Cipher Brief Cyber Advisory Board members offer their views on threats to the U.S. power grid, as interviewed by Cipher Brief Publisher and CEO Suzanne Kelly.
Former Deputy Secretary of State Robert Work, a member of The Cipher Brief’s Cyber Advisory Board, says potential attacks on the U..S power grid would most likely come in two flavors. “A localized attack, such as an attack on a city’s power grid, could be mounted by any number of malicious hackers, minor states or terrorists. And a more widespread “counter-value” strike by a large state competitor could target assets that are not a military threat but that an opponent values, such as cities and civilian populations. Counterforce targeting goes after an opponent’s military forces and capabilities.”
Work warns that the U.S. has largely turned away from the thinking behind counter value targeting, but says that the U.S.’ great power competitors have not.
“A widespread counter-value cyberattack on the U.S. power grid that knocked out large parts of the grid for a significant period of time could cause widespread disruption throughout the United States, incalculable economic loss, and potentially loss of life. Such an attack would not be easy. But it is not out of the realm of possibility. And I am less than certain we have hardened the grid enough to thwart a concerted, large-scale cyberattack.”
Cyber Advisory Board Member Chris Inglis, former Deputy Director of the National Security Agency, agrees. “The overall complexity of the grid and the number of opportunities for nature, human error and adversaries to hold it at risk are still daunting but I’d say that the risks are serious, being worked, and often exaggerated. Could a nation state hold our grid at risk? Likely. But they would be at risk of us using the full range of our national/coalition instruments of power. Could a non-nation state hacker (or hacker group) hold the grid at risk? Yes, but the effects they could generate are limited in geographic scope and scale.”
The wild card, says Inglis, “is a generic and systemic flaw analogous to Meltdown or Spectre,” (he knows of none) or a nation-state capable actor that takes the gloves off and uses our critical infrastructure as a means to open a conflict. We’re not yet ready for a sharp transition to that class of assault. It will take a considerably different and richer collaboration for us to sense and address (in real time) something like that.”
On the private sector side, Dmitri Alperovitch, CTO of Crowdstrike says he’s not overly concerned about the possibility of a full scale attack against the grid. “While it is certainly technically feasible to cause significant impact to parts of the U.S. grid (a national-level attack would be much more complicated due to the diversity of companies and technologies used), conducting an attack like that would be within the realm of capabilities of only a few nation-states,” says Alperovitch. “Doing so would clearly cross a redline of attack against our nation that would precipitate a military response. This is why, despite significant vulnerabilities and warnings about an attack against the grid for literally the last 30 years, we have yet to see one.”
Suzanne Kelly is CEO & Publisher of The Cipher Brief.