The recent terrorist attack in Kenya, which left at least 67 people dead, including Kofi Awoonor, celebrated Ghanaian diplomat, poet and ambassador, appears to be typical of the terrorist operation in the second decade of the 21st century. Get a bunch of dedicated people together, plan an operation, execute it with, as they used to say, "maximum prejudice," and get publicity and funding and new recruits for the cause. This approach has gained recruits from Afghanistan, Iraq, Central Africa and, apparently, the United States, based on reports of Americans among the terrorists in the mall in Nairobi.
Yet at the same time, we know that it would not take a whole lot to, say, take out a refinery in the Houston Ship Channel, or even to bring down the electric grid in the 11 western states. Recently, I had a discussion with three of the smartest cybersecurity experts I know, people who are responsible for several large electric utilities' cybersecurity. I proposed to them an exploit I came up with a long time ago to do exactly that, shut off power to the 11 western states (and probably western British Columbia), and I asked them what they thought. Was it far-fetched or plausible?
Plausible, they said immediately. Very plausible. And it would keep the power off for perhaps as long as two years. A lot can happen in two years and, if we're talking about two years without power, most of it isn't good.
Here's another scenario. The Federal Aviation Administration (FAA) maintains a series of Traffic Control and Route Control centers at various places in the United States. They have minimal security. I know because I've been to several recently. They also have chillers, generators and systems to keep the FAA computer network up and running. They're very much like a special-purpose data center. Because they have rotating machinery connected to control systems, they're all open to the Aurora vulnerability or to some modified descendant of the Stuxnet exploit.
I think we may have dodged this bullet so far because the terrorists are going through regional and generational change. In Somalia, it is still easy to hand out Kalashnikovs and high-capacity magazines to suicide terrorists. The Somali al Qaeda affiliate is working with strong backs and untutored troops.
This doesn't have to be so. In the United States, Canada and Europe, the terrorists have shown themselves to be clearly cyber-aware, moving money, communicating and organizing through cyberspace as easily as through the desert in Afghanistan or Africa. The younger leaders think immediately of cyber as a means to destabilize the West.
It is highly unlikely that another 9/11-style attack could happen here, now. It's not likely that we would have the kind of terrorist attack that happened in Nairobi. What is likely is that the terrorists will move to cyber attacks and combinations of cyber and physical assaults.
We can't prevent that kind of attack entirely. We can, however, make it hard to do, costly and very difficult to pull off successfully. In the final analysis, it may not matter to the global financial markets what happens in Afghanistan or other places, but it matters a great deal to the global economy if the economy of North America or Europe is destabilized by a significant terrorist attack, such as those I've been talking about.
Shutting down major portions of the electric grid and the air traffic control infrastructure would very clearly be sufficient to destabilize the economy. It might even destabilize the political infrastructure as well.
We need to remain vigilant and continue to upgrade our cyber and physical defenses. Otherwise, the terrorists may decide that they can afford to hit us here, and hit us as hard as they have that shopping mall in Nairobi.