Elections are about power. The Russians know this. But real power is about electricity. The Russians know this as well.
Congress and the public have appropriately been outraged about the influence in our last election, and it is an ongoing concern. But it seems far less focus has been applied to keeping the power grid intact.
In March, I noted that Russia is already warmed up for an attack on our energy grid.
As I said then, Putin is more than a cyber bully. He’s righting perceived wrongs done to him and to the former Soviet Union by the great enemy. This is about a modern version of the U.S.S.R., and cyber warfare is the least risky way to accomplish it.
Because the U.S. doesn’t have a firm policy yet on how to deal with warfare in the fifth domain. Name and shame doesn’t work. When does a bit and a byte get a bomb and a bullet? We don’t know. And Putin knows that.
Last week, the Department of Homeland Security (DHS) issued a report detailing the extent that Russian hackers had obtained access to hundreds of control rooms across the United States. Jonathan Home, chief of industrial-control-system analysis for DHS, said the hackers “got to the point where they could have thrown switches” and upset power flows, according to the Wall Street Journal.
Russia is mastering the art of low-intensity conflict in cyberspace, and our energy grid is probably the most vulnerable. But what does low-intensity conflict actually mean?
One of the most compelling descriptions that sums up Putin’s strategy comes from the publication ‘Cyber War: Law and Ethics for Virtual Conflicts.’ It says: “Low-intensity cyber operations offer states opportunities to undermine adversaries while avoiding the likely strategic and legal costs of massively destruction [sic] cyber attacks.”
The costs of an attack on the grid could be catastrophic according to a report in 2015 by Lloyd’s and the University of Cambridge’s Centre for Risk Studies. A major attack on the U.S. electric grid – the study contemplated blackouts in 15 states and Washington, D.C. – could quickly cost the economy between $243 billion and $1 trillion dollars. In comparison, Hurricane Katrina cost $161 billion: add hurricanes Harvey, Maria, Sandy and Irma, and you still only get to $497 billion – about half the maximum cost of the attack on the grid projected in the study.
The costs would cascade across all sectors of the economy: the experts predict “a rise in mortality rates as health and safety systems fail; a decline in trade as ports shut down; disruption to water supplies as electric pumps fail; and chaos to transport networks as infrastructure collapses.”
The loss of power and water can bring a nation to its knees.
The thing is: a massive attack isn’t needed. It would only take a gentle, imperceptible, nudge to cause the type of chaos and disruption Putin thrives on.
The conditions for a disaster are already present. In May, The Daily Caller reported “The two most populous U.S. states could face rolling blackouts during summer heat waves largely because of shuttered coal plants and a lack of natural gas storage, according to the country’s grid reliability watchdog.”
The danger is when our grid maxes out. One small ‘nudge’ and there could be wave after wave of blackouts and rolling brownouts. This would cascade into vulnerable populations like the elderly and low income areas. As we’ve seen in previous heat waves, and loss of power, there could be substantial deaths.
Earlier in July, over 70 deaths were linked to a brutal heat wave that enveloped Quebec province in Canada – and that was without any disruption in their power grid.
According to The Washington Post, The National Security Agency reported over a year ago that specific activity was detected showing the FSB, one of Russia’s spy agencies, had compromised the networks of nuclear power plants.
One plant, Wolf Creek Nuclear Operating Corp. in Kansas, downplayed the impact of the intrusion, saying: “The safety and control systems for the nuclear reactor and other vital plant components are not connected to business networks or the Internet.”
That misses the point.
The Russian intrusions are reconnaissance: harvesting credentials to use for future attacks, mapping out networks, looking for chinks in the armor. It’s arrogant for nuclear plants to think they’re invulnerable to attack. Operators have to be right all the time—Russia only needs to be lucky once.
The partial melt-down at Pennsylvania’s Three Mile Island nuclear facility in 1979 did not begin with a failure of a vital component, but rather a secondary system and a release valve.
Many pundits and experts spend tremendous amounts of energy preaching an end-of-days scenario. Chicken Little is alive and well. But I suspect they’re all off the mark.
Russia won’t be signing up for a full-scale attack on the US critical infrastructure any time soon. No one wants, or is prepared for, a full-scale cyber war. Low intensity conflict, however, can be a major nuisance, incredibly costly and disruptive, but not overly deadly. That means our response will be proportional.
DHS is forming a National Risk Management Center, according to a document obtained by The Hill that stated: “In response to the increasingly complex threat environment and corresponding demand from industry for greater integrated support from the U.S. federal government, the Department of Homeland Security (DHS) is establishing a joint center to provide a centralized home for collaborative, sector-specific and cross-sector risk management efforts to better protect critical infrastructure.”
While pundits chatter about whether or not Russia will influence the next election, we’d all do well to pay more attention securing power – electric power – to the people. The new center is a start.
Morgan Wright is an expert on cybersecurity strategy, cyberterrorism, identity theft and privacy. He previously worked as a senior advisor in the U.S. State Department Antiterrorism Assistance Program and as senior law enforcement advisor for the 2012 Republican National Convention. Follow him on Twitter @morganwright_us.