report said. Industry and critical infrastructure like power grids and water purification systems could be potential targets for hackers, whether they are small groups or state actors.

Retired Admiral James Stavridis, who served as NATO Supreme Allied Commander for Europe, echoed these warnings in a prior interview with CNBC: "We're headed toward a cyber Pearl Harbor, and it is going to come at either the grid or the financial sector... we need to think about this cyberattack as a pandemic." Artificial intelligence-focused security firm BluVector reported in February that almost 40 percent of all industrial control systems and critical infrastructure faced a cyberattack at some point in the second half of 2017.

Unpatchable devices and the internet of things

Companies and governments aren't doing enough to protect these systems, Wheeler said. "The inevitability is based in the easy access to the kinds of exploits that still work 10, 15, 20 years after they've been revealed," she said, noting that there are still companies running critical infrastructure, including health infrastructure, on Windows XP and other platforms that are unpatchable — meaning they can't be updated for vulnerability and bug fixes. Many internet of things (IOT) devices, she described, are unpatchable by design.

A message demanding money is seen on a monitor of a payment terminal at a branch of Ukraine's state-owned bank Oschadbank after Ukrainian institutions were hit by a wave of cyber attacks earlier in the day, in Kiev, Ukraine, June 27, 2017. Valentyn Ogirenko | Reuters

IOT, which has been described as "merging physical and virtual worlds, creating smart environments" through devices connected to the internet and that communicate with one another, represents a whole new level of vulnerabilities. And cybercriminals have an exponentially increasing number of potential targets, the WEF report said, "because the use of cloud services continues to accelerate and the internet of things is expected to expand from an estimated 8.4 billion devices in 2017 to a projected 20.4 billion in 2020." The chief executive of defense firm Raytheon International, John Harris, recently called cyberattacks the "single biggest threat to global security," adding that "the more we are connected, the more we are vulnerable."

Listen to the hackers

But Wheeler didn't specify who would likely be behind such acts, stressing that the nature of cyber warfare is asymmetric — and while there are state actors with hostile intentions, cyber weapons are accessible to just about anyone with the skills to deploy them. What's needed, Wheeler stressed, is "sensible, deep, not broad, cybersecurity regulation that has teeth." She urged the private sector to listen to its "early warning system" — what she called the information security community, or hackers — rather than criminalizing their activity. Industry experts have encouraged best practices and a greater awareness of the threats across the public and private sectors, and call on both sides to improve collaboration.

The unprecedented global cyberattack has hit more than 200,000 victims in scores of countries, Europol said on May 14, 2017, warning that the situation could escalate when people return to work. In Britain, the attack disrupted care at National Health Service facilities, including The Royal London Hospital, part of the largest NHS Trust in England. Niklas Halle'n | AFP | Getty Images