
Lights Out


by Ted Koppel


  Planning is under way. The largest, most profitable power companies are investing in backup equipment, but as with network security, the industry as a whole remains highly vulnerable. Experimental solutions are being tested, but they’re still years away from being available across the board. Large power transformers remain vulnerable to cyberattack, and because of their size and because so many of them are out in the open, they are also vulnerable to a well-trained team of saboteurs armed only with semiautomatic rifles, as was demonstrated in California in 2013. What remains unchanged is that LPTs are essential to the functioning of the grid. Because they are very expensive, only the largest and most profitable power companies can afford to keep backup transformers on hand. Because the transformers are custom-made, they are not easily interchangeable. Because the equipment is huge, it is not easily transported. Because these transformers are, on average, thirty-eight to forty years old, some of them were originally delivered by rail systems that no longer exist. Because the vast majority of LPTs are built overseas, it takes a very long time to replace them. When, as you will see in the next chapter, government officials compare an attack on the power grid to a natural disaster such as a hurricane or a blizzard, keep those distinctions in mind.

  10

  Extra Batteries

  We are not a preemptive democracy. We are a reactive one.

  — TOM RIDGE, FIRST SECRETARY OF HOMELAND SECURITY

  The existential nightmare that haunted members of George W. Bush’s administration during the last months of 2001 and throughout many of the months that followed was an image of 9/11 on steroids. What if some terrorist group was to get its hands on a “dirty bomb,” a small nuclear weapon? What if the next attack involved chemical or biological weapons? Almost every action and authorization that flowed from Washington was predicated on one or another of those what-ifs.

  Judgments rendered in recent years on the wars in Afghanistan and Iraq, on the black sites and brutal interrogations, on the expanded powers of the National Security Agency and the CIA, the drones and the aerial assassinations executed by remote control, have emerged in the more reflective environment that the passage of time permits. Many of the decisions reached in the wake of 9/11 were wrong, but they were issued by men and women far more frightened by the prospect of having done too little than by the consequences of having done too much.

  On September 22, 2001, President Bush asked Tom Ridge, the former governor of Pennsylvania, to join him at the White House as special assistant to the president for homeland security. With the passage of the Homeland Security Act in November 2002, Tom Ridge became the first secretary of the Department of Homeland Security (DHS), responsible for overseeing what had been twenty-two separate departments and agencies as diverse as the Secret Service, the Coast Guard, and the Immigration and Naturalization Service. The department’s mandate, conceived as it was through the prism of what had just happened, essentially boiled down to preventing another terrorist attack. During subsequent years, the department’s mission has evolved, in the public mind, to what might almost be described as a policy of “protect almost everything against almost anything.” Ridge acknowledged that the department ought to be doing even more on at least one level: ensuring security, he agrees, involves not only preventing disaster but also planning for its potential consequences. That part of the mission, Ridge told me, is almost doomed to fail. “We are not a preemptive democracy. We are a reactive one. Rare are the occasions on which we act in anticipation of a potential problem.”

  There have been, as of this writing, only four secretaries of homeland security. Each of them has conceded the likelihood of a catastrophic cyberattack affecting the power grid; none has developed a plan designed to deal with the aftermath. I met the first, Ridge, in the offices of Ridge-Schmidt Cyber LLC, a Washington consultancy company in the field of cybersecurity. The Schmidt half of the partnership is Howard A. Schmidt, the former cybersecurity coordinator for the Obama administration, whom we heard from in Chapter 8. He is the technical expert in this duo.

  Neither Ridge nor Schmidt, who had served at the White House more recently, was aware of any plan in the event that a cyberattack knocked out our electricity. I suggested to Tom Ridge, who brings a long career of political experience and connections to the table, that most Americans would likely expect the government to have a plan, a way to take care of the public during such a catastrophe. “Correct,” he said. “I’m sure they would say [that]. It would be helpful if the political world would just accept that there are two permanent conditions that are going to affect future generations: one is the global scourge of terrorism, the other is the digital forevermore.” Within that world of the “digital forevermore” lies the prospect of a catastrophic cyberattack on one of the U.S. power grids. Where, then, might a concerned citizen find advice on how to cope with the aftermath of such an attack?

  “There is no answer,” said Schmidt. No government agency has guidelines for private citizens because, according to Schmidt, there’s nothing any individual can do to prepare. “We’re so interconnected,” he said, that in terms of disaster preparation “it’s not just me anymore: it’s me and my neighbors and where I get my electricity from. There’s nothing I can do that can protect me if the rest of the system falters.” It’s an answer bordering on the fatalistic: the individual can’t do anything and the government won’t do anything.

  In the immediate aftermath of 9/11, Ridge tried to engage the public in confronting the prospect of another terrorist attack. “We can be afraid, or we can be ready,” he told a Red Cross gathering at the time. But while Ridge intended to provide some guidance, this became an exercise in humiliation. Ridge recommended that people stock their homes with plastic sheeting and duct tape in the event of a chemical attack, a proposal that made him the butt of numerous late-night monologues. “Oh, yeah. I remember well,” he laughed. “It’s going to be in my obituary.” Ridge’s example and the humiliation he endured cannot have encouraged any of his successors to invest either time or effort in leading further campaigns in disaster preparedness.

  Tom Ridge’s successor as secretary of homeland security during the Bush administration was Michael Chertoff. He estimated that a concerted cyberattack could knock one or more power grids offline for several weeks. When I asked whether he believed the American people are prepared for anything like that, he stated the obvious: “In some parts of the country, people do stock food and buy generators. In urban centers people don’t do that. In New York you’d try to move a lot of people out over a period of time.”

  “Really?” I asked. “More than eight million people? Where? How?”

  Chertoff acknowledged that dealing with grid-wide outages would present a unique problem in public management. “Get a hand-crank radio,” was the former DHS secretary’s principal recommendation. It was evident that he hadn’t delved very deeply into the issue. “In a dense city,” Chertoff offered as something of an afterthought, “people can walk to schools and fire stations.”

  What, I wondered, could I learn from the senior officer at my local fire department? The captain on duty at the Potomac, Maryland, fire station assured me that there are secret locations where food and water have been stored. “For all of us?” I asked.

  “No,” he acknowledged. “Just for the first responders.”

  “What about the rest of us?”

  He considered the question for a moment and then conceded that he would be awaiting further instructions.

  “And when you get those instructions,” I wondered, “how will you communicate them to the rest of us when the electricity’s out?”

  “I’m due to retire in a couple of years,” said the captain. “I’m hoping it doesn’t happen before then.”

  To date, the longest-serving secretary of homeland security has been Janet Napolitano, who put in almost five years on the job before taking the post of president at the University of California. In October 2012 and during the weeks that followed, Napolitano presided over the coordination of a federal response to Hurricane Sandy. In addition to hitting major sections of New Jersey and Long Island, Sandy flooded New York City streets, tunnels, and subways, effectively cutting off all electric power to Lower Manhattan.

  “It was,” Napolitano recalled, “very cold. It was still wet, so the plan was to mass resources to restore the power. So we brought in, for example, power trucks, flown in from places as far away as California on DOD [Department of Defense] planes, to begin replacing the poles and the lines. At one point FEMA had about eighteen thousand people working in that area going door-to-door, bringing people food and removing them from unsafe buildings until we could get the power back on.” Janet Napolitano’s recollection was that power to Lower Manhattan was restored within twenty-four hours and that within ten to twelve days power had been restored to the entire region. It actually took more than five days before any power was restored to Lower Manhattan, but 95 percent of New York’s customers did have their power back after thirteen days. Even so, thousands of homes were lost throughout the region and tens of thousands were rendered homeless.

  But what, I wondered, if a blackout was the result of a cyberattack? What if the affected area covered several states and efforts to restore power were ineffective for weeks or even months? Is there a plan?

  “There is no plan that would be adequate in that circumstance,” Napolitano conceded. She insisted, though, that the experts are good at figuring out quick workarounds. “One thing we need to do better,” said Napolitano, “is to make sure that that capability is firmly entrenched in every power company in the United States. The big ones have it; it’s the small ones, the investor-owned utilities, that you really have to worry about.” It’s an ongoing refrain: whether in the area of security or resilience, the smaller, less profitable companies are the weak links in the vast chain of companies that make up the grids. There remains a void between defining the problem and proposing a solution.

  We met Jeh Johnson, current secretary of the Department of Homeland Security, in the previous chapter. Asked to define the threat of cyberattack, he said simply that “it is potentially very large. It is potentially devastating.” Could he, I wondered, be a little more specific?

  “Well,” he said, “the cybersecurity experts could be more specific than me, but I would say, given the interconnectivity of cyberspace, an effective attack has the potential to cause wide-ranging devastation on our power grid, on critical infrastructure.” At this point he deflected the question to Assistant Secretary Caitlin Durkovich (“She’s smarter than me”). Durkovich insisted that the cyber threat has been overdrawn. She repeatedly stressed the resilience of the electric grid, echoing the power company executives we met in Part I. She credits owners and operators with having put into place mechanisms and redundancies that would mitigate any cyberattack.

  It is not surprising, then, that when I raised the issue of a national preparedness plan, something that might give the public some advance notice of how the federal government intends to deal with the consequences of a successful cyberattack on a power grid, the conversation became prickly. Johnson began by enumerating the various federal departments and agencies that would be involved in a response: the Department of Defense, the Department of Energy, the National Guard, FEMA. “First thing I would have to do as secretary is look to our federal emergency response experts in FEMA.”

  What Johnson had done, I pointed out, was name the component parts of the various agencies he would assemble. “Is there,” I wondered, “a plan that you’re familiar with for what you would do?”

  “Well, like I’ve said, I would know who to go to, to get my plan on a moment’s notice.”

  “And that’s not something you think you might need to know about beforehand?”

  “Look, Ted, I hope this is not a memory quiz. I’m sure that in the course of my intensive briefings coming into office I have been given awareness of a contingency plan in the event of a large-scale loss of power. It may even be sitting up there among those white books.”

  It was not an unreasonable position. Johnson heads the third-largest federal department, behind only the Department of Defense and the Veterans Administration. He has a staff of approximately 240,000. He cannot be expected to be intimately familiar with every problem confronting his department. Still, Johnson was not shy about appearing on the Sunday talk shows in February 2015 to reassure the public after an ISIS threat to attack shopping malls in the United States. When a rumor surfaced that ISIS might use the Ebola virus against the United States, Johnson addressed the threat publicly. The secretary had already acknowledged the potential impact of a cyberattack on a power grid as “devastating.” But he was clearly unfamiliar with what his department might do in the wake of such an attack. In any event, it was worth giving the issue another try, I thought.

  “Just help me understand a little bit,” I asked. “I’m sitting at home. My power has gone out. The water’s not working. The toilet’s not flushing and the refrigerator and the freezer are starting to leak. Where and how am I getting my information? From whom? And what are they communicating?”

  Tanya Bradsher, the assistant secretary for public affairs, began to answer, but Johnson had clearly had enough.

  “Wait, wait, wait, wait! Hold on before you answer that! At some point, this is on the individual member of the public to do a little bit to plan for that contingency. So if in your hypothetical you lose power completely—I mean, this is not modern learning here. This is 1960s learning. You lost power completely, you ought to have, you gotta have a radio. That’s not a revelation.”

  The revelation, I pointed out, would be the duration and scope of the crisis. We’re talking about something that could theoretically affect millions of people over a period of several weeks.

  “But in the immediate aftermath,” Johnson countered.

  “Fine,” I said. “I’m OK for two or three days.”

  “Maybe my nineteen-year-old wouldn’t know how to do this, but I could, in the dark, find my battery-powered radio so I could find a radio station somewhere that works.”

  We had squared the circle. It seemed pointless to ask just what information would be conveyed on the radio. There is a clear reluctance to accept the proposition that a cyberattack disabling all or part of a power grid is any different from a blizzard. “We had Snowmageddon,” said Bradsher, referring to a blizzard in February 2010, “and we got through it. We got through Snowmageddon.”

  Suzanne Spaulding, the undersecretary, tried to rescue the conversation, acknowledging that, depending on the scale, a cyberattack could lead to an extended, very challenging period. She enumerated some of the steps taken in the wake of Superstorm Sandy: bringing in generators and fuel, setting up shelters to provide heat and power. “Again,” she conceded, “it would be a significant challenge.”

  I ventured one final approach to the secretary, who was clearly ready to end the interview: is there not some value to getting a message out beforehand on what to do beyond the first two or three days?

  “I suspect there is a message that is out,” he said. “It’s just very few people are actually paying attention to it.”

  When Caitlin Durkovich joined the conversation again, it was clear that we had been engaging in a dialogue of the deaf. The scenario I was describing, she told me, has a relatively low probability of occurrence. Not to worry.

  In successive State of the Union addresses President Obama has warned of the danger of cyberattacks on our infrastructure. Government is adapting to the “new normal” of daily hacking, and cyber specialists such as Richard Clarke and George Cotter, who held senior government posts, have explained that the Russians and the Chinese are almost certainly inside the grid, mapping its vulnerabilities. Keith Alexander and Howard Schmidt warn that independent actors will soon have the capability to damage the grid, if they don’t have it already. If nothing else, the United States demonstrated with Stuxnet what a carefully planned cyberattack can do to the most securely defended equipment. Still, senior officials at the Department of Homeland Security, including the current secretary, treat the likelihood of a crippling attack on one of the nation’s power grids as nothing more than a speculative threat, and an unlikely one at that. We are, as Tom Ridge put it, a reactive society.

  —

  There are plans. Of course there are plans—dozens of them, possibly hundreds.

  As we’ve seen, for all the warnings from within the government and from high-ranking members of the military and intelligence establishments, and despite the known vulnerabilities of the transformers critical to the viability of the grid, there remains a determination within the power industry and among some government officials to stress the grid’s resilience. They invariably cite as evidence the manner in which electric power has been restored in the wake of one natural disaster after another. Absent a crippling example to the contrary, the presumed consequences of a cyberattack on a power grid are bundled into the same general category as blizzards, floods, hurricanes, and earthquakes.

  On one level, this is understandable and even prudent. Experience is a more compelling instructor than speculation. Indeed, negative experience, such as that accumulated by the Federal Emergency Management Agency during the aftermath of Hurricane Katrina in New Orleans, can be especially instructive. FEMA is a far better-led organization today than it was in 2005. That’s the good news. FEMA is, after all, the agency within the Department of Homeland Security that will bear the heaviest and most immediate burden of recovery, no matter what happens or why. A cyberattack may be different from anything FEMA has previously dealt with, but it is not unreasonable for the agency to focus on the experience it has gained from natural disasters.

 
