The Days After a Cyberattack Strikes the U.S. Power Grid
In his new book, Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath, ABC News veteran Ted Koppel concludes that America’s dependence on internet-connected critical infrastructure systems is making it increasingly vulnerable to a devastating cyberattack, and that the nation is completely unprepared for the aftermath of any such attack. The cover depicts America at night but with the eastern half of the country in darkness, evoking the memorable contrast of real-life nighttime images of the Korean peninsula. Indeed, after a clichéd opening describing the United States in a North Korea–like state (the first sentence of the book is “Darkness.”), the first chapter arrives at the focus of Koppel’s study: the centrality of the electrical grid in the United States, and what would happen if it went offline for an extended period of time, particularly as the result of a cyberattack.
After developing his cyberattack premise, Koppel then bizarrely teases readers with sparse details of other potential grid vulnerabilities of equal or greater interest, briefly acknowledging their existence before moving on with his argument. The second chapter of the first section, “AK-47s and EMPs,” details how electromagnetic pulse (EMP) attacks could be used to neutralize not only the power grid, but all electronics across the country. Without much further examination, Koppel leaves readers to ponder the somber conclusions of a 2008 congressional report on the EMP threat—namely, the forecast of a 90 percent population reduction.
The chapter also details one concerning incident in 2013, in which a power substation in California was physically infiltrated and taken offline in a coordinated attack by individuals armed with assault rifles. While the attack did not prove fatal or cause a widespread power outage, it highlighted the vulnerability of the grid to physical attack and the need for increased physical security at critical sites. Given the ease with which the tools used in this attack can be acquired in the United States, this threat merits much more in-depth discussion, but Koppel largely glosses over its significance in this chapter.
The opening section of Koppel’s work should invite readers to take it with a hefty grain of salt. Koppel is confident in claiming that an expanding field of actors could potentially execute a debilitating cyberattack on the grid, though he offers scant specifics as to their identities and potential motives. Over the course of the book, the national security experts he consults name a few state-level actors (namely Russia, China and Iran) that have a history of penetrating and conducting surveillance on critical infrastructure networks.
But Koppel argues that non-state actors are much more dangerous, given their relative anonymity and the difficulty of retaliating against them. The problem with introducing non-state actors to the discussion is that very few, if any, non-state actors have either the capability or motive to pull off an effective cyberattack on the entire U.S. electrical grid. Successfully executing a cyberattack of that scale requires a large team of experienced hackers, a sophisticated infrastructure and considerable time spent researching and mapping the grid networks. The world awaits evidence that any non-state actors currently possess these capabilities.
Of course, Koppel is seeking to profit from sales of the book, which is much more a work of popular journalism than an academic discussion. He can therefore be forgiven a bit of alarmism and the omission of technical details pertaining to the electrical grid’s security. But it is important to maintain a realistic view of the grid’s vulnerabilities and the desire of malicious actors to exploit them. Both state and non-state actors who may be able to neutralize the U.S. electrical grid rationally understand that such an attack would have global repercussions. Severing the single largest economy from the rest of the world would prove devastating for all but the most isolated corners of the globe. Global trade, travel and communication would be thrown into chaos as the Internet, which relies heavily on extensive physical infrastructure in the United States, ground to a halt.
Even criminal syndicates with advanced computing knowledge—the only feasible non-state actors to whom Koppel could be referring—would be extremely reluctant to conduct such an attack, given their preference for profiting from the exploitation of Internet banking and credit systems. Thus, assuming that such groups are rational actors, the obvious disincentives of such drastic action vastly outweigh any potential benefits to the attackers, except perhaps in the most extreme total-war scenarios. Koppel also neglects to mention the rising number of industry professionals who are training and earning certifications in the best security skills and practices for avoiding such unlikely scenarios.
Those caveats aside, a number of overarching themes in Lights Out are valuable contributions to the discussion. For example, the book highlights American aversion to both proactive policy and government overreach, while searching for a feasible middle ground between the two. Koppel expresses frustration with Washington and the policy process throughout the book, chronicling the stagnancy of legislation that could impose stricter security requirements on the private companies administering the electrical grid.