MADISON, Wis. -- A cyberattack taking down the nation's power grid could leave Americans scrambling to survive without electricity, potable water or working sewage systems, the commander of the Wisconsin National Guard warned, unless "gaps and seams" are filled in to mitigate the risk of catastrophe.
Maj. Gen. Donald Dunbar, who leads the state's emergency management efforts, addressed IT and business leaders at the Fusion 2016 CEO-CIO Symposium on Thursday. It was a sobering end to a gathering that highlighted the importance of strengthening bonds with customers through technology, but the message couldn't be more important, he said.
"Our entire society runs on power," Dunbar said. A prolonged outage due to a cyberattack on the power grid would have profound consequences. "I don't think I can truly measure in my head the impact."
Also the state's adviser on cybersecurity matters, Dunbar works with the CIO for the state of Wisconsin, David Cagigal, on emergency response efforts in the event of a cyberattack on the utility infrastructure in Wisconsin. One thing both men stressed: The government can't handle response efforts of such a scale alone. It needs to rely on a partnership with private-sector companies, such as telecoms and utility companies, to ensure people have access to basic services, Cagigal said. A big reason? The state doesn't own the lines that provide power to its citizens.
"We have a right to use the service and to pay the bills," Cagigal said. "But we can't control the resilience or the performance of those lines. We have to partner with them on a public-private basis."
In the dark
Dunbar referred to the 2015 book Lights Out by Ted Koppel. In it, the former anchor of ABC news program Nightline examined what could happen during a blackout lasting for weeks or months. He painted a nightmarish picture of unprepared authorities and a panicked populace without access to the electronic networks and devices they have come to rely on.
The book has its critics, including those in cybersecurity circles, who said the risks aren't nearly as severe as Koppel made them out to be. But Dunbar isn't taking any chances. In his view, we're ill-equipped as a society to roll back the clock and do things the way our ancestors did them, without smartphones, without the Internet, without electricity even.
"It would be a very complicated thing if it all failed," he said.
Sure, companies have generators, Dunbar said, but what happens when the diesel they run on runs out? Sure, they have contracts with suppliers, but those suppliers don't likely have enough trucks to keep up with the sheer number of orders for backup fuel -- to say nothing of the difficulty of getting fleets of diesel-bearing trucks on the road without functioning computers and dispatch capabilities. And then there are the thousands or even millions of people in cars fleeing unbearable conditions at home, clogging the roads and getting stranded without fuel.
The prospect of such an attack is real, Dunbar said. A December malware attack on Ukraine's power grid, which the U.S. Department of Energy blamed on Russia, caused widespread power outages in the country.
"That's a preview of a coming attraction," Cagigal said. "There's no reason that couldn't happen here."
On Thursday, the Justice Department blamed Iran for a 2013 cyberattack on a dam in the New York suburbs. Hackers got into the computer system that runs the dam, which is used for flood control, but no damage was done.
Preparing for the worst
In the event of a larger, coordinated cyberattack on the power grid, Cagigal said good communications and partnerships between federal, state and local governments and private companies are crucial to an effective response. Coordination with the transportation industry, for example, is needed so that trucks carrying supplies aren't stopped on the road by authorities after emergency laws kick in.
Ultimately, Cagigal said, the government and private sectors need to start thinking about a "plan C" -- though what that might look like is not yet known. Microgeneration, or the production of small-scale electric power using solar or wind energy, is a possible alternative to relying solely on the power grid, Cagigal said. Another is battery storage, a method of stowing away electrical energy that is drawing attention and investment in the U.S.
Cagigal has coordinated exercises between teams of cybersecurity professionals in Wisconsin, with roles of cyberattacker and defender. Another exercise -- this one involving five utility companies, plus AT&T and IBM -- is coming up. In the event of a blackout, real or simulated, getting the power back on is task No. 1. That's a job for the utilities.
"But once the power's back on, what do you need? The network. And what do you need after that? The computer. So you have two industries that are going to be critical to our response capabilities," Cagigal said.
But those two giants of telecommunications and technology have not revealed their plans for being ready for their customers ahead of the exercise. "I'm anxiously looking forward to that," he said.
CIO news roundup for week of March 7
A possible cyberattack on the power grid was on the minds of speakers at the Fusion conference in Madison. Here's what happened elsewhere:
- President Barack Obama decried taking an "absolutist" stand in the FBI's fight with Apple over accessing information locked in the iPhone used by one of the shooters in the San Bernardino, Calif., massacre in December. Speaking at the South By Southwest Festival in Austin, Texas, Obama said mobile devices need to be made in a way that would allow law enforcement officials to access data to prevent terrorist attacks. He said Apple's refusal to build any type of bypass around encryption controls is "festishizing our phones above every other value."
- A proposal by the Federal Communications Commission would limit what information Internet providers could collect and share about their customers. The agency's chairman, Tom Wheeler, said providers need to reveal how data about their customers' online activities may be collected. The privacy rules, if adopted, would be the first for service providers; they follow the February 2015 FCC declaration that broadband Internet service should be treated as a public utility.
- Broadband Internet access may soon be available to Americans who can't afford the service. The FCC said Tuesday it will give out a $9.25 monthly subsidy to help low-income families pay for broadband Internet access. Wheeler said more than 95% of households making $150,000 or more have high-speed Internet at home, but just 48% of households earning less than $25,000 can pay for such service.
- Amazon warehouse employees get a sobering dose of reality each morning while waiting to clock in: notices of co-workers who were fired for stealing. To discourage theft, Amazon has set up flat-screen TVs displaying instances of alleged theft -- including what was stolen and what happened to the offenders, who are not named. Theft is a concern at Amazon warehouses, which are stocked with small, valuable items, and workers have long hours and low pay.
- Ransomware tried to take a bite out of Apple. The first known attack of the malicious software, which locks users out of a computer and demands they pay a ransom, was discovered last weekend and was downloaded approximately 6,500 times before Apple could contain the threat. The number is small compared with how many ransomware attacks were made on computers using Microsoft Windows. Symantec, maker of antivirus software, said there were 8.8 million attacks in 2014 alone.
- Watch for a quantum leap in cloud computing in the next decade. Microsoft founder Bill Gates said in an interview on Reddit that the technology could be used for "super-computation" to solve huge science problems in six to 10 years. Quantum computers can carry out more calculations than traditional computers, and IBM and Google are investing heavily in quantum technologies.
Most nuclear plants not prepared for a cyberattack
What are the legal limits on cyberdefense?
Executive boards are thinking cybercrime