Is this type of cyber attack inevitable? Are we prepared?
Veteran newsman, Ted Koppel, is gaining a lot of attention for his new book, “Lights Out: A Cyberattack, a Nation Unprepared, Surviving the Aftermath.” In it, Koppel convincingly argues that a cyber attack against our nation’s computer- and Internet-dependent power grid by declared enemies of the U.S. poses an unprecedented and grave danger. It would shut off our lifeblood of electrical power over wide swaths of the country for very long periods of time.
Backup generators keeping vital infrastructure running would soon run dry. Clean water, food and sanitation would become unavailable; no heating fuel; no pumpable gasoline; pervasive breakdowns in security; millions of deaths. And, writes Koppel, the Federal Emergency Management Agency (FEMA) has not planned adequately to meet this threat.
Sadly, this nightmarish scenario is by no means farfetched. “Multiple sources in the intelligence community and the military,” writes Koppel in a recent opinion piece in the Washington Post, “tell me that Russia and China have already embedded cyber-capabilities within our electrical systems that would enable them to take down all or large parts of a grid.” He goes on to say that Iran and North Korea are rapidly accumulating the know-how necessary to do likewise, and it’s a sure bet that ISIL will be following their lead.
For the past several years, the President and others, from both sides of the political spectrum, have been warning about the strong possibility, and in some cases, probability of such an attack, yet very little has been done.
Many power executives do acknowledge that action needs to be taken. As Tom Gjelten of NPR reported back in 2013 after attending a power industry conference, the consensus among the power executives was “that such attacks are probably inevitable.”
Nonetheless, the industry as a whole has been resistant to taking action. Gjelden cited a survey of electric utilities taken in 2013, directed by then Rep. Edward Markey (now a U.S. senator) and former Rep. Henry Waxman. What they found, wrote Gjelden, was that “…most of the companies had failed to implement voluntary cybersecurity standards recommended by the North American Electric Reliability Corp., an industry organization.”
“Some companies might calculate,” wrote Gjelden, “that the necessary investments to guarantee grid security might not be justified, given their assumptions that a major attack is still unlikely.”
Fast-forward two years later, and not much has been done. USA TODAY’s investigative reporter, Steve Reilly, reported on the issue last March after extensively researching the dangers of cyber attacks as well as physical attacks on the grid by “drawing on thousands of pages of government records, federal energy data and a survey of more than 50 electric utilities.” He wrote that the industry, through its lobbyists, has successfully staved off government moves, such as the proposed Grid Reliability and Infrastructure Defense Act, or GRID Act, aimed at eliminating the industry’s current state of self regulation. “Congressional lobbying disclosure records show industry-funded groups spent millions lobbying about the GRID Act since 2010,” Reilly reported.
Obviously much more needs to be done to defend our power grid against cyber attacks. As for emergency planning if such an attack were to occur, Koppel says that the Federal Emergency Management Agency (FEMA), and the other groups responsible for protecting us, aren’t doing their jobs. He charges that the agencies continue to see a cyber attack on our grid as a relatively short-term affair, as if a cyber-induced blackout would be similar in duration to the blackouts caused by a natural disaster or a malfunction. According to Koppel, plans simply do not exist for what would be a much longer-term blackout.
Koppel writes, “When I asked former secretary of homeland security Janet Napolitano what the chances are that an aggressor could knock out one of our power grids with a cyberattack, she replied, ‘Very high — 80 percent, 90 percent.’ Yet she acknowledged that there is no specific plan to respond to a disaster of that magnitude.”
At the end of Koppel’s op-ed, he wrote, “It is surely time that the vulnerability of our power grids to cyberattacks and the absence of a national plan to deal with the consequences become a part of our national conversation.”
After being so persuasive about the enormity of the danger, merely having a “national conversation” seems too weak a response. If in fact these issues are national security threats of the highest order, we should be acting accordingly.