To live in the information age is to live on the brink of conflict. Increasingly, it seems, Americans are coming to terms with this idea: the forever cyber war. But this awareness, a back-of-mind sort of static, hasn’t come to the fore of public debates about national security, much less the presidential election. This silence is in part because the screaming headlines rule the day, and there are few cybersecurity specialists both loud and respected enough to compete. John McAfee, the cybersecurity influencer and founder of McAfee Associates, is one of them — and he’s not afraid to yell himself hoarse.
“There is a cyber war looming on the horizon, which will be many times more devastating than any imaginable nuclear war,” John McAfee tells Inverse. “We will be back in the Stone Age.”
A half-century ago, as the nuclear threat loomed large, civilians knew where fallout shelters were, how many iodine pills to take, and how to hide under their desks. Today, Americans are more concerned about cyberattacks than ballistic missiles, but, because there is no real consensus on what a massive cyberattack could look like, there is no cultural imperative to prepare. And no wonder: while some experts spin apocalyptic prophecies — the more grandiose the vision, the greater the screen time — others point to the finite impacts of targeted assaults on discrete weaknesses. As it stands, the only way to make sense of the borderline ridiculous civilian conversation about national cybersecurity is to contextualize the rhetorical warnings that make headlines within the context of the concerns that don’t.
Like many libertarians, McAfee, now the first presidential candidate of the Cyber Party, believes “the purpose — the prime purpose — of government has to be national defense.” And national defense, he says, constitutes preventing “foreign incursions of every kind.” Given our status as the world’s foremost superpower, McAfee suggests that the most harmful incursion is likely to come in the form of a cyberattack. The outcome, he says, could be dire.
China employs “some of the smartest programmers on the planet,” McAfee says. So, if they choose to use their cyber arsenal, America won’t just be inconvenienced. A smart assault would “shunt our power back and forth from one substation to another, burning out this one, the next one, and the next one, until, finally, we have nothing left but cinders.”
McAfee describes one nation, united in darkness. “We’ll burn through all of our oil first, to keep our generators running, but that’s not going to last forever. We’ll have no communications — none — with anybody.” Emergency services will disappear — “What do you do, send a carrier pigeon?” — and food distribution, which is “one-hundred-percent controlled by computers,” will likewise cease. We’ll be whisked back to the nineteenth century, and most will be unable to subsist.
That’s why he’s running for president, he says: “I don’t see anybody else even looking at the frigging problem.”
Mike McNerney and Chris Finan have devoted their lives to looking at the frigging problem. They both founded and now run cybersecurity startups — Efflux Systems and Manifold Technology, respectively — but, before that, they worked for the government, crafting policy and doing vital research. McNerney spent time in the Pentagon and Finan in the White House, but within their collective resume you’ll find names such as the National Security Council, the National Security Agency, the Defense Advanced Research Projects Agency, and the Department of Defense. They agree with McAfee that the situation is dire.
And they’re not alone: McNerney says McAfee’s premonition is, for defense officials, the “nightmare scenario.” Finan says it “kept people in the administration up at night.” However, both argue that the story is, in a sense, lacking crucial footnotes. Finan dismisses the word ‘cyberattack,’ for instance, because it “conjures up the Hollywood, Michael Bay–type event.” The conversation, if it is to be productive, needs specificity. For starters, Finan explains, we should understand and explore the “very likely, realistic scenarios,” and not base our expectations on the ever-copious rhetoric.
The popular image of a cyberattack-induced meltdown — burning out substations — is, according to McNerney and Finan, overblown. But not by much. “Am I worried about large-scale intrusions, particularly those that could bring down, say, a critical infrastructure system? Absolutely,” Finan says. Anyone who’s not worried, he thinks, “has their head stuck in the sand.” He thinks it’s “a near certainty that, in the next five years, we’re going to see an event like that.” But disaster doesn’t necessitate complete catastrophe.
Though vulnerable critical infrastructure includes the stock exchange, the air traffic control system, nuclear power plants, water treatment systems, dams, and so on, the electrical grid remains, for many, most worrisome. “There’s no question: that’s very serious,” McNerney admits. “We absolutely do depend on it for life.” But, rationalist as he is, McNerney is quick to pinpoint how, precisely, an attack on the grid would look, and how each variation would have a different effect. “Our grid is very fragmented, and very old,” he explains. “That makes it easy to impact a part of the grid in a part of the country. But a sustained campaign to shut down the majority of the grid throughout the country: that’s extraordinarily difficult.”
The grid’s top layer, McNerney says — the software, the IT system — is relatively easy to compromise but very easy to fix. A simple patch can clear up a vulnerability in minutes. On the other hand, the bottom layer — the SCADA systems that control the hardware — would not be easy to fix. It’s also not easy to attack — though we’re doing little to protect it further.
A grid shutdown is not in and of itself that serious. Finan’s concerns, rather, are the “second-order effects.” Everything relies on the power grid. Hospitals, without sufficient backup generator power, would cease to function. Water would no longer reach upper floors in apartment buildings. Our military would remain functional for some time, but would undoubtedly be handicapped. A critical infrastructure exploit would hobble us, and in turn expose further, graver vulnerabilities.
And for that reason, we do need to be prepared for the worst. We need to understand that “nightmare scenarios” are possible, and that people like John McAfee, the harbingers of doom, are acting in the general interest when they go all Nostradamus on cable.
But we need not yet panic. “Threat is not just about intent,” McNerney explains. “It’s about capability and intent meeting at the same time. You have to think about who can do this to us, who would want to do that to us, and do those circles overlap at the same time.”
“We are living on a little bit of borrowed time,” McNerney admits. But, thus far, those circles have not overlapped. Some organizations, like ISIS — along with “less deterrable nation-states, like Iran and North Korea,” Finan adds — possess the intent but not the means; a few nation-state peers possess the means but not the intent. And even if the intent and capabilities did align, McNerney points out that the U.S. has “made it pretty clear” that retribution would be swift and not necessarily proportional. A virtual, cyber incursion does not limit the arena for retaliation.
“There would be hell to pay,” Finan says.
But incentives can change: in certain parts of the world, we’re flirting with chance. “If tensions were high in the South China Sea, or in Eastern Europe, you could envision something like this happening as a way to send a signal to us to back off.” McNerney acknowledges that capabilities, too, can change. More and more circles may start overlapping.
Finan, though jaded by congressional inaction, remains fervent. “I think people are going to die because we haven’t taken enough preventive action. And, unfortunately, I don’t think the political will is there, or will be there, until there’s a catastrophic event.”
McAfee and these experts agree on one fundamental point: we’re not prepared. “That’s the sad, sad reality of it,” Finan says. If the experts disagree about how best to discuss a cyber campaign’s potential ramifications with the public, they do not disagree about the question that should matter most to everyone in the public sector: What is the firewall?