Power outages, bank runs, changed financial data: Here are the 'cyber 9/11' scenarios that really worry the experts

Key Points
  • It may be impossible to hedge against the next major cyberattack, but there are some lessons from recent history and some clues from the private sector on what may be the next devastating cyberattack. 
  • Many experts have warned for years about an impending "cyber 9/11," and despite a nearly endless list of scenarios, there are a few that are more likely than others. 
  • Attacks that spill into the physical world, those that cause a financial sector "contagion" or attacks on data integrity -- rather than theft or destruction -- are top-of-mind, frightening scenarios for experts. 
REUTERS/David Mdzinarishvili

For years, government security specialists have predicted the inevitable "cyber 9/11," an event originating as a digital attack that spills over into other aspects of society, causing widespread harm to people and the global financial sector.

Former NSA head Admiral Michael Rogers told CNBC last month that "nothing is beyond the pale of possibility" for cyberattacks.

Fear sells. So it can be hard to know what experts really fear might happen, versus hype meant to market a new cybersecurity product or service, or drum up attention on social media.

But there are some nightmare scenarios that have precedent. These are the scenarios that truly concern independent cybersecurity experts.

They fall into three common themes: physical attacks that shut off or damage some aspect of critical services, financial attacks that spin out of control and lead to bank runs, and hackers changing data in a way that erodes trust in the economy and critical institutions.

Knocking out basic services

Cyberattacks that cause major disruption to public services have happened many times in the real world.

Some of them are very old news, in fact. But it's easy to imagine how a similar attack could shut down basic services, like electricity or water, that affect millions of people.

In 2000, a disgruntled sewage treatment plant worker in Queensland, Australia hacked into his employer's industrial control system to unleash torrents of raw sewage onto public grounds, flooding the city's local Hyatt hotel. The perpetrator was sentenced to two years for the attack.

In 2007, the country of Estonia was subject to widespread outages in its entire telecommunications network, following a cyberattack stemming from a dispute with Russia over a military statue. The incident was so damaging, it led to a decision to place the North Atlantic Treaty Organization's Cyber Security organization in Tallinn, the country's capital.

In 2015, Ukraine's power grid had massive outages after a cyberattack — which some officials have attributed to Russia — two days before Christmas, during a cold snap. Around a quarter-million residents were left without power, but the outages only lasted a few hours before government agencies were able to restore service.

Major cyberattacks aimed at taking down official services don't need to be strictly nation-state sponsored or terrorist-backed. They can be strictly criminal in nature, or come from a malevolent backer under the guise of a criminal attack.

The NotPetya cyberattacks of June 2017, known by the name of the criminal ransomware-inspired computer virus behind it, were notorious for the real-world harm they caused to companies. In Germany, consumer goods-maker Reckitt Benckiser halted shipments of numerous products. Ships belonging to logistics giant Maersk were at a standstill, and the company later said it took a $300 million hit from the attack. In the U.S., a facility owned by Merck that makes the HPV vaccine Gardasil was shut down to such a big extent, the company had to borrow hundreds of millions of dollars worth of back-up vaccines stockpiled by the Center for Disease Control.

Power outages or water supply corruption are the most worrisome to Peter Beshar, general counsel for risk management firm Marsh & McLennan. Loss of electricity, he said, is just one piece of the greater risk for physical security stemming from a cyberattack.

"Utilities are one vital resource. But it's not just power, water is another type of utility. If all of a sudden, the quality of drinking water is called into question, and then manufacturers who rely on using untainted water for making drugs or food is called into question. That is a potential crisis," he said.

A financial-sector attack that triggers a run

Financial regulators often talk about the risk of "contagion" as a result of an attack on banks or institutions like the New York Stock Exchange. The fear is that a cyberattack could send customers rushing to banks in a panic to pull out funds. 

"When you have significant impact to financial systems and people can't get to their money, they can cause just as much duress to the system as a major network outage," said Jacqui McNamara, head of cyber security services at Australia's largest telecom, Telstra, at an Oct. 23 cybersecurity conference in Australia.

These scenarios are both possible and alarming enough that companies and private-sector organizations have spun up some huge projects to protect against them.

"Imagine a cross-cutting attack that just ripples through the financial sector," said Beshar. "If consumers couldn't get cash out of ATM machines, if credit cards weren't functioning, that would be very problematic."

One of those initiatives, Sheltered Harbor, is a not-for-profit subsidiary of the Financial Services Information Sharing and Analysis Center. It's got about 70 participants, including big names like Citi, Morgan Stanley and Goldman Sachs.

The purpose is to ensure banks can pull up the right information about customer accounts and still reconcile transactions in the face of a catastrophic cyberattack. The initiative is especially focused on an event that significantly destroys data, or takes critical systems out of service for an extended period of time.

For banks that are a part of Sheltered Harbor, the organization provides standards designed to back up the financial data they generate each day. This would give banks a way to restore data that's lost in any attack.

Changing data so it's wrong

Criminals or nation-states could also change data, like financial information on balance sheets or commands going into an industrial machine, instead of merely stealing it or deleting it.

That's a big concern for Dmitry Samartsev, CEO of BI.ZONE, a Russian cybersecurity coordination organization for the country's banks.

"The worst case scenario is when [cybercriminals] are making several attacks at one time," he said at the Oct. 23 conference.

For instance, an attacker might launch a simple denial-of-service assault on a corporation, shutting down its web site other services, then combine that with a slew of fake news on social media meant to imply major institutions are going to be out of service. The result could be panic.

There's some precedent here, too. In 2015, BNY Mellon had a technical glitch that mispriced some securities. That jammed up the algorithms that are used for executing automated trades, and the result was a swift 1,000-point drop in the Dow.

A hacker took over the Twitter account of the Associated Press in 2013, tweeting "Breaking: Two Explosions in the White House and Barack Obama is injured." The stock market instantly fell 143 points.

Tom Kellermann, a former top cybersecurity officer for the World Bank and chief cybersecurity officer of security firm Carbon Black, agreed that he's most afraid of data being altered, instead of stolen or lost.

"Integrity of data is key. If you lose your ability to trust the information that is coming out of the financial sector, that is when things can turn dark and very quickly," he said.

The cost of cybersecurity
The cost of cybersecurity