Some two weeks after Secretary of Defense Leon E. Panetta warned of a potential “cyber-Pearl Harbor” involving a possible attack on the electric grid, Mother Nature took the cue and hit the East Coast with a storm that left millions of us for days without electricity from the grid.
Some said silent thanks for that old generator they’d thought to stick in the garage. Though it wasn’t a cyberattack, but Mother Nature gave parts of the grid a good lashing anyway. On my country road south of Annapolis, two transformers were blown down from their perches on telephone poles, and the leaking oil and surging electricity produced 20-foot flames. In the meantime, our driveway was filled for days with 15 Baltimore Gas and Electric Co. trucks and about 25 electrical workers from Arkansas erecting new poles and replacement transformers. And that was just to deal with five days of outage, caused by falling tree branches, for a very small community on one short country road. What would it have taken to deal with damage that was far more extensive across a number of states because it had been planned by a group or nation that wanted, above all, to destroy our society?
The electric grid is the heart of our ability to function as a society. We have 18 major infrastructures that keep our civilization operating — water, sewage, telecommunications, transportation, etc. All 17 of the others depend in one way or another on electricity. Imagine what it would be like for an electrical outage to last for months or years as a result of a cyber- or terrorist attack instead of merely for days.
Without electricity, we are not just back in the pre-Web 1970s, we are back in the pre-grid 1870s. Very few of us have enough plow horses or manual water pumps.
A little more than a decade ago, in the aftermath of Sept. 11, 2001, the National Research Council published a fine report on how to use technology to combat terrorism. Unfortunately, its wise recommendations are still just recommendations because very little has been done in the intervening decade to deal with the vulnerability at the heart of our civilization’s ability to operate: the electric grid.
The underlying reason is that electricity grew up as a local business in the United States, and its deregulation in the 1990s weakened central control even further. The 50 state public utility commissions in a way have responsibility for grid security, sort of. You can try to find who in Washington is actually taking action to improve the security of the electric grid overall, and you will look a long time. Eventually, you may come across something called the North American Electric Reliability Corp. (NERC). It is basically the trade association for hundreds of utilities, and it issues some standards from time to time.
But the reason the secretary of defense is so concerned is that he is not just worried about bad weather. He’s worried about Chinese and Iranian hackers and terrorists. He knows hackers and terrorists are smarter than tree branches and cannot realistically be defeated by a trade association consisting of hundreds of utilities.
We have the best cyberpeople in the world — both those who play defense and those who play offense. A large number of them are in the National Security Agency and the military services, but some are “white hat” hackers in the civilian world and some are out-of-the-box inventors of software and technical systems. Many of these folks are brilliant and take cyberchallenges to our infrastructure seriously. If you have a few days free later this month, go to Las Vegas and drop by the DEFCON and Black Hat hacker conferences. Ask attendees how vulnerable our electric grid is and what is being done to protect it. Ask if they know if any of the very best hackers and inventors outside the government have been asked to help figure out how to protect the grid. You’ll shudder at their answers.
But many in government and the electricity business focus entirely on other issues — e.g., whether to bury utility lines (defends nicely against trees, but not hackers). No one makes the utilities stockpile a reasonable number of spare transformers or store them anywhere but right next to the operating transformer. Some utilities naively welcome Chinese electricity experts and other visitors with potential hostile intent to explore how our electric grid works. Utilities in the main don’t require security clearances or background investigations; many of their top people can’t even be briefed by the government on the threats they face.
Our military and those who are ready to help them can’t protect us unless they are given the authority to get the job done and bring the very best people, quickly, to this crucial task. The way we now try to deal with grid security is worse than dysfunctional — it approaches the darkest of humor.
And our lassitude could cost us everything.
R. James Woolsey, former director of central intelligence, is a venture partner with Lux Capital and chairman of the Foundation for the Defense of Democracies.