A Cyberattack on the U.S. Power Grid
Although a high degree of coordination, extensive resources, and wide-ranging human expertise are needed to execute a cyberattack that disrupts the operations of a state’s power grid, the recent attack on Ukraine’s grid by purported Russian intelligence has shown that it is indeed a very real threat, including for the United States. The most realistic agent behind such an attack is a state actor, since it is unlikely that non-state actors like terrorist groups or lone wolves have the sophistication necessary to conduct the months to years of research and preliminary probes into the involved networks that are needed to execute an attack. States capable of this form of cyberwarfare (e.g. Russia, China, and possibly Iran and North Korea) may be motivated to do so for the purpose of (1) discrediting the US administration, possibly during a “politically sensitive time”; (2) distracting the US government or delaying the US’s response to another ongoing conflict; and (3) retaliating against various kinds of sanctions. Though doomsday predictions are largely exaggerated, the potential damage caused by a cyberattack is severe: one scenario predicts $243 billion in economic losses as well as a small rise in death rates due to the failure of health systems if the major electrical grid Eastern Interconnection is attacked, and these results arise with just 10% of all targeted generators being compromised.
Knake recommends that the Trump administration adopt the following policy initiatives in order to prevent and mitigate a large-scale cyberattack on the power grid: (1) Perhaps most importantly, develop a detailed deterrence policy that clearly describes the firm response the administration would take to each level of severity of attack. For instance, this policy should outline how the government would respond to smaller discoveries, such as that of an actor infiltrating a system for information collection purposes prior to a large-scale attack, as well as to such an attack itself. (2) Create an information-sharing system that allows detection of attacks in one region of the infrastructure to be quickly communicated to others and hence be contained. (3) Prepare a response plan in the case of an extended blackout, and require power companies to maintain manual controls in addition to networked ones. (4) Ensure that companies do not have to sacrifice existing risk management measures to fund new, cybersecurity-focused ones, by implementing either a universal service fee on power consumers (similar to that on phone lines) or a “tax deduction for utility spending” to raise funding.