CNBC25: Rebels, Icons and Leaders

Cyberwarfare: Protecting 'soft underbelly' of USA

John Torrisi

A small-scale city in New Jersey has suffered from repeated electrical grid failures, train derailments, and water purification problems. However, the problems aren't keeping visitors away. In fact, they're the reason the micro-city exists in the first place.

CyberCity is a miniature city, measuring 6 feet by 8 feet, with a host of real-world problems. The U.S. military uses it to teach its cyberwarriors how to defend American cities and military bases from attacks.

Ed Skoudis, a SANS Institute instructor, stands over a 1:87 scale miniaturized city used to teach U.S. Army and Air Force cyber warriors how to defend industrial control systems from cyber-attacks. The small city features real-world infrastructure systems, including electrical power distribution, as well as water, transit, hospital, bank, retail and residential infrastructures.
Source: SANS Institute

CyberCity uses many of the same small versions of the industrial control systems that are used throughout the industrialized world to run everything from power grids to factories. And those real-world systems, experts told CNBC, are extremely vulnerable to attack.

"From a military perspective, [these systems] are the soft underbelly of the country and any other countries out there," said Ed Skoudis, a SANS Institute instructor and NetWars CyberCity director. "So we need to be able to defend it, and we also need to be able to attack it."

Read More The US jet fighter that can do it all—maybe

To replicate this threat, Skoudis and the SANS Institute built CyberCity using Supervisory Control and Data Acquisition (SCADA) systems from Rockwell Automation's Allen-Bradley unit, Siemens, and Phoenix Contact. SANS picked the companies because they collectively control 80 to 90 percent of worldwide market share for SCADA systems.

CyberCity is used to simulate a number of different nightmare scenarios, including attacks on power generation and water filtration facilities.

"The vulnerabilities are real, so theoretically...any attack with the intention of taking down large portions of the grid could be successful," said Jeffrey Carr, CEO of Taia Global and author of "Inside Cyber Warfare: Mapping the Cyber Underworld." " I think the only thing that has protected that from happening today is there is no one with the ability to do it that also has a reason to do it."

Read More The man with the Pentagon checkbook

In one of CyberCity's scenarios, an attack manipulates the human control interface of a water treatment plant. The attack alters the control interface to make the water appear dirty, when it is actually clean. If the problem is not identified, then the human operator could, say, ruin the water supply by adding chemicals to correct a non-existent problem.

Based on those and other perceived threats, current and former government officials have warned in the past of a "Cyber Pearl Harbor" or a "Cyber 9/11," where critical U.S. infrastructure is knocked out in a war with a state or terrorist organization.

On the Front Lines: Protecting Secrets

"There's no issue that has become more important, more rapidly, that is less understood than cybersecurity," said Peter Singer, director of the Center for 21st Century Security and Intelligence at the Brookings Institution and author of "Cybersecurity and Cyberwar: What Everyone Needs to Know."

A January Pew Research poll found that 70 percent of Americans fear cyberattacks from other countries. They fear attacks from Islamic extremist groups, like al-Qaeda, even more. The poll found that 75 percent are afraid of such an attack.

The costs of cyberattacks are also real. A first-of-its-kind study released late last year by the Center for Strategic and International Studies, a Washington-based think tank, estimated that cybercime and cyberespionage cost the U.S. economy more than $100 million annually.

Read More The List: CNBC First 25

Ninety-seven percent of Fortune 500 companies report having had their systems infiltrated, and nine new pieces of malware are discovered every second. The question is whether these operations were simply criminal acts or have escalated to cyberwarfare.

Security experts told CNBC that policy makers and business leaders responsible for adopting and implementing security protocols still do not fully comprehend the threat.

"I was speaking with a parliamentarian from a NATO ally ,and I quickly realized over the course of the discussion that everything he knew about cyberattacks was from the movie 'Die Hard 4,'" Singer said. "We have focused more on the Hollywood style versus the much wider impact."

Read More The Next Cyber War Is Already in Progress: Security Expert

Militaries around the world are building their cyberwarfare capabilities—both defensive and offensive. According to Singer's research, more than 100 nations now have a cybercommand or a special military unit assigned to fighting and winning wars in cyberspace.

The Cyberbattlefield:

There's a great deal of debate among cybersecurity experts and academics on whether any nation has actually engaged in cyberwarfare. That's largely because cyberwar and even cyberbattlespaces are still largely undefined. Although experts acknowledge that nations have engaged in both defensive and offensive operations, they are split on whether these activities meet the definition of warfare.

"'Cyberwar' is a term that is a good illustration of how far we have to go in our understanding, because it is used to describe all sorts of different things that are really not war," Singer said.

Read More Inside a Cyber War Room: The Fight Against Hacking

The rules of engagement for cyberwarfare are still largely undefined as well. In 2013, NATO released the Tallinn Manual, a non-binding study on how international law applies to cyberwarfare.

The absence on any legal definition of cyber warfare has left cyber security experts divided on whether high-profile cyberoperations, such as the Stuxnet virus that hit Iran in 2012, or the 2007 Internet outage attacks on Estonia, constitute cyberwarfare.

"Cyberwar does not exist and has never existed. It's not to say that 25 years from now, it may evolve to that. Who knows what the future will hold, but traditionally, nations cannot engage in warfare without there being a kinetic element to it," said Taia Global's CEO Carr.

—By John Torrisi, special to