Features
Robert Giroux/Getty Images

The next security threat

National Security | Hackers who turn out the lights and terrorists who knock down the internet are just a few cyber-attack scenarios federal officials must contemplate

Issue: "On the road again," May 9, 2009

The largest blackout in U.S. history happened in the late summer of 2003, when 50 million residents of eight northeastern states and Canada found their electricity dead on an August afternoon. The outage cost $6 billion and was collectively blamed on overgrown trees, a common computer virus, and an odd cascading effect in the electric grid that shut down dozens of power plants from Ohio to New York.

Tim Bennett, a cybersecurity expert, last year told National Journal there was more to the story: U.S. intelligence officials had confided to him a hacker working for China's People's Liberation Army had tapped into an online power control network serving the Northeast. A spring 2008 blackout also had been traced to China, Bennett said. Then, this month, charges of a similar nature were leaked: An unidentified U.S. intelligence source told The Wall Street Journal that foreign spies had hacked into a U.S. power grid and left behind malicious software.

These allegations haven't been officially verified, but they worry insiders to the world of cybersecurity. Nearly 70,000 infiltrations of U.S. government and private networks occurred in fiscal 2008, whether by foreign agents, pranksters, or serious hackers hoping to sell sensitive information. Experts warn that a government or a terrorist group could try to amplify the effects of a physical attack by disabling vital resources like electricity or water-placing a bull's-eye on utilities with online networks.

We see you’ve been enjoying the content on our exclusive member website. Ready to get unlimited access to all of WORLD’s member content?
Get your risk-free, 30-Day FREE Trial Membership right now.
(Don’t worry. It only takes a sec—and you don’t have to give us payment information right now.)

Get your risk-free, 30-Day FREE Trial Membership right now.

With the security of such U.S. infrastructure in question, the federal government is considering shifting its weight to oversee what private utilities might not. President Barack Obama commissioned a review of cybersecurity in February. Once findings are in, the president is likely to take steps to improve security through executive action, or he could decide to let Congress take the lead.

Legislation has already been drafted in the Senate. The Cybersecurity Act of 2009, introduced April 1 by Sen. John D. Rockefeller IV, D-W.Va., and Sen. Olympia J. Snowe, R-Maine, is intended to drastically restructure government's role in defending the United States from cyberattacks. A pair of bills would create a powerful cybersecurity office in the White House-centralizing authority now shared by separate agencies-and increase federal regulation of the private sector by establishing security standards for businesses.

The legislation was a result of recommendations from cybersecurity professionals, intelligence officials, and think tanks-one of which was the Center for Strategic and International Studies (CSIS), a public policy institution whose report on U.S. cybersecurity encouraged giving the White House coordinative power, and not leaving the defense of commercial networks to the private sector.

James Lewis, the CSIS senior fellow who oversaw the report, told WORLD he's pleased with the legislation overall. But he has reservations about a provision that gives the president authority to shut down the networks of private utilities during an emergency: "Say there was an electrical utility whose network was infected and it threatened to crash the entire electrical grid in a region. Then the president would have the ability to say to that utility, 'You have to go offline until things are better.'"

Like Lewis, Greg Nojeim of the Center for Democracy and Technology believes such authority is a major step in terms of federal oversight. But Nojeim is also critical of sections of the Act that challenge the privacy rights of internet and telephone users by allowing federal cybersecurity monitoring to override existing privacy laws. He thinks a government role is necessary, but he hopes other, less top-heavy proposals by Congress or the White House with shared responsibilities: "I don't think that either one acting alone could be as effective as the private and public sectors acting together."

Wastewater management companies and electric and gas providers use the convenience of "control systems" technology to remotely activate valves, circuits, and switches.

Convenience, though, sometimes translates into vulnerability: In 2000, a computer technician in Australia who had lost a city contract took revenge by wirelessly tapping into the city's water control systems at least 46 times and releasing hundreds of thousands of gallons of untreated sewage into rivers and public areas. In 2006, the operators of the Browns Ferry nuclear plant in Alabama lost control of pumps in a reactor because of a computer glitch (the plant was shut down before safety was compromised). In a 2007 Department of Homeland Security experiment, an overheated green diesel generator smoked and shook while following remotely issued orders.

Those cases may only be the tip of an iceberg. Joseph Weiss, a control systems expert who testified before Rockefeller's Commerce Committee prior to the introduction of the Cybersecurity Act, told WORLD he had documented over 125 control system "incidents"-a term that can mean anything from a computer malfunction to a possible cyber intrusion. Weiss said most are kept quiet because utilities don't want attention aimed at them, and few regulations are in place to force companies to report cyber mishaps (five U.S. water and electric utilities I contacted either didn't return calls or responded that it was their policy not to discuss security issues).

Comments

You must be a WORLD member to post comments.

    Keep Reading