When China's top generals warned against building the Three Gorges Dam in the 1980s, fearing it would become a "strategic target" for China's enemies, they imagined the weapon of choice would be dam buster bombs.
Now, 25 years later, as the threat of cyber warfare grows, China's military men must worry about modern day weapons -- malicious software infiltrating computers that control critical systems like pumps, motors, alarms, and valves that could allow an attacker to take control of the world's largest dam, along with other critical infrastructure.
This nightmare scenario isn't just the material of spy thrillers.
In 2010, when Stuxnet, a computer virus dubbed the world's "first cyber superweapon," infected Siemens' control systems and caused Iran's nuclear centrifuges to spin out of control, it also attacked six million computers and nearly 1,000 industrial control systems in China, according to Beijing-based antivirus service provider Beijing Rising International Software. Siemens, a German multinational, is one of China's biggest overseas suppliers of industrial computers.
While the China Information Technology Security Evaluation Center downplayed the malware threat, saying that no severe damage had been reported, according to the South China Morning Post, neither Beijing nor Siemens would provide a full list of the industrial facilities affected by the virus. Nevertheless, it is widely known that Siemens's control system is used throughout China by airports, railways (including the Shanghai Maglev), nuclear power plants, and the Three Gorges Dam.
Others were less sanguine about the threat. Professor Sun Jianping, a hydropower expert who led a study on the reliability and stability of the generators at the Three Gorges Dam, told the South China Morning Post: "If someone hacks into the system and takes over, we will be blinded and disabled. It could cause more destruction than a bomb." According to U.S. hydrologist Dr. Philip Williams, catastrophic dam failure at Three Gorges would "rank as one of history's worst man-made disasters."
To the best of anyone's knowledge, Stuxnet did no harm to the Three Gorges Dam or other industrial facilities in China. But it was a wakeup call. "Alarm bells have been sounded in almost every key industrial sector ‒ steel, energy, transport ... This has never happened before," Wang Zhantao, a network security engineer with Beijing Rising International Software told the South China Morning Post.
China's generals considered dams "strategic targets" because of their potential to suddenly release vast quantities of water, causing massive loss of life and chaos to civil defences. Bunker busting bombs could cause such catastrophic releases. So could uncontrolled overtopping caused by the failure of sluice gates to open. That nightmare scenario was narrowly averted at the Zipingpu Dam in 2008 when workers racing against time freed sluices jammed when the Wenchuan earthquake cracked the dam.
China is currently building more than 170 new mega dams, all of them strategic targets. Compounding the risk that each poses to China's security, is the fact that many are being built in cascades, so close to one another that catastrophic failure at one upstream, causing a tsunami -- would likely mean failure of those downstream.
China's leaders have an interest in playing up the threat of malicious foreign spyware, but malfunctioning domestic software could cause the same dam catastrophes.
In 2011, Sunway Force Control Technology, a Chinese software provider to major projects such as the Three Gorges Dam, the Daqing oil field, and China's space program, was ordered by the National Computer Network Emergency Response Technical Team to notify its clients of bugs that hackers could exploit. The bugs had been detected by Dillon Beresford, who works for the U.S. private security firm NSS Labs Inc., and who , in a reassuring example of international cyber cooperation, worked with Sunway and Chinese authorities and the Department of Homeland Security to fix the bugs he found.
This was not the first time Mr. Beresford had found flaws in Chinese software. Another attempt to correct dangerous flaws was ignored until Mr. Beresford went public. Then the Chinese authorities posted a fix for the vulnerability within a few days.
Ironically, despite China's notorious record as a cyberspace aggressor, security specialists say China's computer-controlled infrastructure is more vulnerable to cyber-attacks than are Western systems.
The great majority of computers used in China run pirated software, much of it derived from the Russian mafia, according to a Washington Times interview with James A. Lewis, a cybersecurity scholar at the Center for Strategic and International Studies. "So your software sector is stunted because no one can make any money selling a product that will be so quickly and easily pirated.... if you use pirated software, you have no idea where it comes from," he said, noting that pirated software may be surreptitiously designed with "back doors" that allow unauthorized access. At best, pirated software cannot be patched to correct for flaws.
Moreover, China's infrastructure is especially vulnerable because of the country's "lack of transparency," states Mr. Beresford. Patches cannot be effective if they aren't universally applied, making it necessary for the patches to be publically available for downloading.
Openness is not exactly a characteristic of China's cyber-world.