The cyberattack that wasn’t

by on November 28, 2011 · 0 comments

Over at, [I write]( about the “Russian hackers are in our water plants” min-panic that erupted last week. Turns out it was a false alarm, but that didn’t stop the rhetoric from going on overdrive. Check out [this story from Nov. 21](, one day before DHS and the FBI announced there was no attack, which said that a variant of Stuxnet had been used to attack the Illinois water plant and “caused the destruction of a water pump”. My takeaways from this incident:

>First, we shouldn’t jump to conclusions based on sketchy first reports of cyberattacks. Bad reporting tends to take on a life of its own. Two years ago, an electrical blackout in Brazil was similarly blamed on hackers, but the cause turned out to be [nothing more than sooty insulators]( That hasn’t stopped pundits, defense contractors and politicians from citing the debunked incident as evidence that we need comprehensive legislation to regulate Internet security.

>Second, although Bellovin was mistaken in believing the initial reports, he’s right that such an attack is possible. The discussion should be about the possible magnitude of attacks and what can be done to prevent them. Although the rhetorical engines of those who want new cyber-legislation were spinning into overdrive before the facts abruptly shut them down, this incident, if it had been a cyberattack, would not have shown a dire need for new rules. Instead, it showed that the damage was not catastrophic and that the water utility worked well with federal authorities under existing law.

Read [the whole thing]( at

Previous post:

Next post: