January 16, 2009
Cyberpandemics: History, Inevitability, Response

Reading about the recent intrusions into the information systems of the World Bank and International Monetary Fund (IMF; http://www.foxnews.com/story/0,2933,452348,00.html) doesn’t inspire feelings of trustworthiness. Many nations rely on aid from these and other financial entities, especially in the midst of the current global economic downturn. When parts of our critical infrastructure, such as energy or transportation, are compromised in some way, people not only experience loss (for example, death, injury, property or environmental damage, and efficacy losses such as in productivity), but they also lose confidence in the systems on which they depend.

Providing assurance that critical infrastructures and the information infrastructures on which they rely are trustworthy is challenging. Such systems are enormous, with difficult-to-determine boundaries and a lack of central control or ownership. Additionally, they exhibit emergent behavior due to interdependence when they’re integrated vertically (such as the electric power grid in North America or horizontally (as with emergency services relying on transportation systems) into systems of systems. A system of systems is an amalgamation of both legacy and developing systems that provides capabilities greater than any individual system within it.

As cyberspace has evolved into a large, dynamic, and tangled web of computing devices, engineers often fail to design in dependability properties—such as stability, robustness, and security—at the system level. Consequently, unintentional and malevolent actions taken in cyberspace have affected critical infrastructures in the physical world, triggering and propagating power blackouts in our electric energy grids, for example. A report from the US Center for National Software Studies points out that our dependence on software has progressed to a point at which “software is now the critical infrastructure within the critical infrastructure.” These disturbances and systems’ resultant undependable behavior can progress and spread like infectious disease pandemics. We can thus call such disturbances in cyberspace cyberpandemics.

In our view, a cyberpandemic is a massive disruption of computing services that can trigger second- and third-order failures or malfunctions in computing and non-computing systems worldwide. We can recognize it by the propagation of widespread failure or malfunctioning in critical infrastructure systems with an associated large quantum of harm to society (such as physical, psychological, or financial). As far as we know, no one has ever successfully executed an intentional cyberpandemic, but we believe that one will eventually be launched because the means are available and the “terror payoff” is so high.

If you're interested in this topic, please respond in the comments. A more indepth article on cyberpandemics can be found in the January 2009 issue of IEEE Privacy & Security Magazine.

— Dr. Jeffrey Voas
Dr. Jeffrey Voas is Director of Systems Assurance at SAIC and is a SAIC Technical Fellow. He was the IEEE Reliability Society President for 2003-2005, and serves on the IEEE Computer Society’s Board of Governors. He has co-authored two John Wiley books.

http://saic.typepad.com/cybersecurity/2 ... ponse.html