Because passive cyber defense will not always work, nor will it ever be enough, we need to look at other options for defense. Passive defense is reactive and slow, as well as “patchy” in terms of efficiency. An all-hazards approach is necessary to ensure protection of the grid.
Physical protections against EMP and GMD will enhance protection against cyber attacks. Blocking devices and transient voltage surge suppression devices that are specifically designed to eliminate the threat from GMD and EMP effects will go a long way toward eliminating the cyber threat. This is because many cyber attacks utilize data manipulation to cause damage to transformers, generators, etc. Obviously, passive defense practices that include software upgrades, protection programs and firewalls should not be discounted, but they must be supplemented by physical security and mitigation measures.
THE PERILS OF RISK MANAGEMENT
In response to the recent Executive Order (Improving Critical Infrastructure Cybersecurity), a Brookings paper entitled Bound to Fail: Why Cyber Security Risk Cannot Simply be ‘Managed’ Away, was published. As the title would suggest, the authors chastised the Executive Order as insufficient because of its reliance on risk management and voluntary participation. “Business logic,” which the authors note as inherent in the risk management framework, “ultimately gives the private sector every reason to argue the always hypothetical risk away, rather than solving the factual problem of insanely vulnerable cyber systems that control the nation’s most critical installations.”
Indeed, this has been the experience of those who have taken stances on grid protection against other types of attacks (e.g. high-altitude nuclear EMP and radio frequency weapons) and natural disasters (e.g. great geomagnetic storms caused by coronal mass ejections). The North American Electric Reliability Corporation (NERC) is specifically cited by Langner and Pederson as having difficulties with critical infrastructure protection (CIP) standards with regard to cyber security.
Risk-based models, as noted by the Brookings study, effectively cause the user to ignore the outliers and engage only in the “most likely” threat. The complete, unquestioning acceptance of such has only led us to a point where “worst case” is dismissed as “never going to happen,” even when experience tells us otherwise. In fact, our vulnerabilities are exposed by the over-reliance on “risk management” practices, and these vulnerabilities literally point our adversaries directly to the most effective strategic targets, tactics and procedures. While we, as a nation, think “mutually assured destruction” (MAD) will keep catastrophic attacks from being attempted, our enemies think in terms of catastrophic first-strike scenarios to remove the United States as an actor on the world stage. They know they can, because we allow the vulnerabilities to persist.
The Aramco attack (the Shamoon virus) in August of 2012 which destroyed over 30,000 computers was thought to be a counter-attack by Iran in retribution for Stuxnet, as were subsequent multiple and sustained attacks against U.S. banks. To the public’s knowledge, little (if anything) was done in response. In fact, this undercurrent of cyber activity seems not to have raised much public concern; but this could be due to a complacent assumption that a cyberwar would never cross the line into “physical space” or venture into the kinetic realm (even though SECDEF Panetta has been among the most recent to raise the specter of a “Cyber Pearl Harbor”). In fact, experts clash over the extent to which cyber operations can cause major damage, but the public-at-large is either unaware or has grown weary of the topic.
As in all “worst-case” scenario warnings, the wait over extensive periods of time for something bad to occur simply encourages the belief that nothing bad will ever happen. In this case, the secrecy that surrounds accounts of actual cyber attacks that have already been successful simply exacerbates the problem. The reasons for secrecy are myriad, and include not only classification of the data, but also an absolute need by businesses (including utilities) to exhibit trustworthiness as well as a fear of fallout related to insurance. (It may be a toss-up as to what businesses are more afraid of—cyber attacks or insurance “blowback.”)
To this point, even cyber operations resulting in substantial damage (e.g. leakage of classified data, loss of system functionality, or economic loss) have not instigated a full-scale war, of either the cyber or kinetic varieties. Unless, that is, you count the current “cyber standoff” (multiple instances of cyber theft, vandalism, activism, intelligence gathering, and sabotage by a variety of actors) as a type of cold war enacted mainly by proxy.
While a full-fledged “cyberwar” has not been officially recognized, the initial salvos have been released. It is only a matter of time until a cyber trigger blows the lid off the heretofore well-covered pot. In that regard, unpredictability in adversarial attack and response modes is something that must be considered. There are occasionally unintended consequences of adversarial activities, especially if attacks have been sequential and cumulative. One such consequence is the possibility of a “trigger event” for a larger, less controlled cyber conflict leading up to full-scale kinetic war.
To the public’s knowledge, there has been no definitive “red line” in regard to how much damage or loss a victim of cyber warfare should accept before responding. It is to this point that the so-called “secret review,” as reported by the New York Times, speaks. The Times also claims that President Obama now “has the broad power to order a pre-emptive strike if the United States detects credible evidence of a major digital attack looming from abroad.” The rules are, of course, “highly classified.”
A Stuxnet-style attack/response could potentially be the “cyber trigger” that escalates into full-scale war. Stuxnet -- a cyber weapon believed to have been unleashed against Iranian nuclear activities -- has raised the bar in actuated effects and left the entire technologically-enhanced world open for “cyber blowback.” It has long been understood that one of the risks associated with initiating a cyber attack against an adversary is that the software involved can be turned around and used against the originator. Stuxnet targeted a specific type and brand of industrial controllers which operated nuclear power plants in Iran. Although focused (as an initial attack), once it was identified, nothing prevented the malicious software from being revamped and redirected — making it more generic and/or focused on other types of systems.
It is advisable, of course, for the originator of such a weapon to harden vulnerable systems against blowback prior to unleashing damaging malware; but much depends on security classification, timing, and comprehensive identification of possible damage. Perhaps the well-publicized angst over attacks on U.S. critical infrastructure is indicative of a lack of adversarial intent on the part of the U.S., or alternatively, evidence that the U.S. either had no hand in the Stuxnet release or miscalculated the blowback from it.
Regardless, given the extent of the warnings issued since October of 2012, as well as information derived from the aforementioned studies, it seems that the United States is ill-prepared for a major attack against the electric grid. Such an attack, if well-coordinated as well as sufficiently staffed and resourced, could have catastrophic effects on the U.S. population. It bears repeating: if the grid were down for a year or more, between two-thirds and 90% of our population could be lost to malnutrition, disease, and the chaos associated with social breakdown. The “Pearl Harbor” analogy would be nowhere near sufficient to describe the extent of damage that would result.
Furthermore, the analogy of a “Pearl Harbor event” could be short-sighted, by virtue of a subsequent lack of capability to respond, which would most probably be the intended result of any attack scenario against a bigger, more militarily equipped enemy. This is especially true in regard to the United States, since a power grid attack has been publicly cited as one of the few “trigger events” that would be considered an “act of war.” In SECDEF Panetta’s own words: “If a cyber attack . . . crippled our power grid in this country, took down our financial systems, took down our government systems, that would constitute an act of war.”
The EMP Commission stressed that everything (including banking and government) hinges on the success or failure of the power grid. If the U.S. is ever hit with a catastrophic, long-term “grid-down” scenario, no matter what the exact cause, any response might be too late (and therefore irrelevant) for those within the affected area. It’s hard to consider how to respond to a “cyber trigger” that is, in itself, a “civilization-ending event.”
If, as rumored, a pre-emptive authority has been given to the President, it is no doubt due to an understanding that we have yet to see “worst case.” Those who prefer to advise the government to wait until “a safety issue is pervasive” (like the NHTSA) or until evidence of the effects present themselves en masse (like the NERC), may not be expecting the trigger event to simultaneously be the first and last battle of the next war. Regardless of their intent, however, they may be dooming the country to a much bigger loss than either the specter of Pearl Harbor or the attacks of 9/11 could conjure up – the loss of our national sovereignty.
The destruction of our critical infrastructure is not simply a “worst case scenario” that will probably never happen. It is a “strategy of choice” that will ensure victory to the attacker. It’s up to the people to do what is necessary to meet this looming national crisis. But the people need help from their state and local, as well as their federal, leaders to provide an environment conducive to the preservation of civil society. The facts need to be understood by all, not just those at the elite levels within our defense and intelligence apparatus (and, of course, our adversaries).
The federal government can take on belligerent entities; but war is virtually always a last resort for the United States, entered into only after a major, devastating attack against us. In the case of threats to critical infrastructure, our country could be effectively removed as an actor on the world stage instantaneously and long-term. Whether or not the U.S. could respond militarily would be irrelevant to the majority of the population, who would have to suffer the consequences of such an attack.
The federal government can encourage legislation for authority and resources to ensure protection of the entire bulk power system, but Congress remains gridlocked. At present, “limitations in Federal authority may not fully protect the grid against security threats due to electromagnetic pulse” or against major cyber attacks on critical electric infrastructure.
Our infrastructure remains vulnerable, and it often appears that there are internal actors who harbor agendas that are conducive to keeping our country vulnerable. Our internal security systems have deteriorated as trust in globalized partners, companies, and equipment has become the norm. Our enemies have intentions that we have collectively been ignoring. Furthermore, those adversaries who have the capability and intent of bringing down our critical electric infrastructure have either hardened their own or have no reason to bother.
This type of crisis is like no other we have ever had to endure as a nation. Those who may have been able to reeducate us on how to survive without electricity are, for the most part, gone. The remainder of the population is so reliant on the benefits that electricity has provided us, that life without it will become virtually impossible to sustain in large numbers. If we simply continue to deliberate, study, and research, without acting on what is already known, many millions will die.
Cynthia E. Ayers is Deputy to the Executive Director of the Task Force on National and Homeland Security and a member of the EMP Coalition. She formerly served as Vice President of EMPact America after having retired from the National Security Agency with over 38 years of federal service, a period that included 8 years at the U.S. Army War College's Center fo