Ted Koppel: Apocalypse likely
“I didn’t traffic in hysteria then, and I’m not starting now,” he says in a promotional video for his new book, “Lights Out.”
“But the Internet can be used as a weapon of mass destruction, and our electric power grids are a target – that’s a fact,” he says.
[ ALSO ON CSO: Read our Q&A with Ted Koppel on his book ]
Those facts, however, won’t end the ongoing debate within the cybersecurity community about whether, as Koppel’s book asserts, an attack on the U.S. power grid could take a portion of it down for months or even a year or more, affecting tens of millions of people. It will probably amplify it, which could be a good thing.
Indeed, “Lights Out” could be viewed as a prescient warning of a coming cyber apocalypse for which the nation is totally unprepared. Or, it could be viewed as peddling FUD – fear, uncertainty and doubt – about a catastrophe that is technically possible but highly unlikely.
Whatever the view of its conclusions, “Lights Out” is a good read – well organized, well told, as light on jargon and acronyms as is possible in an industry swimming in them, and heavier on the kinds of personal anecdotes that make a complex subject accessible to the masses.
And the fact that he is the one telling it is significant. Former defense secretary Leon Panetta, former National Security Agency (NSA) head Keith Alexander and other top government officials have been issuing similar warnings for close to a decade, using loaded terms like “cyber Pearl Harbor.”
But, as Koppel notes in the book and in numerous interviews, those warnings have gotten barely a mention from the mainstream media. Perhaps the star power of a celebrity journalist – even a retired one – will change that.
So the scenario presented is not new, although Koppel adds considerable, and disturbing, details. They include:
- Such an attack on the U.S. power grid is inevitable. Hostile nation states are already on the inside of the grid, and the generators, transformers and other equipment that operate the system are in many cases 30 to 40 years old and were never designed to be networked with one another or connected to the Internet.
- An attack could take down enough of the grid to leave as much as a third of the country without power for months or even a year.
- If the power is down for months, nine out of 10 people in the affected areas would die due to starvation, disease and societal breakdown.
[ ALSO ON CSO: Are vendors on the wrong path where smart plant security is concerned ]
- It would be essentially impossible to respond to such an attack, since attribution is so difficult. Hence, this is not like the nuclear “balance of terror,” where the origination of an attack would be obvious. That makes an attack more likely, especially from hostile nation states like Iran and North Korea, which care little about world stability.
Koppel takes pains to point out that this scenario is not coming from his fevered imagination – it comes from officials at the highest government levels – defense, homeland security, U.S. Cyber Command, the CIA and FBI.
He notes that 10 former senior top officials sent a secret letter to a congressional committee in 2010 saying that a cyberattack on the grid could leave tens of millions of people without power for up to two years.
Still, that exposes a hole in his reporting. Yes, it is important to talk with the heads of agencies and the CEOs of companies, but on a topic like this, he also needed to hear from CSOs, CISOs, CTOs, penetration testers, white-hat hackers and others who work the front lines of cybersecurity. Voices like that are missing.
And that, according to Gary McGraw, CTO of Cigital, means that Koppel, “has jumped on the cyber FUD bandwagon (led by) cyber warmongers. We must do all we can to build security into all modern systems,” he said, “but the sky is not falling.”
Gary McGraw, CTO of Cigital
Bruce Schneier, author, encryption guru and CTO of Resilient Systems, said flatly that Koppel is, “stoking hysteria. I haven't read the book, but my guess is that he's interpreting the parts of the scenario he doesn't understand in the worst possible light.”
Jon Heimerl, senior security strategist for Solutionary, is a bit more tempered. He agrees that damage from an attack would be significant. “People would be affected, and lives would be lost. There would be rioting and civil unrest,” he said. “But would it be ‘The End of The World as We Know It’ Simply put, no.”
Koppel insists that the risk is real – he notes that former Homeland Security secretary Janet Napolitano put it at greater than 80 percent, and that NSA director, Admiral Mike Rogers, said just recently that a major cyberattack on U.S. infrastructure is “inevitable.”
The inevitable result of a loss of power that goes on for more than a couple of weeks, he writes, will be thousands of deaths – from starvation, disease and societal breakdown – because government has no plan to respond it.
He writes that while there are plenty of government plans to respond to natural disasters, there is no apparent plan for the aftermath of a catastrophic cyberattack – no long-term storehouses of food and water, no way to provide lights, heat, sewer and medical services in a dense metropolitan area like New York City.
In an interview, current secretary of Homeland Security, Jeh Johnson insisted there was a plan, but didn’t know where it was, and recommended that people make sure they have a battery powered radio.
Heimerl said that doesn’t prove anything, and contends there are plans in place to deal with a grid failure. “Parts of the power grid can be run by less automated controls or some of the grid could be restored manually,” he said.
Still, the Johnson interview was enough to send Koppel on a journey, mostly in the West, to talk with “preppers” – those who prepare for the worst with everything from “bug-out kits” designed for surviving the first two or three days of a disaster, to spending hundreds of thousands of dollars on outfitting property with buildings, solar panels, cesspools, wells, generators, weapons, ammunition and root cellars for long-term storage.
He spent several days observing the way Mormons have been organized for decades to survive a major catastrophic event.
And he noted that for those who can afford it, there is even a decommissioned missile silo in Kansas, converted into luxury underground condos for $1.5 million to $3 million, which includes five years worth of freeze-dried and dehydrated food.
Koppel may indeed be listening only to those who exaggerate the threat. But worst-case scenarios, if they prompt greater efforts to avoid them, can be very useful.
Or, as Carl Wright, general manager of TrapX Security, puts it, “Power plants and our energy grid remain high-risk targets.
“It is imperative that we find new and innovative ways to detect adversaries early, mitigate the effects and then defeat them.”