To begin, a conclusion: The Internet, whatever its many virtues, is also a weapon of mass destruction.
We have been distracted from focusing on that potential by a succession of high-profile cyberattacks, including China vacuuming up more than 22 million federal employee records, North Korea’s humiliating shot across the bow of Sony Pictures Entertainment and a barrage of cyberlarceny directed at U.S. banks and businesses, much of which has originated in Russia and Ukraine. Each of these targets was protected by firewalls and other defenses. But the Internet is inherently vulnerable. It was never intended to keep intruders out. It was designed to facilitate the unimpeded exchange of information, giving attackers a built-in advantage over defenders. If that constitutes an ongoing threat to commerce (and it does), it also represents a potentially catastrophic threat to our national security — and not just in the area of intelligence-gathering. The United States’ physical infrastructure is vulnerable. Our electric power grids, in particular, are highly susceptible to cyberattacks, the consequences of which would be both devastating and long-lasting.
Deregulation of the electric power industry has resulted in a network of more than 3,000 companies, some of which are well protected, many of which are not, but all of which are interconnected. Hacking into the most vulnerable could lead to a domino-like penetration of even the most secure companies. The automated programs (known as supervisory control and data acquisition systems) that control the supply and demand of electricity nationwide are, for the most part, standardized and therefore highly accessible. Multiple sources in the intelligence community and the military tell me that Russia and China have already embedded cyber-capabilities within our electrical systems that would enable them to take down all or large parts of a grid. Iran’s capabilities are believed to be close behind. North Korea is working toward such a goal. George Cotter, a former chief scientist at the National Security Agency, told me that he fears groups such as the Islamic State may soon be able to hire capable experts and assemble the necessary equipment, which is available on the open market.
Why hasn’t anyone in authority warned us? Well, they have — repeatedly. In October 2012, then-Defense Secretary Leon Panetta told an audience of security executives that “a destructive cyber-terrorist attack could virtually paralyze the nation.” More specifically, Panetta warned that it could “shut down the power grid across large parts of the country” and could be “ a cyber-Pearl Harbor.” Warning specifically of cyberattacks, President Obama said in his 2013 State of the Union address that “our enemies are also seeking the ability to sabotage our power grid.”
The impact of such an attack would be dire. In 2010, a bipartisan group, including two former secretaries of defense, two former directors of central intelligence and two former national security advisers, sent a confidential letter to the House Committee on Energy and Commerce warning that the electric grid “is extremely vulnerable to disruption by a cyber or other attack.” The letter went on to say that “timely reconstruction of the grid following a carefully targeted attack . . . would be impossible” and could “result in widespread outages for at least months to two years or more, depending on the nature of the attack.”
Serious warnings of an attack resulting in “widespread outages for at least months to two years or more” would, you might think, have galvanized the attention of policymakers. Yet the Federal Emergency Management Agency and its parent, the Department of Homeland Security, continue to bundle cyberattack into a generalized, one-size-fits-all threat response package covering floods, hurricanes, blizzards and earthquakes — disasters of shorter duration and affecting more localized areas than, say, the entire Eastern seaboard, which is part of only one grid’s coverage area. An attack on the grid would have a particularly devastating impact in our cities, quickly exhausting emergency supplies and overwhelming evacuation plans.
When I asked former secretary of homeland security Janet Napolitano what the chances are that an aggressor could knock out one of our power grids with a cyberattack, she replied, “Very high — 80 percent, 90 percent.” Yet she acknowledged that there is no specific plan to respond to a disaster of that magnitude. Jeh Johnson, the current homeland security secretary, was unable or unwilling to provide even the outline of a plan to deal with the aftermath of such an attack. When asked if he was aware that such a plan even exists and why it wouldn’t make sense to share it with the public, Johnson gestured in the direction of several white binders on a shelf in his office, indicating that there was probably something in one of them. He kept returning to the importance of having a battery-powered radio.
The military would be expected to provide support and security in the event of longer-lasting disasters. Nothing has been done, however, to prepare the greater public. FEMA’s recommendations entail having a two- to three-day supply of food and water, prescribed medicines, an unspecified amount of cash, flashlights, extra batteries and — as Johnson stressed — a portable radio. Beyond that there is the prudent recommendation that families agree on a pre-determined emergency meeting place and the phone number of an out-of-state friend or relative as a common point of contact.
It is difficult to imagine what counsel Homeland Security will broadcast after the fact that it is unable to share now. The first man to head that agency, Tom Ridge, summarized the problem. “We are not a preemptive democracy,” he told me. “We are a reactive one. Rare are the occasions on which we act in anticipation of a potential problem.”
I end as I began. The Internet is a potential weapon of mass destruction, accessible to many of this country’s enemies. It is surely time that the vulnerability of our power grids to cyberattacks and the absence of a national plan to deal with the consequences become a part of our national conversation.