And I mean directly, not as a side consequence of their main purpose (e.g. if they release a trojan to extort a corporation and it accidentally gets loose to a hospital, I don’t count the hospital).
If it’s already happened, in your opinion, feel free to point at it.
The Stuxnet malware (Stuxnet - Wikipedia), widely believed to have been developed by the US and Israel, compromised Iran’s nuclear enrichment facilities, making subtle changes to the PLC commands while returning normal messages to the operators. The malware didn’t cause any physical damage, but it did cause significant disruption to Iran’s nuclear program.
An attack like that could be used to cause serious damage to something like a nuclear power plant, hydroelectric plant, etc. It is possible that an adversary of the US could, for example, cause a major malfunction, up to a meltdown, at a nuclear power plant near a large population center. It wouldn’t be a trivial feat to pull off, and if we could identify the perpetrators we’d almost certainly retaliate massively. So I don’t think it’s tremendously likely that this would happen. But it’s definitely not science fiction.
Another scenario would be a drive wiping attack like NotPetya on a major hospital. That could result in significant loss of life.
Those are two scary scenarios off the top of my head.
I’ve had to become a bit of a cyber security expert in the past few months for work. The main “worst thing” people seem to be worried about involves the “Internet of Things” (IoT). The concern being that with computers and sensors slowly becoming integrated into everything from thermostats and fish tanks to locomotives, aircraft, and nuclear power plants, it could enable hackers to exploit vulnerabilities to actually damage things in the physical world. An example of this would be the Stuxnet virus, which was (allegedly) used to destroy 100 centrifuges used by Iran’s nuclear program.
Somewhere I still have a slight fear that someone hacks a government computer (not necessarily the military but maybe something like the FAA) resulting in a huge loss of life. Unlikely but still something that nags at me.
They will take out large chunks of our infrastructure. In particular, the US power grid system is a house of cards. It won’t take much to bring that down. And if they want to, they can bring it down in a particularly harmful way. Damaging generators and more.
Without electric power to almost all services, things get nasty. Communication systems will be quite limited for a good while.
Forget getting gas at the local gas station even if you’re paying cash. And buying anything most anywhere with a credit card will be impossible.
Delivery of basics like food to cities will be seriously hampered. Once people don’t have food, things go even further downhill quickly.
We don’t even need self-driving cars. We already have cars that are exploitable over the internet. Modern cars have steering/brakes/throttle hooked up to the same unsecure CAN bus that internet-connected components are on.
It is only a matter of time before people intent on Bad Things find one of these bugs. One million vehicles full throttle for 2-8 seconds at random, then the wheel hard to the left during rush hour will result in hundreds of thousands of deaths in the first hours, and a crippled transportation system.
That’s probably not the worst, though. As ftg points out, the worst would be hacking power generation. There’s no major stock of excess generation capacity sitting around as spare parts. Hack enough generators and run them in a Halt and Catch Fire loop, and we’ll have food riots in every major city inside of a month.
I know that cybersecurity is basically a race between the ones trying to get in and the ones trying to keep them out, but given the number of state actors out there (as evidenced with political news lately) and the money/power supporting them, I really am surprised that any or all of the scenarios mentioned above haven’t taken place already.
A new, monster virus that hits banking or global stock markets would be a huge threat. I work in IT in an important industry and we get new threats all the time but they are quickly patched and almost never do much damage. Imagine something like Stuxnet that hits on a global scale and shuts down the money supply. It would be instant chaos especially if it was distributed and didn’t just affect a few key servers. Effective, general viruses like that are very hard to engineer but they are certainly possible and could bring a whole lot of common processes to a halt.
The biggest threat of all is taking out the worldwide root DNS servers. Those control much of the internet and a large portion of worldwide transactions these days. That would shut down much of the 1st world but they are heavily protected and there is a procedure to deal with that scenario. There are literally 7 rather obscure people in the world that hold the “keys” to them and can rebuild them as long as they can find a way to meet after a catastrophe.