fbinaa_May-June-2019.FINAL

continued from "Cyber War & the "Power Grid Apocalypse page 13

I n a 2012, a panel of experts convened by the National Research Council issued a report on Terrorism and the Electric Power Delivery System. It said quite bluntly: It is not hard to imagine the cascading consequences of such an extended disruption: (1) the loss of the provision of health care, home heating, air conditioning, schools, employ- ment circumstances public safety; (2) the loss of the ability to communicate by landline, the internet, cellphones; (3) the complete disruption of the region or country’s micro- and macro- financial systems like electronic bill payment; electronic money transfers between individuals and businesses as well as the complete shutdown of the banking system; the stock market; the Federal Reserve. The NRC report captures this impact well: “… it is no stretch of the imagination to think that such attacks could entail costs of hundreds of billions of dollars – that is, perhaps as much as a few percent of the U.S. gross domestic product...” In fact, the plausibility of such an attack is not hypothetical. Reports suggest that Russia may be laying the groundwork for a cyberattack on the U.S. infrastructure via the Dragonfly 2.0 hackers. In November, 2014, Admiral Michael Rogers, the National Security Agency head, testified before Congress that China and one or two other countries had the capability of mounting cyberattacks that would shut down the electric grid in the United States. And, most recently, the controversial president of Venezue- la, Nicolas Maduro claimed that the United State was responsible for a cyberattack that caused a five-day national blackout amidst political turmoil. One respected expert said in Forbes that such a cyberattack by the United States was “actually quite realistic.” (The U.S. denied any involvement in the blackout.) Correctly, private industry and the federal government have paid a good bit of attention to improving cybersecurity over the last several years. The U.S. Cyber Command, the NSA and the Department of Energy among others have ramped up their efforts in this area. Better preventative measures by the government and industry will lower risks but no one believes such measures are the perfect solution. For example, some have suggested that the cyberattacks that crippled power distribution centers in Ivano-Frankivsk region of Western Ukraine in 2015 preyed on systems that “were surprisingly more secure than an apocalypse - it can rain down on a state or region, makes it a state and local law enforcement issue of epic propor- tions. It requires anticipation and plan- ning beyond that which has been done for extreme weather and other disasters. At first blush, the phenomenon of cyber- attacks seems like a national and interna- tional problem. The extreme disaster –

some in the US, since they were well-segmented from the control center business networks with robust firewalls.” Federal Prosecutors and the FBI have also focused more significant attention to the discovery of the culprits and on pros- ecution of cyber attacks. For example, the recent indictments by Special Counsel Robert Mueller’s prosecutors of individuals and companies in St. Petersburg, Russia reflect the increasing sophistication of the Justice Department and others to identify and charge culprits. But, in the end, those are name-and-shame indictments only. Evidence collection and extradition problems are only the beginning of the issues confronting any real effort to create a deterrent effect using the criminal justice system. What’s more, governmental efforts to deter state-sponsored cyberattacks have foundered on the mere symbolic value of sanctions and what may well be evidence of lack of under- standing of when a cyberattack counts as an act of war. I have suggested elsewhere that the rules for when a cyberattack is worthy of a military-like or other powerful response by the U.S. are so undeveloped that we may well be in a state of operational paralysis. The answer, then, does not involve focusing solely on solu- tions like the above as, to say the least, they are imperfect. We must pay critical attention at the state and local levels to prepa- ration for what I have chosen to over-dramatize as the “power grid” apocalypse. A power-grid-apocalypse planning is related to but pro- foundly different than the other types of disaster. Emergency preparedness for a nuclear disaster in those regions of the coun- try with nuclear power plants focuses on evacuation planning and on mechanisms for managing what might be catastrophic death tolls, to name the most obvious concerns. The focus would be less on infrastructure repair than on survival efforts. Law enforcement has an important role in each of these, particularly because of the event’s unexpectedness. In a disaster involving flooding, anticipation is often as important as mid- and post-event management planning. All involve evacuations and rescues as well as potentially broad infrastructure repair after the fact. The same is also true for other extreme weather events like hurricanes or tornadoes. And, ice-storm disasters, while to some extent predictable in the short term, bring a particular type of utility-focused infrastructure problems to be managed in a version of a public-private partner- ship. The power-grid apocalypse is different. A region-wide, intentional and systematic effort to disable power grids has the potential to be a longer -lasting event than an extreme weather event. It presents a more comprehensive disabling of infrastruc- ture of all sorts as described above. Depending on the geograph- ic extent of the power-grid apocalypse, evacuation becomes quite difficult. A Lloyds of London modeling of the disabling of the power grid in 15 states on the eastern seaboard, including New York City and Washington, D.C., suggests that such an event might leave 93 million customers without power. Evacuation on that scale is more than a bit challenging, if even possible. The ability of utility companies to repair transformers or other aspects of the disabled infrastructure would be seriously

continued on page 22

14 F B I N A A . O R G | M A Y / J U N E 2 0 1 9