Who is in charge during an energy sector hack? The answer may not be clear

By: Justin Lynch  
Source Link

A cyberattack on a New England power grid during January’s sub-zero temperatures is a nightmare scenario for America’s top spy. “A lot of people are going to suffer and die,” Director of National Intelligence Dan Coates saidduring a July event at the Hudson Institute. But the ensuing chaos may cause even more destruction in the biting cold. A Sept. 4 report from the Intelligence and National Security Agency said questions remain about who is in charge during a cyberattack on critical infrastructure. Despite what government officials say are clear lines of authority during a hack, the report lays out how uncertainty was still rife during a simulated cyberattack.

In the exercise, the group split up more than 70 government officials, critical infrastructure companies and experts to see how they would react in the face of a simulated hack on the Maryland power grid.

"During the response phase, players expressed confusion about whether the state or the federal government was in charge,” the report said.

Some state officials thought they were in charge. Some believed that the federal government should be in charge. And some participants in the exercise thought that the Department of Defense should respond if the cyberattack came from a foreign country.

"Beyond issues of capabilities and effectiveness, participants noted a lack of legal clarity regarding state and federal agencies’ jurisdictions to intercede in the crisis,” the report said.

However, some government officials told Fifth Domain they have not experienced coordination issues when it comes to cyberattacks against critical infrastructure.

The White House is in charge of coordinating the responses to federal cyberattacks, Robert Kolasky, the newly installed head of the Department of Homeland Security’s risk management center, told reporters at the Intelligence and National Security summit Sept. 4. He said if the cyberattack took place on a state institution, state officials would be in charge. Kolasky pointedto the December 2016 incident response plan that laid out government responsibilities during a cyberattack.

The state of New Jersey has not had challenges coordinating during a cyberattack on critical infrastructure because it has come to rely on working with other states, Jared Maples, director of New Jersey’s office of homeland security and preparedness, told Fifth Domain.

Experts have told Fifth Domain that it is unlikely a cyberattack could take down the entire American power grid. Because the grid system is decentralized and runs on different technology, it is hard to attack at scale. Instead, they say a targeted cyberattack on one city is much more likely.