The rousing report out of Mandiant about Chinese internet exploitation focused primarily on the widespread, systematic, state-sponsored thievery of proprietary data.
What it also mentioned (almost in passing) was the penetration of American energy structures, what most people call “critical infrastructure.” Exploiting the aging electrical grid, in a cyber-military strike, has been a growing concern of planners in the U.S. Government.
Yet hackers don’t normally headline talk of aging grids.
Usually talk of electrical Weapons of Mass Destruction is accompanied with conjecture about space-bound nuclear bombs and their theoretical electromagnetic pulse (EMP) — a shockwave that knocks out circuits, transformers and just about anything requiring electricity.
Newt Gingrich’s grave EMP assertions during the Republican primaries (famously couched with punchlines about “Moon bases”) immediately met with criticism from experts in the defense community. Such a projectile would be detected and shot out of the air, or space, they said.
Late last year we covered how Boeing had developed an EMP missile, capable of flying over a city and permanently zapping its electrical structure. While that might not be the most likely candidate for an assault on the American grid, it further legitimized electrical grids as potential targets.
It seemed like loss of proprietary, corporate information trumped the news headlines, but the Mandiant report also showed that it’s not EMPs which truly threaten America’s grid.
It’s software exploits, particularly from the Chinese military.
A Department of Homeland Security official told the WSJ in 2010 that network inspections had “found software tools left behind that could be used to destroy infrastructure components,” following hacks from Russia and China.
Russia and China of course denied the reports.
“It’s like (improvised explosive devices) in Iraq. Bomb makers have certain signatures, and looking at a bomb, you can tell who and where that signature comes from,” said David Lacquement, a cyber security expert with Science Applications International Corporation, and formerly the Army general in charge of operations for U.S. Cyber Command.
Lacquement said that the ability to execute ‘kinetic’ cyber operations to destroy real world targets is already well established (See also: Stuxnet). Experts say syncing those actions up with other external forces — an invading army, or more likely, a hurricane — would have catastrophic effects.
“These (cyber capabilities) are not in the realm of make believe, they are reality,” said Lacquement.
The Northeast Blackout of 2003 was the result of a “software glitch” — essentially a bug in the system — that sent a 3,500 MW power surge out into the grid. Synchronizing many of those together, along several power hubs down the East Coast, would initially cause untold damage.
A 2010 report out of North American Electric Reliability Program listed ‘cyber attacks’ right along with nuclear explosions as a massive threat to existing structures.
From the report:
“The physical damage of certain system components (e.g. extra-high-voltage transformers) on a large scale, as could be effected by any of these threats, could result in prolonged outages as procurement cycles for these components range from months to years.”
Imagine the effects of Hurricane Sandy carried out into the realm of months instead of weeks — the result is apocalyptic. Loss of water pressure followed closely by total loss of water, loss of heat or air conditioning, spoiled food, and then in only a matter of time, little or no access to gasoline — these things conjure images better associated with the ’80s flick “Mad Max” than with reality.
President Obama recently announced a new public/private information sharing initiative, though it was barely audible above the deafening sound of Marco Rubio reaching for a water bottle.
If Americans don’t want to be fighting over water bottles though, action is needed to avoid catastrophe. Hopefully Mandiant’s report will act as a loudspeaker, turning Team Obama’s cyber security squeak into a shout, and opening the doors for more public conversation about these threats.