30 January 2016

The Days After a Cyberattack Strikes the U.S. Power Grid

Ted Koppel's new book shines a light on America's vulnerable infrastructure.
Kevin Reagan, January 27, 2016
In his new book, Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath, ABC News veteran Ted Koppel concludes that America’s dependence on internet-connected critical infrastructure systems is making it increasingly vulnerable to a devastating cyberattack, and that the nation is completely unprepared for the aftermath of any such attack. The cover depicts America at night but with the eastern half of the country in darkness, evoking the memorable contrast of real-life nighttime images of the Korean peninsula. Indeed, after a clichéd opening describing the United States in a North Korea–like state (the first sentence of the book is “Darkness.”), the first chapter arrives at the focus of Koppel’s study: the centrality of the electrical grid in the United States, and what would happen if it went offline for an extended period of time, particularly as the result of a cyberattack.
After developing his cyberattack premise, Koppel then bizarrely teases readers with sparse details of other potential grid vulnerabilities of equal or greater interest, briefly acknowledging their existence before moving on with his argument. The second chapter of the first section, “AK-47s and EMPs,” details how electromagnetic pulse (EMP) attacks could be used to neutralize not only the power grid, but all electronics across the country. Without much further examination, Koppel leaves readers to ponder the somber conclusions of a 2008 congressional report on the EMP threat—namely, the forecast of a 90 percent population reduction.
The chapter also details one concerning incident in 2013, in which a power substation in California was physically infiltrated and taken offline in a coordinated attack by individuals armed with assault rifles. While the attack did not prove fatal or cause a widespread power outage, it highlighted the vulnerability of the grid to physical attack and the need for increased physical security at critical sites. Given the ease with which the tools used in this attack can be acquired in the United States, this threat merits much more in-depth discussion, but Koppel largely glosses over its significance in this chapter.

The opening section of Koppel’s work should invite readers to take it with a hefty grain of salt. Koppel is confident in claiming that an expanding field of actors could potentially execute a debilitating cyberattack on the grid, though he offers scant specifics as to their identities and potential motives. Over the course of the book, the national security experts he consults name a few state-level actors (namely Russia, China and Iran) that have a history of penetrating and conducting surveillance on critical infrastructure networks.

But Koppel argues that non-state actors are much more dangerous, given their relative anonymity and the difficulty of retaliating against them. The problem with introducing non-state actors to the discussion is that very few, if any, non-state actors have either the capability or motive to pull off an effective cyberattack on the entire U.S. electrical grid. Successfully executing a cyberattack of that scale requires a large team of experienced hackers, a sophisticated infrastructure and considerable time spent researching and mapping the grid networks. The world awaits evidence that any non-state actors currently possess these capabilities.

Of course, Koppel is seeking to profit from sales of the book, which is much more a work of popular journalism than an academic discussion. He can therefore be forgiven a bit of alarmism and the omission of technical details pertaining to the electrical grid’s security. But it is important to maintain a realistic view of the grid’s vulnerabilities and the desire of malicious actors to exploit them. Both state and non-state actors who may be able to neutralize the U.S. electrical grid rationally understand that such an attack would have global repercussions. Severing the single largest economy from the rest of the world would prove devastating for all but the most isolated corners of the globe. Global trade, travel and communication would be thrown into chaos as the Internet, which relies heavily on extensive physical infrastructure in the United States, ground to a halt.

Even criminal syndicates with advanced computing knowledge—the only feasible non-state actors to whom Koppel could be referring—would be extremely reticent to conduct such an attack, given their preference for profiting from the exploitation of Internet banking and credit systems. Thus, assuming that such groups are rational actors, the obvious disincentives of such drastic action vastly outweigh any potential benefits to the attackers, except perhaps in the most extreme total-war scenarios. Koppel also neglects to mention the rising number of industry professionals who are training and earning certifications in the best security skills and practices for avoiding such unlikely scenarios.

Those caveats aside, a number of overarching themes in Lights Out are valuable contributions to the discussion. For example, the book highlights American aversion to both proactive policy and government overreach, while searching for a feasible middle ground between the two. Koppel expresses frustration with Washington and the policy process throughout the book, chronicling the stagnancy of legislation that could impose stricter security requirements on the private companies administering the electrical grid.

To be sure, the United States’ democratic system and free-market economy constrain cooperation and federal regulation of private industry, particularly in the absence of imminent national security threats. Thus, proactive public policy measures like these gain little traction. Lamenting this reality, Koppel quotes Tom Ridge, the first Secretary of Homeland Security, who perfectly encapsulates the problem: “We are not a preemptive democracy. We are a reactive one. Rare are the occasions on which we act in anticipation of a potential problem.”

This dearth of proactive policy also extends to disaster preparedness and planning, and Lights Out offers a scathing critique of America’s readiness for national disasters. As Koppel acknowledges, the benefits of preparing well in advance are manifest, regardless of the nature of the disaster. While the United States has certainly made great strides in disaster preparedness in the decade since Hurricane Katrina, he identifies a number of ways in which the United States is not prepared for an emergency of a much greater scale. Foremost among these deficiencies is the absence of a definitive plan for an event like a widespread and sustained grid outage.

For Koppel, “conflicting risk assessments among our national leaders and foremost experts” is “a recurring theme,” applicable to assessing the security risk of a debilitating cyberattack as well as the readiness to respond to such a crisis. The contradictory answers Koppel receives from industry experts, security experts and government officials on this subject are telling. Indeed, the book sometimes verges on a pseudo-parodic tone, with energy industry leaders boasting about the security of their systems only to be contradicted by the concerns of security professionals. And with respect to disaster preparedness, Koppel argues that the federal government’s official advice of stockpiling modest supplies of food, water and other emergency supplies to last approximately three days is “based on outdated assumptions that are barely adequate in the wake of natural disasters.”

The shared element between those two topics is the actual equipment upon which the grid relies, which presents a unique problem of its own. Some of the most vital equipment (Koppel identifies large power transformers, “LPTs,” as an example) is so specialized, and so difficult to produce and transport, that it presents challenges to both security and recovery. Their massive size and critical importance to the grid’s function make them highly visible targets that are exceedingly difficult to replace.

Setting aside the minimal likelihood of a debilitating cyberattack on the power grid, Lights Out also directly addresses the theme of public apathy in the face of significant security threats. While recent high-profile terrorist attacks like the Paris and San Bernardino massacres have temporarily piqued public interest and awareness regarding the terror threat, no event has been large enough to immediately affect the entire country, never mind an equivalent event affecting the power grid. Thus, opening the third section of the book, Koppel himself acknowledges that the word “apathy” might be too generous to describe the American public’s current interest in disaster preparedness for national crises. Earlier on, he quotes General Lloyd Austin, commander of U.S. Central Command, who astutely observes: “The average person doesn’t think this kind of thing can affect their lives, quite frankly.”

In fact, Koppel suggests general apathy is so ingrained that it sometimes begets outright cynicism—recalling Ridge’s experience as the brunt of jokes for his good-faith efforts to inform the public on specific national security threats. Nonetheless, Koppel remains undeterred in his quest to inform the public on what he clearly considers a critical issue. Lights Out thus transitions into studying American subcultures which are much more likely to thrive under Koppel’s disaster scenario than others.

He examines life in rural Wyoming as a case study in self-sufficiency, and spends considerable time profiling so-called “preppers,” or survivalist/disaster-preparedness enthusiasts. Koppel is also clearly fascinated by the Church of Jesus Christ of Latter-Day Saints’ preoccupation with preparing for events, natural or divine, which could hasten the deterioration of societal order. He holds these examples up to the audience as paragons of virtuous readiness—a decidedly unsubtle invitation to follow their example.

Ultimately, Koppel’s latest work is one in a growing number of cautionary volumes that warn of the dangers of increasing reliance on exploitable, Internet-connected technology. These arguments undoubtedly have plenty of merit; experts unanimously agree that security measures in this arena have often been an afterthought rather than a primary concern. But Koppel’s choice to focus on power-grid cyberattacks is almost certainly more of a dramatic consideration than a practical one, more a critique of Washington policymaking than an engagement with substantive cybersecurity issues.

And while questions remain over the validity of its premise, Lights Out effectively critiques America’s apathy toward disaster preparation, as well as the perpetually reactive public policy process. Those familiar with the process will recognize Koppel’s primary intended audience (Washington) and the policy prescriptions contained therein. But they will also close the book with a deep skepticism in its ability to effect any meaningful change.

As retired NSA Director Keith Alexander observes of one of the key policies Koppel advocates in the book, creating a complete cybersecurity system for the entire electrical grid: “Half of the Congress will say why we should do it, and the other half will say why we shouldn’t do it. And then they’ll argue it, and they have no tactical understanding, most of them, about what they’re arguing. Unless there’s a true crisis, we’re going to move [slowly].”

Kevin Reagan is a Resident Junior Fellow at the Center for the National Interest.
