When I was an MBA student, more than 20 years ago, I was invited to participate in a research project for some innovative technology that originated in the defense industry. It was a modified computer that would, in nearly real time, monitor public water systems and provide an early warning if someone tampered with the water and put in harmful chemicals such as poisons. Our job, our little group of students, was to determine where the market opportunity was for this system, which was estimated to cost $40,000 (in 1990 dollars). We spoke to public water utilities, big and small, all over the United States. We interviewed government officials at agencies designed to protect the public health and the environment. And no one was interested in our device. Sure, cost was a big issue, as we were told more than once, “I could hire a full time engineer for that cost and grow jobs in our community.” The bigger factor, in my opinion, was the other issue we kept hearing, “there’s no such thing as domestic terrorism. The amount of chemicals needed to harm the public would be huge, like the amount in a tanker truck.” People simply couldn’t imagine the possibility of someone taking over a truck and using it for terrorism.

Sadly, in our post 9-11 world, we all can imagine just such a scenario. And though we don’t often hear about the risk to our public infrastructure (which includes our water supply but also electricity, cellular networks and more), there’s much happening to make us start paying more attention. Today, we understand the risk of terrorism on our shores and we also recognize the reality of far off agents acting against us through our connected and networked culture.  Remote control management systems connected to regular computers or with network access can be compromised. Critical systems need designs that isolate them from malware; that prevent outside memory devices being connected or other purposeful or inadvertent introductions of computer programs.

I was interested to read an interview in the New York Times with General Keith Alexander, the head of the National Security Administration.  He discussed the nature of current malware threats such as Stuxnet and Flamer that are evidence of infrastructure-damaging cyber attacks that have already occurred. He also describes the evolving discussion around how a nation such as the US can respond to cyber attacks. I suppose what I took away from my MBA student experience was how hard it can be to get people to change behavior in the face of a threat that seems unreal. What the General demonstrates is that cyber attacks against infrastructure are threats that are very real and a form we need to defend against.