What's your daily routine? Perhaps you roll over and scroll through your phone for a few minutes, ask Alexa for the weather, fire up satellite radio on your drive to work or use a credit card to purchase a train ticket, swipe a keycard at the office, and sign into a PC at your desk. You pay for lunch with Apple Pay, keep tabs on your home and pets via a security cam, and buy a few things on Amazon. At home, the kids watch Netflix or play Fortnite as a robot vacuum whirs nearby and you pay bills with a few taps on the iPad.

Most of us remember a time before these modern creature comforts. We made do with paper books, physical maps, landlines, and snail mail. But now, it's all but impossible to live a productive life without access to the internet, not to mention more vital resources such as electricity.

If any of these services were to go offline—briefly or for a long time—it could seriously disrupt our way of life and the economy, and our foreign adversaries know it. But it works both ways; every country with formidable cyber weapons is well aware that their foes are one extended power outage, ransomware crisis, or data dump away from chaos. Many, including the US, have already wormed their way deep into the critical infrastructure of their foreign adversaries. Russia has turned off the lights in Ukraine, the joint US-Israel Stuxnet operation messed with an Iranian nuclear facility, and North Korea crippled operations at Sony Pictures.

Still, nation-states have not yet approved the sort of attack that might signal the start of a formal cyberwar, in large part because a retaliatory strike could be worse. US policy changes at the top, however, suggest that might soon change.

The Brakes Are Off

In summer 2018, President Trump quietly reversed the Obama-era Presidential Policy Directive 20 (PPD-20). This wonky-sounding directive's demise gave the US government the authority to unleash on its enemies some of the most powerful cyber weapons at its disposal. As former National Security Director John Bolton put it at the time, "Our hands are not tied as they were in the Obama administration."

What this means exactly is classified. Even members of Congress aren't entirely sure what Trump's approach—dubbed National Security Presidential Memorandum 13 (NSPM 13)—actually allows the US government to do, and they're not happy about it.

In theory, NSPM 13 cuts the red tape. It "frees the military to engage, without a lengthy approval process, in actions that fall below the 'use of force' or a level that would cause death, destruction or significant economic impacts," according to The Washington Post, which cited anonymous individuals familiar with the policy.

Former National Security Director John Bolton (Photo by STR/NurPhoto via Getty Images)

The US is not rushing to turn the lights off in China or Iran, according to Bolton. NSPM 13 is "in our national interest—not because we want more offensive operations in cyberspace, but precisely to create the structures of deterrence that will demonstrate to adversaries that the cost of their engaging in operations against us is higher than they want to bear," he said.

US Cyber Command is ready to get cracking. "We cede our freedom of action with lengthy approval processes," the agency said in April 2018. "Our adversaries maneuver deep into our networks, forcing the US government into a reactive mode after intrusions and attacks that cost us greatly and provide them with high returns."

According to Bolton, NSPM 13 was used to target Russia's Internet Research Agency (IRA) ahead of the 2018 midterms. More recently, The New York Times reports that the US has placed "potentially crippling malware" inside the Russian electric grid both to send a message and to prepare for a strike should it be necessary, though that used authority granted in the defense authorization bill, not NSPM 13.

The US is no stranger to clandestine operations, particularly in cyberspace. The Stuxnet malware that hit Iran's Natanz nuclear facility was reportedly part of a much larger effort known as Nitro Zeus (NZ), which anonymous National Security Agency (NSA) officials described as a "science-fiction cyberwar scenario."

NZ infiltrated Iran's command-and-control systems, military air defense systems, and civilian support systems, including power grids, transportation, communications, and financial systems, as filmmaker Alex Gibney outlined in his Zero Days documentary about Stuxnet.

"We were inside waiting, watching, ready to disrupt, degrade, and destroy those systems with cyber attacks," officials told Gibney. "And in comparison, Stuxnet was a back-alley operation. NZ was the plan for a full-scale cyber war with no attribution."

NZ was reportedly a last resort—a way for the US to stop Iran in its tracks if it attacked Israel and started a real war. But it begs the question: What do our adversaries have planned for us?

The biggest threats are the usual suspects—China, Russia, Iran, and North Korea—and their goal is "to steal information, to influence our citizens, or to disrupt critical infrastructure," former Director of National Intelligence, Dan Coats, said in a January report to Congress.

Russia has already proven to be quite adept at the first two. It famously hacked the Democratic National Committee (DNC) during the 2016 presidential election, stealing emails from top officials and then releasing them through WikiLeaks. It also used social media to exploit political divisions and spread disinformation. There's no evidence Russia changed actual vote tallies, but "Russian activities demand renewed attention to vulnerabilities in the US voting infrastructure" as 2020 approaches, the Senate Intelligence Committee warned in July.

Dan Coats appears before the Senate Intelligence Committee (Photo: SAUL LOEB/AFP/Getty Images)

Russia and China also have their eyes on a much bigger prize: US infrastructure.

"Moscow is now staging cyber attack assets to allow it to disrupt or damage US civilian and military infrastructure," according to Coats. "Russia could disrupt an electrical distribution network for at least a few hours—similar to those demonstrated in Ukraine in 2015 and 2016. Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage."

China could "cause localized, temporary disruptive effects on critical infrastructure—such as disruption of a natural gas pipeline for days to weeks—in the United States." And Iran "could disrupt a large company's corporate networks for days to weeks," Coats said.

We've seen inklings of this for years. At the Black Hat cybersecurity conference this year, Microsoft warned that Russian state-sponsored hackers may be trying to spy on companies by hacking into vulnerable office Internet of Things (IoT) devices connected to corporate networks. Is that a paper jam, or has Moscow come knocking?

In early August, meanwhile, security firm Proofpoint revealed that emails impersonating the US National Council of Examiners for Engineering and Surveying were sent to three unnamed US companies in the utilities sector. Attached to the emails were Word docs full of malware that, once installed, could enable hackers to delete files, take screenshots, move and click mice, and more.

Proofpoint declined to place blame on any one entity but suggested it could "be the work of a state-sponsored APT [advanced persistent threat] actor based on overlaps with historical campaigns and macros utilized."

This came a few weeks after the Cybersecurity and Infrastructure Security Agency (CISA) within DHS warned about a "recent rise in malicious cyber activity" from Iran, which the US reportedly hit with cyberattacks in June after an Iranian intelligence group attacked oil tankers and drones in the Strait of Hormuz.

"Iranian regime actors and proxies are increasingly using destructive 'wiper' attacks, looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing," said CISA Director Christopher C. Krebs. "What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you've lost your whole network."
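One defender-side check that follows from Krebs's point, added here as an illustration rather than taken from the article or from CISA: a small classifier over constructed authentication log lines that separates password spraying (one source, many accounts, a try or two each) from single-account brute forcing, and flags a source whose success came after a run of failures, the "account compromise" he describes. The log format, thresholds and addresses are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the article). Simplified
# syslog-like format: timestamp, result, user, source address.
SAMPLE_LOG = """\
2019-08-01T09:00:01 FAIL user=alice src=203.0.113.7
2019-08-01T09:00:02 FAIL user=bob src=203.0.113.7
2019-08-01T09:00:03 FAIL user=carol src=203.0.113.7
2019-08-01T09:00:04 FAIL user=dave src=203.0.113.7
2019-08-01T09:00:05 FAIL user=erin src=203.0.113.7
2019-08-01T09:00:06 OK user=frank src=203.0.113.7
2019-08-01T09:10:00 FAIL user=admin src=198.51.100.9
2019-08-01T09:10:01 FAIL user=admin src=198.51.100.9
2019-08-01T09:10:02 FAIL user=admin src=198.51.100.9
2019-08-01T09:10:03 FAIL user=admin src=198.51.100.9
2019-08-01T09:10:04 FAIL user=admin src=198.51.100.9
2019-08-01T09:10:05 FAIL user=admin src=198.51.100.9
2019-08-01T09:30:00 FAIL user=alice src=192.0.2.44
2019-08-01T09:30:30 OK user=alice src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Turn log lines into (timestamp, result, user, src) tuples; skip junk."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groups())
    return events

def classify(events, min_accounts=5, per_account_max=2, brute_min=5, fail_min=3):
    """Return {src: [labels]} for sources that look hostile.
    'spray': many distinct accounts, few failures each (hypothetical thresholds).
    'brute': one account hammered repeatedly.
    'success_after_failures': a success from a source that already failed often.
    A real detector would also bound this by a time window; omitted here."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failures
    succeeded = defaultdict(set)                   # src -> users logged in
    for _ts, result, user, src in events:
        if result == "FAIL":
            fails[src][user] += 1
        else:
            succeeded[src].add(user)
    verdicts = {}
    for src, per_user in fails.items():
        labels = []
        if len(per_user) >= min_accounts and max(per_user.values()) <= per_account_max:
            labels.append("spray")
        if any(n >= brute_min for n in per_user.values()):
            labels.append("brute")
        if succeeded[src] and sum(per_user.values()) >= fail_min:
            labels.append("success_after_failures")
        if labels:
            verdicts[src] = labels
    return verdicts
```

The lone typo-then-login from 192.0.2.44 is deliberately left unflagged; the spraying source that eventually got in is the one worth paging someone about.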

US Insecurities

Complicating matters is the state of US infrastructure. We know about the potholes and crumbling bridges, but what about the gadgets and software powering critical systems?

"Most of the devices that run the world's infrastructure were never designed to be secure," Michael S. Rogers, former NSA Director and Commander of US Cyber Command, wrote in a July op-ed. "The world's critical infrastructure runs on dozens of obscure and old protocols, many of which are proprietary to a small number of manufacturers and difficult to parse."

Moreover, the military is still scrambling to assemble and staff up new cyber and electronic warfare units. Two recently activated Army units—the 915th Cyber Warfare Support Battalion based out of Fort Gordon, Georgia, and the Intelligence, Cyber, Electronic Warfare, and Space (ICEWS) unit—got up and running at an accelerated pace and are currently understaffed, according to an August Government Accountability Office (GAO) report.

As of March 2019, the 915th had filled only 30 of 171 authorized positions for fiscal year 2019; ICEWS had filled 110 of 199 positions, in part because the Army is having trouble convincing possible recruits to work for the military instead of taking cushy Silicon Valley positions.

"Army headquarters officials said they are exploring options to address the challenges and have taken steps to retain the personnel that they have, mostly in the form of retention bonuses and incentive pay," the GAO said. "Some of those incentives are targeted at the senior enlisted levels, which are some of the personnel that Army officials indicated are in the most demand and of which they have a shortage."

The Army will also need to staff new Electronic Warfare Companies and platoons scheduled to go into service between 2020 and 2025.

What Cyber War Might Look Like

"When it comes to critical infrastructure in cyberspace, defenders are in the dark without the benefit of night vision goggles," Rogers wrote. This was metaphorical, but we could find ourselves in actual darkness in the event of a major cyber offensive.

Last year, the Homeland Security Department called on the President's National Infrastructure Advisory Council (NIAC) to figure out what would happen during a catastrophic power outage. Who would be in charge? How long would we have until society collapsed?

The news was grim. The council—made up of senior executives from industry and state and local government who own and operate critical infrastructure—determined that our current plan is the bureaucratic equivalent of the shrug emoji. Emergency personnel have plans in place for natural disasters such as hurricanes, blizzards, and earthquakes, "but how emergency authorities would be implemented for cyber-physical events and larger-scale disasters is less clear," the report said.

A half-dark Times Square during July 2019 power outage (Atilgan Ozdil/Anadolu Agency/Getty Images)

"Existing frameworks do not identify who has ultimate decision-making authority or clearly define the roles to be undertaken by state, local, tribal, and territorial (SLTT) governments and the private sector during a widespread, multi-state catastrophic power outage that will require coordinated cross-sector, cross-government response," NIAC concluded.

The problem is one that vexes organizations of all sizes: teamwork and communication.

"Critical infrastructure owners and operators have limited visibility into how the federal government will manage an event of this size, and how the federal government will be working with the private sector to make critical resource decisions," the report said.

There's also a "lack of understanding" about how critical services fit together. "Hospitals and other mass care providers are often at the top on priority restoration lists, however, for example, some of the water and wastewater treatment facilities they rely on are not. Without working water or wastewater systems, hospitals are unable to function. There may even be a lack of understanding of which hospitals are the most critical to prioritize for restoration."

Moral of the story: Maybe add a generator and some fuel to your end-times bunker.

The New Normal

A cyber attack that results in a widespread blackout is the worst-case scenario and would likely be considered an act of war by the United States, which would respond in kind. So it's not surprising that North Korea and Russia go right up to the line but have yet to cross it.

"Adversaries continuously operate against us below the threshold of armed conflict," US Cyber Command says. "In this 'new normal,' our adversaries are extending their influence without resorting to physical aggression. They provoke and intimidate our citizens and enterprises without fear of legal or military consequences."

Just ask North Korea, which used ransomware to attack Sony Pictures in 2014 and released the WannaCry virus in 2017. Attribution for the Sony hack was somewhat obvious; it came in response to The Interview, a Sony Pictures movie that depicted a mission to assassinate Kim Jong Un. The US responded with sanctions.

President Obama discusses the Sony Pictures hack in 2014 (Photo by Leigh Vogel/WireImage)

For WannaCry, which infected hundreds of thousands of PCs around the globe, it was "hard to find that smoking gun," former homeland security adviser Tom Bossert said at the time. But US investigators say WannaCry used cyber tools and techniques that North Korean hackers have used in the past, usually through "intermediaries."

In September 2018, the Justice Department unsealed a criminal complaint against Park Jin Hyok, a North Korean citizen, for his alleged role in the Sony and WannaCry incidents, as well as for stealing $81 million from Bangladesh Bank in 2016. The charges are largely performative, however, as the man lives in North Korea and won't be extradited.

The money earned from these and other cyber attacks, approximately $2 billion over the past few years, has been used by North Korea to fund its weapons programs, according to a confidential UN report leaked to the press in August.

Financial organizations are a top target of ransomware campaigns: of the networks hit by ransomware file encryption in North America between January and June 2019, 38 percent were in the finance and insurance sector, followed by education at 37 percent, according to security firm Vectra. Government systems were third at 9 percent. Ransomware also serves as a geopolitical weapon: NotPetya, for example, is thought to be the work of Russia, which wanted to disrupt Ukrainian industries and government sectors but eventually hit industries around the world, resulting in US sanctions.

2015 WannaCry press conference in Hong Kong (Sam Tsang/South China Morning Post via Getty Images)

"The speed of NotPetya's spread was a wakeup call for security teams to generate and share threat insights faster," security firm IronNet said in June. "Cyber defenses today should employ near-real-time network traffic analysis [versus] likely outdated signature-based alerting systems. Advanced AI and machine learning are needed to help analysts keep pace with the speed of attacks, allowing quick threat identification and reaction."

That's the dream, but it helps if you don't let powerful cyber weapons fall into the hands of those who would use them against you—like the NSA tools that were dumped online a few years ago by a hacking group known as the Shadow Brokers, one of which hastened the spread of WannaCry. Today, it's a midsize US city locked out of its computer systems; tomorrow, it could be drained bank accounts, self-driving cars and assembly lines that go haywire, point-of-sale systems that can't process payments, and dwindling supplies of food and water.

And for all the help AI can provide in detecting cyber attacks, it can also be used to take a hack to the next level. As the World Economic Forum warned in June, AI-enhanced malware could "learn the nuances of an individual's behavior and language by analyzing email and social media communications." Messages written by this AI malware will "be almost impossible to distinguish from genuine communications," increasing the chance of people being duped by phishing scams. With AI, attacks will be faster, more targeted, and harder to detect.

On the world stage, "interactions between multiple advanced AI systems could lead to unexpected outcomes that increase the risk of economic miscalculation or battlefield surprise," according to former DNI Coats.

"We anticipate that all our adversaries and strategic competitors will increasingly build and integrate cyber espionage, attack, and influence capabilities into their efforts to influence US policies and advance their own national security interests," Coats says.

The big question: Is the US willing to attack first? Will NSPM 13 make scenarios like Nitro Zeus the new normal? It may be less costly to unleash malware on an adversary than to drop a bomb, but the US is not the only nation with powerful cyber tools. For now, though, the standoff continues.
