Is a cyberattack by Iran against the U.S. a realistic threat? And if so, could it be defeated by a technique called "bullet time" that slows Internet traffic just enough to give critical infrastructure defense systems time to respond?
There is considerable disagreement over that, with some experts saying both that an attack is likely and the defense is possible, while others dismiss both.
Nobody in government or in cybersecurity thinks Iran is capable of delivering any kind of serious military blow to the U.S. But some say it could damage computer networks that control critical American assets like the power grid or the financial system.
In an interview last week with National Public Radio, Jeffrey Carr, a cyberconflict expert who has consulted for the U.S. Department of Defense, said, "[The Iranians] have all the resources and the capabilities necessary to be a major player in terms of cyberwarfare."
The NPR report also said that James Clapper, director of national intelligence, told Congress that Iran is motivated to attack the U.S. and that its cyber capabilities have "dramatically increased in recent years."
He cited the country's ability to track dissidents, shut down Twitter, block websites and launch sophisticated cyberattacks within the country. And while NPR said cybersecurity experts doubt that Iran could take down the U.S. power grid, it might be able to hack into the banking system.
Meanwhile, a story in New Scientist this week profiles security engineers at the University of Tulsa who say they have developed a way to slow Internet traffic, including malicious data, to give networks time to deal with attacks.
The technique has been named "bullet time," referring to the scenes in "The Matrix," when Keanu Reeves's character, Neo, was able to dodge bullets, as time appeared to slow down. According to Tulsa's Sujeet Shenoi, while the system would not be easy or cheap to set up, "slowing the malicious traffic by just a few milliseconds will let the hyper-speed commands activate sophisticated network-defense mechanisms."
But Gary McGraw, CTO of the security software consultancy Cigital, says the problem is not that "bullet time" would be expensive or difficult, but that it is a fantasy to think it would work.
"It's ridiculous. When you're talking about cyberattacks, it's beyond milliseconds," he said. "It's picoseconds (one-trillionth of a second). And when you use Internet protocols to slow down traffic, that slows everything else, too."
Dan Philpott, editor of FISMApedia (Federal Information Security Management Act), is a little less dismissive, but said "bullet time," while "conceptually interesting," would be effective as a countermeasure in very few places. "The problems aren't in responding, but identifying attacks when they occur."
McGraw also dismisses as "ridiculous" the possibility of a serious cyberattack by Iran. "They couldn't even defend their nuke," he said, referring to the Stuxnet worm that wiped out an estimated fifth of Iran's nuclear centrifuges in 2010.
He believes Iran has improved its cyber defenses since then. "They would be stupid if they didn't," he said, but still contends the country is not close to capable of a sophisticated attack.
Philpott is not so sure. "Iran has very well-educated population and good access to computers, so it is probably adequate to the task," he said. "I don't know that they have a cyberattack mechanism, since their government is very fractured [among] public, private and religious [entities]."
"But I wouldn't out of hand dismiss their capabilities. I tend to agree with government experts that all of the qualities are there," Philpott said.
Both agree on this much: The U.S. needs to improve its defenses, especially in areas like the power grid. McGraw said those who say the financial system is more vulnerable than the power grid have it backward. "The finance guys have much better defenses than the power grid," he said.
Philpott says the security of energy facilities is "not up to standard. A lot of the things we depend on aren't built very well," he said. "They fall down under the simplest of attacks."
McGraw said the best way to protect critical infrastructure against cyberattack is to "build things that aren't broken."
Yes, it's impossible to build devices that are completely invulnerable, he said, but it is possible to build them so they are very difficult to attack. "And if the cost [of an attack] is too high, the bad guys will go elsewhere," McGraw said.
Philpott agrees. "Don't make it low-hanging fruit," he said.