Cyber hacking the energy grid: Putting threats in context

In isolation, a July 23, 2018, report citing Homeland Security officials stating that Russian hackers have conducted hundreds of attacks against the United Stated electrical grid would be cause for alarm. In the echo chamber that has come to stand for news reporting, multiple news outlets are reporting on the same issue this week, all citing the same reporter. Given the continuing controversy surrounding the 2016 elections, adding the words “cyber” and “Russia” to a news article brings the equivalent of a four-alarm blast. Context is needed.

{mosads}In March 2018, the Trump administration blamed the Russian government for a campaign of cyber attacks going back at least two years that targeted the U.S. power grid, marking the first time the United States publicly accused Russia of hacking into American energy infrastructure. The administration stated that beginning in March 2016 through 2017, Russian government hackers sought to penetrate U.S. critical infrastructure sectors, including energy, nuclear, commercial facilities, water, aviation and manufacturing, according to a U.S. security alert published that month.

The Department of Homeland Security and FBI said then that a “multi-stage intrusion campaign by Russian government cyber actors” had targeted the networks of small commercial facilities “where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.” The alert did not name facilities or companies targeted.

Four months later, Homeland Security officials are once again briefing the Russians’ hacking into our electrical grid, and the damage that could be caused. No new blackouts, denial of services, or specific intrusions are reported, just the same call for concern.

Of course, that our nation faces cyber threats is not a point for debate. However, stoking fear — without context — does a disservice. Hysteria about our nation’s capabilities and capacity to handle threats is an old one: the bomber gap, the missile gap, mobile nuclear weapons launchers, weapons of mass destruction, weaponizing space. Past being prologue, caution and judicious exploration of facts and balancing risks and costs should be next steps, not simply repeating press releases.

In short, cybersecurity policy should be based on real evidence and on cost-benefit analysis.

There is good news. In May 2018, according to an updated cybersecurity strategy, the Department of Homeland Security plans to take a more robust approach to cybersecurity.The cybersecurity strategy formalizes a plan for the department to share cybersecurity tools directly with industry, especially critical infrastructure sectors. The strategy also stresses a “risk based” and “cost effective” approach to cybersecurity. That includes identifying the government computer systems and data sets that cyber criminals and adversary governments are most likely to try to hack into and “prioritizing protections around those systems,” the strategy states. A sober rational approach to developing policy and action is encouraging.

In June 2018, the Senate confirmed Christopher Krebs, President Trump’s choice to lead the Department of Homeland Security’s cyber and infrastructure protection unit. Going forward, Under Secretary Krebs will be responsible for overseeing the security of federal civilian networks and spearheading the federal government’s efforts to protect critical infrastructure from cyber and physical threats.

Sadly, much of the fear mongering over cyber threats appears as an attempt to get entities to invest more money into combatting cyber challenges without context. A vast body of work exists that argues for private sector solutions to cyber intrusions of industry or utilities based on realistic probabilities and cost benefit analyses. Articles reporting both perspectives of the cyber issue, without simply magnifying clickbait doomsday scenarios, would be a welcome change. 

Gregory T. Kiley is a former senior professional staff member of the Senate Armed Services Committee and U.S. Air Force Officer.