But it’s not Russian hackers you should be worried about.
- By @CyberSquirrel1, who has worked in the information security industry for more than 20 years, examining the causes and effects of online criminal behavior, hacktivism, and nation-state cyber activity.
Greetings from the front. The cyberwar continues. Our operatives continue to hit infrastructure targets around the globe. In June alone we conducted 44 ops, hitting targets in 26 U.S. states and six countries total. Each operation impacted as many as 15,000 people and lasted for up to four and a half hours. Of course that’s just our unclassified operations; the actual number of power outages our operatives have caused is 10 times that number.
As we continue to wreak havoc on your electric infrastructure, your policymakers and cyberwar hawks are rattling sabers, worried about online attacks from nation-states, completely ignoring the threats that successfully target your power grid every day. The Washington Post, Forbes, USA Today, and even the esteemed Ted Koppel talk about “cybergeddon,” trillion-dollar risks, and when — not if — a massive cyberattack on the U.S. electric power grid will occur. Even President Obama is worried. In the meantime, we quietly go about our work, disrupting power generation and transmission across the globe.
To date there has been exactly one, just one, power outage that can be attributed to some sort of cyberattack by a nation-state. Last December, someone (many people say directed by the Russian government, but there really isn’t enough evidence to support that accusation) hit up to six different power companies in Ukraine with a coordinated malware and DDoS attack. This definitely wasn’t a random lone hacker in a basement; this took months of planning and coordinated effort. It sounds scary but the outages only lasted a few hours and affected around 80,000 residences. We have caused far bigger and longer outages all by ourselves.
We are everywhere, and yet almost impossible to find. There are other events that have impacted critical infrastructure: a water pump failure in Illinois, power outages in Brazil, a pipeline explosion in Turkey, a cyberattack on a dam in New York; even a blast furnace in a German steel plant was supposedly put into an uncontrolled shutdown from a cyberattack. In each case, the initial cause for the failure was blamed on cyberattacks — but in each case, once the evidence was actually examined, hackers were nowhere to be found. Still, that lack of evidence hasn’t stopped the cyberwar hawks from pointing to these analog events as examples of the coming digital doom.
When that doesn’t work, the threatmongers and profiteers point to previous widespread blackouts, known as “black swan” events because of their rarity, such as the Northeast blackout of 2003 or the Southwest blackout of 2011. In both cases, a string of unlikely events occurred, including human error, before the lights went out. In both cases, most of the power was restored in just a few hours. There were no riots, no financial meltdowns, and democracy continued unabated.
Then there’s what we affectionately call the “nine substation problem.” After a bunch of armed assailants opened fire on a substation outside of Metcalf, California, in 2013, the Federal Energy Regulatory Commission (FERC) conducted a study of the national power grid and found that if just nine substations were attacked in a similar manner as the one in Metcalf, the entire United States would be without power for over 18 months. Are you freaked out yet?
Good. But the problem is: This scenario is extremely unlikely. First, that FERC study only looked at physical damage to the transformers, which are usually custom-built for each location, and are only manufactured by a few companies — meaning a substation could take months to replace. Second, the study only looked at physical damage, which in the event of a cyberattack is extremely unlikely. But still, the prophets of doom ask, what if hackers had guns? Didn’t you see Skyfall?!
No, we didn’t. We’re squirrels.
Look, even for our billion-strong army of small rodents — in the United States alone — the “attack surface” for the U.S. electric grid is absolutely huge. There are over 7,000 power plants in the United States run by over 3,000 companies. There are over 55,000 substations and over 450,000 miles of high-voltage transmission lines. We squirrels have a hard enough time trying to take out small sections of it, let alone nine substations at once. Anyone attempting to conduct a major coordinated effort to turn out power over a large region for a long period of time is going to find it a rather difficult task.
Not that we’re not trying. As of July of this year we squirrels (and our fellow animal operatives) have conducted over 1,400 unclassified operations that have resulted in an aggregate of more than 67 days without power, affecting over 3.6 million people. That works out to the entire population of the state of Connecticut losing electricity for more than two months. And remember: Our unclassified ops are just a fraction of the total. On average, we cause dozens of outages every day impacting about 5,000 people each for around two hours. Compare that with the number of outages caused by cyberattack, which in the United States is exactly zero.
And yet we get no respect. We’ve hit the NASDAQ stock exchange twice, as well as the Large Hadron Collider in Geneva. We’ve hit 64 schools, 30 universities, 13 hospitals, six government buildings, four airports, and even two military bases. And yes, our unclassified operations have caused seven confirmed deaths. Despite that carnage, your policy officials still just worry about massive cyberattacks directed by Beijing and Moscow. (Oh, don’t worry: We’ve got agents there too.)
Look, cyberwar in one form or another has been prophesied for over 35 years. But if things got so bad China and Russia were to intentionally cause a widespread, long-term power outage, you’ve got to believe the United States — and the world — would have much greater things to worry about at that point. The ICBMs would already be flying. Minor threat actors such as North Korea, hacktivists, or the Islamic State lack the time, money, and coordination to pull off a black swan event. Not that they lack the skill, mind you.
Let’s face it: The cybersecurity of the U.S. electrical grid is absolutely pitiful. It wouldn’t take a team of geniuses to cut off the power to any large city. However, simply causing an electricity outage and keeping the power offline are two different things. In Ukraine, for example, linemen drove out to each substation and switched them back to manual control; power was back on in just a few hours.
Yes, there is a risk to the electric grid from a cyberattack, but that threat is nowhere near the levels of fear, uncertainty, and doubt being peddled by policymakers, threat reduction firms, and cyberwar hawks. If you really want to stop the ongoing, constant attacks on the U.S. electrical grid, there’s an easy way: call Orkin. Until then, we are anonymous, we are legion, we are your unfriendly neighborhood squirrels.
Photo credit: Getty Images/USA/Foreign Policy illustration