by Ted Koppel
A glance at one of those digital attack maps online will complete the mental image: gushing fountains of colored dots, each representing a separate attack, cascading to and from various parts of the world. Many of the lines, as one might expect, emanate from China or Russia and are aimed at the United States. Reverse traffic on the cyber highway is equally dense. Some attacks, however, originate from totally unexpected sources, aimed at equally unexpected targets—Luxembourg to Peru, Russia to Belize, Denmark to the United States. But tracking cyberattacks is not simply a matter of tracing an arc of colored dots. An attack that appears to originate in Denmark may actually have been routed through Bulgaria from a computer in Russia. Even confirming a Russian point of origin is insufficient to sustain a charge that the Kremlin had any knowledge or played any part. And as the level of sophistication rises among individual actors, so too does the degree of deniability across the board.
In the first days of September 2014 a graphic video showing the beheading of American journalist Steven J. Sotloff by a hooded executioner representing the Islamic State of Iraq and Syria (ISIS) was posted on the Internet and was instantly available around the world. Whatever benign intentions the Web’s earliest designers may have had, their gift of universal distribution and access came without a filter. ISIS stage-managed Steven Sotloff’s execution to horrify and to outrage, and very likely with the intent of provoking the U.S. government into an ill-considered response. The decision by almost all international news agencies not to reproduce the video may have been a reflection of good taste, but it was essentially irrelevant. Once posted, the video of the murder was available to anyone who wanted to watch it.
Over that same Labor Day weekend, Apple’s iCloud servers were hacked, resulting in the leak of private photographs of various celebrities. The very term “iCloud” is an interesting piece of marketing misdirection (the cloud’s servers are unambiguously grounded) designed to convey the impression that vast amounts of digital information are floating serenely and securely “up there” somewhere, out of reach to everyone but us. We alone, it is asserted, are the arbiters of access to that material. As of early September 2014 Apple’s advertising copy still read “With iCloud, you can share exactly what you want, with exactly whom you want.” Exactly? Well, not exactly. We don’t need to understand how the Internet functions in order to summon its magic, and in truth, most of us don’t.
Neither the Grand Guignol of an ISIS execution, the breathless tabloid coverage produced by unauthorized images of naked movie stars, nor the acceptance of a status quo of ceaseless DDoS attacks comes close to approaching the outer limits of where our Internet dependency may lead. When the advantages of a new technology promise so much and the inherent dangers are not yet fully understood, or seem more relevant to others than to ourselves, it is easy to defer action. But a growing body of evidence suggests we can no longer afford such complacency.
The Internet is, after all, a neutral instrument, wholly reliant on the capabilities and intentions of its users. In one set of hands it is a toy, in another a terrifyingly destructive instrument of war. The very interconnectedness that bestows on this medium the capacity to weave a benign global social network also provides the countless tiny paths of access to growing armies of cyber warriors. Those paths lead to dangerous places. One military cyber specialist spoke with me on the condition of anonymity, as he is still on active duty. “We’re terrible at assessing risk if we can’t visualize it and if it involves something we don’t control. If you go to a beach, there are people who will never go in the water because there are sharks in the water—the Jaws thing, right? If I go to a vending machine, I put in my quarters and I don’t get my drink and I shake the machine. The probability of the vending machine falling on me is 1 in 110 million. The probability of me dying from a shark attack is 1 in 250 million. We suck at looking at risk.”
There is, however, an entire industry dedicated to the objective assessment of risk. The business of insurance, after all, depends on nothing less. The insurance industry calculates the odds of something happening and then puts its money at risk. How likely is a successful attack on a power grid? I decided to consult a credible insurance specialist.
Ajit Jain is the CEO of the Berkshire Hathaway Reinsurance Group. If Jain downplays his importance to the investment juggernaut that is Berkshire Hathaway, his boss, Warren Buffett—the “Oracle of Omaha”—has done nothing to discourage speculation that Jain will someday succeed him. In his 2014 letter to Berkshire shareholders, Buffett credited Jain with the establishment of a $37 billion float. Between the time when a customer pays his premium and when the insurance company has to pay out a claim, the insurance company can invest this “floating” capital toward its own profit margin. Ajit Jain’s feat in building that large a float, wrote Buffett, is one “no other insurance CEO has come close to matching.”
Jain’s success is founded in the business of reinsurance, the market in which insurance is sold to other insurance companies. If, for whatever reason, an insurance company finds itself overexposed or overextended, the Berkshire Hathaway Reinsurance Group offers a hedge, a backup, a way of spreading the risk. Like every other kind of insurance, it comes down to studying the record, calculating the odds that an event will occur, and then naming a price to protect the buyer against the financial consequences of that event.
The risks can seem astronomical, but when premiums are accumulated from many sources over many years, the occasional massive payout can be just the price of doing business, as Jain explained: “If a force-five storm or hurricane were to make a direct hit on Miami, the industry is equipped to lose as much as two hundred billion dollars. It would not be a great day, but life would go on.” Jain estimated Berkshire’s share of that payout at anywhere from $2 billion to $7 billion.
Unlike hurricane insurance, the business of cyber insurance is relatively new. Jain asked a colleague, Kevin Kalinich, to join our conversation. Kalinich is global practice leader for cyber insurance for Aon Risk Solutions, a top U.K.-based risk consultant and insurance broker. It is a business, Kalinich explained, intended to address new risks arising from “the Internet of things,” a field in which predicting the likelihood of events is all but impossible. It barely begins to define the challenge of insuring a power company against the cost of a catastrophic cyberattack. Kalinich agreed. “There are certain industries such as utilities, power, electric, water, that have unique exposures.” “Unique exposure” refers to the extraordinarily high risk of insuring against new, unfamiliar, and potentially catastrophic events. The industry is still plotting its own cautious road map toward coverage for those exposures; it will, Kalinich told me, require a combination of traditional insurance, the involvement of a reinsurance company such as Berkshire, and government guarantees of limited liability. No one, in other words, can be expected to provide complete coverage. Even the combination of those three elements, according to Kalinich, wouldn’t go much beyond $1 billion of insurance to cover a cyber-related event.
That struck me as a pretty trivial amount. Here was Ajit Jain, after all, contemplating an enormous industry-wide payout in the wake of a massive hurricane striking Miami head-on, with what could be described as a $200 billion shrug. The impact of a successful cyberattack on a power grid could be far worse, I suggested, and Jain didn’t disagree. “If there were a complete blackout in a certain part of the country for a three-month stretch,” he said, “the looting and everything that [could] ensue just boggles the mind, how large the numbers [would] be.”
At this stage, Jain contended, it would be premature for anyone in the insurance industry to talk seriously about “calculating the odds” of a catastrophic cyberattack. There’s not enough history, he said, not enough data points on which to base those calculations. Though insurance companies can anticipate and, with some accuracy, even calculate the cost of a hurricane, insurance for cyber-related events is uncharted territory.
“Having said that,” Jain continued, “we all have s
ome subjective notion of something like that happening; we slap [on] a margin of safety and set aside a certain amount of money.” While the sums he’s talking about are not exactly play money, Jain said that there is only so much that companies such as his are willing to risk in an “emerging field” like cybersecurity. Jain has not become a potential successor to Warren Buffett by taking unsustainable risks. “The[se] extreme scenarios…are certainly likely, and we can all debate how likely and what do we mean between likely versus unlikely. But from the insurance industry’s perspective, the amount of exposure that we are willing to take on is nowhere close to the exposure that would come from these very extreme events.” With so much still unknown about the risks involved, his company may soon offer insurance against cyberattacks, but it will likely demand such a high premium that there will be few buyers.
Insurance is an unsentimental business. It is based on the proposition that a certain number of customers who buy insurance to protect themselves financially against one misfortune or another will have to be paid in full. As long as those payments are significantly less than the cumulative premiums paid in, the company stays profitable. For the time being, and given the capacity of the electric power industry to protect itself or to reconstitute itself after an attack, the consequences of cyber sabotage against a power grid are too uncertain and potentially too enormous to merit the establishment of a realistic business model. Without government support and the guarantee of limited liability, it appears that the insurance industry is prepared to dip a toe in the market, but not much beyond that.
Are we any closer, then, to determining the likelihood of a massive attack against the grid? Only to this extent: the insurance industry won’t bet against it.
7
Preparing the Battlefield
Proposed Jeopardy question: “A quadrillion operations a second.” Answer: “What is a petaflop?”
Any successful attack combines three features: opportunity, capability, and motive. As we have seen, even the most ardent defenders of grid security acknowledge its vulnerability to cyber intrusion. There is disagreement as to how much damage could be inflicted, but the arguments over opportunity and capability are issues of degree. But what about motive? The ancient Romans posed the question “Cui bono?” To whose benefit? We have barely begun to count the number of potential beneficiaries.
During his 2013 State of the Union Address, President Obama tried to focus the American public’s attention on the evolving danger of cyberattacks. “We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
Nothing? Really?
The trove of classified information revealed by Edward Snowden should reassure any concerned citizen that, at least in the realm of gathering intelligence, the U.S. government is innocent of all charges of doing nothing. If anything, the Obama administration, like the Bush administration before it, has been at pains to convince the American public that our intelligence agencies are restrained in their activities. In reality, while the United States may have fallen behind in a number of critical areas, accumulating intelligence data is not one of them. Having said that, it is still the case that the United States and its infrastructure remain highly vulnerable to cyberattack, and there is blame enough to go around. In trying to find the proper balance between security and profit, many industries still incline toward a shortsighted emphasis on profit. Information sharing among businesses and between business and government is undermined by the drive to compete and by fears of litigation sparked by concerns about privacy. Civil libertarians, worried about real and potential violations of privacy, are often insufficiently focused on an even greater need to address external threats to liberty. Washington turf battles, in which a variety of agencies struggle for primacy, undermine the greater responsibility of protecting our most vulnerable targets. Meanwhile, we may have fallen victim to a distinctly American tendency to stress size over performance, confusing the accumulation of data with the gathering of actionable intelligence.
In March 2012, writing for Wired magazine, former NSA employee and longtime chronicler James Bamford reported on a project that the NSA had launched in 2004. The project’s goal was nothing less than the creation of the world’s most powerful supercomputer: a machine that could execute a quadrillion operations a second, a capacity endearingly labeled a “petaflop.” This advanced the fastest computer speed then known by a factor of one thousand. Now completed, this computer (located in Oak Ridge, Tennessee, once home to the Manhattan Project) is linked to another NSA facility on the outskirts of Bluffdale, Utah. Innocuously named the Utah Data Center, this is almost certainly the largest data mining and storage center in the world. The combined capabilities of these two operations are more than sufficient to send chills down the spines of privacy advocates and civil libertarians across the country.
Not so many years ago, Washingtonians joked that the acronym NSA stood for No Such Agency. To this day, its heroes and heroines labor, for the most part, in anonymity. Public acknowledgment of any kind is rare. It is worthy of note, then, that “part of one building,” as the agency’s former chief scientist puts it, at NSA’s Oak Ridge facility has been named the George R. Cotter High Performance Center. The man so honored has been in the front ranks of those in the intelligence community struggling to analyze, develop, and understand the nature of cyber warfare. Now retired, Cotter has devoted himself to studying the vulnerabilities of the electric power industry. He is convinced that China and Russia have already penetrated the U.S. power grid, both for purposes of reconnaissance and, very likely, in order to plant cyber weapons that could be activated at some time in the future. Having spent a lifetime in the intelligence community, Cotter cannot help but arrive at certain conclusions based on what he learned over the years. He insists that none of the material he uses nowadays is classified. Still, when he discusses his assumptions about the Chinese and the Russians penetrating the U.S. power grids, he is also implying what he knows about U.S. cyber activities. Standard operating procedure for any major nation-state, he told me, is to “study the vulnerabilities. You develop attacks against those vulnerabilities. You may actually insert the attack in the system. The general term in military parlance is ‘preparation of the battlefield.’ That is, you’re all ready to push the ‘go’ button if you have to.” We can assume that the NSA, where Cotter spent most of his adult life, has engaged in precisely this sort of “preparation of the battlefield” within the critical infrastructure of America’s potential enemies.
The notion that the United States and its principal rivals routinely fire cyber shots across one another’s bows also makes sense. Few if any of these cyber skirmishes are acknowledged, but what is publicly known certainly points to the conclusion that they are taking place. Over the course of 2014, rising tensions between Moscow and Washington over events in Ukraine led the United States and its European partners to impose a series of economic sanctions on Russia. Moscow refused to back down, continuing its policy of support for pro-Russian rebels in Ukraine and continuing to apply economic and military pressure on Ukraine’s new government, trying to force it back into Russia’s orbit. Yet its public response to the U.S. sanctions was surprisingly mild.
That only applies, of course, to what can be directly attributed to Moscow. In August 2014 the New York Times reported that a Russian crime ring had “amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses.” In early October of that year, ten American financial institutions were revealed as targets of a huge cyberattack. The most serious intrusion was against JPMorgan Chase, from which the hackers had gained access to the names, addresses, phone numbers, and email addresses of some eighty-three mi
llion households and businesses. An anonymous senior official speculated to the Times that the attack could have been in retaliation for those U.S. economic sanctions on Moscow. Only days later, reports surfaced that Russian hackers had exploited a vulnerability in Microsoft Windows to gather intelligence on “several Western governments, NATO and the Ukrainian government,” as well as “European energy and telecommunications companies and an undisclosed academic organization in the United States.”
None of these attacks can be directly attributed to the Russian government, but neither is there any evidence that the Russian government is cracking down on local crime rings targeting the United States. While it is reasonable to assume that Russian criminals might be motivated to harvest hundreds of millions of Internet user names and password combinations with an eye to selling them, why would they be spying on Western governments and NATO? Like the Times’s source, George Cotter believes that the rash of cyberattacks on U.S. banks during the summer and fall of 2014 does, in fact, constitute a warning from the Kremlin, related to events in Ukraine—a demonstration to Washington of what might follow if economic sanctions escalated. “Can we prove it? No,” he conceded. “[Not] without getting into the heads of the people who are running cybersecurity operations for the Russian intelligence services.”
The impact of those cyberattacks on American banks was only enhanced by the fact that whoever launched them could do so behind a cloak of deniability. A skillfully executed cyberattack serves the multiple purposes of inflicting damage and conveying a strong warning, all the while permitting the attacker to deflect accusations with a posture of innocent indignation. One can only speculate on the impact that such uncertainty might have had on U.S. policy makers weighing the option of further economic sanctions against Russia for its activities in Ukraine.
