Despite pouring resources into infrastructure security, the United States lacks a "chain of command" for dealing with a major cyberattack on the power grid, according to former Defense Secretary Robert Gates.
"We as a government have technical capabilities that can help defend this country and the infrastructure," Gates said Friday at an event hosted by the Siebel Scholars Foundation. "The problem is, politically and bureaucratically, we are completely wrapped around the axle in terms of authorities."
Gates alluded to various critical infrastructure security programs at the Department of Homeland Security, National Security Agency and Department of Energy, the lead organization for helping privately owned utilities head off threats from hackers. In 2015, U.S. lawmakers broadened the secretary of Energy's ability to respond to emergencies such as a major cyberattack on the grid, though DOE has not yet settled how it will act on its new authority (Energywire, Feb. 8).
"It's not like people have been neglecting the problem," said Gates, who became chancellor at the College of William & Mary after leaving the Department of Defense in 2011. But he added that "as somebody who spent 50 years in the bureaucracy, when you have that many commissions and committees and groups, the question is: Who's in charge?"
Gates' comments kicked off a weekend of grid cybersecurity programming for alumni of the Siebel Scholars program, funded by technology industry billionaire Thomas Siebel. The goal was to encourage scholars, most of whom had no background in computer science, to consider new approaches to an issue that one cybersecurity executive called a "slow-moving train wreck."
"The United States is probably the hardest country in the world to defend in cyberspace," said Liam O'Murchu, director of security technology and response at software giant Symantec Corp., citing the huge amount of internet-connected — and potentially hackable — technologies here.
O'Murchu, who played a central role in unmasking the Stuxnet malware that damaged Iranian nuclear centrifuges in 2010, said Saturday he's seen evidence of state-sponsored hackers "scoping out" critical infrastructure networks in America. But he suggested attackers might not risk pulling the trigger unless their governments are locked in a physical conflict with the United States elsewhere.
If hackers did cause a power outage, experts and government officials agreed the private sector would need to play a central role in recovery. The bulk of the U.S. grid is owned and operated by private utilities.
"People have the mistaken notion that government is going to come in and solve the problems when there's this grid outage," said Douglas Maughan, director of the cybersecurity division in the Homeland Security Advanced Research Projects Agency. Maughan's office, part of the Department of Homeland Security's Science and Technology Directorate, funds promising technical solutions to the grid cybersecurity problem and other homeland security challenges.
"We need to make sure we have those lanes better defined, and maybe [make] more information available" about how the public and private sectors would coordinate in an emergency, Maughan said.
'How bad could it be?'
Several speakers at the conference tamped down fears that a nationwide blackout was imminent, whether through hackers disabling key networks or physical attackers targeting large power transformers at major substations.
Retired Gen. Michael Hayden, who formerly headed the NSA and the CIA, said the grid security outlook is "probably not quite as apocalyptic as some might think."
He pointed out that large electric utilities already deal with massive outages caused by hurricanes. "This is one industry that actually does more than tabletop [exercises] when it comes to, 'What do we do if that happens?'" he said.
Still, Hayden also acknowledged that hackers pose a distinctly different threat compared with the weather. He pointed out that a draft executive order circulating in the Trump administration would direct DHS and a few other agencies to "actually assess the impact" of a grid cyberattack, answering the basic question, "How bad could it be?"
In his comments Friday, former Defense Secretary Gates cited another pressing question surrounding grid cybersecurity: When would the U.S. military have to respond to an attack?
"I suspect [officials] are no closer to an answer to that question today than they were when I asked it 10 years ago: What kind of a cyberattack constitutes an act of war?" Gates said. "My guess is, you end up where the Supreme Court did in defining obscenity — 'You'll know it when you see it.' I don't think that's a legal answer."