Center for a New American Security

U.S. security officials have expressed concern about the vulnerability of the electric grid to cyber attacks by non-state actors. Most experts agree that today the greatest cyber threats to the electric grid stem from state actors like Russia and China. Indeed, there is already some evidence that these states have infiltrated computer systems that control the electric grid. However, security officials warn that the threat is evolving, with non-state actors becoming more sophisticated users of cyber tools.

The U.S. intelligence community is giving this evolving threat greater attention. In January, Director of National Intelligence James Clapper told the Senate Select Committee on Intelligence that “the growing role that nonstate actors are playing in cyberspace is a great example of the easy access to potentially disruptive and even lethal technology and know-how by such groups.” General Keith Alexander, the director of the National Security Agency, recently warned that the hacker group Anonymous could poses the capability to perpetrate a cyber attack against the electric grid in just a few years.

To date, security officials have said that there is little incentive for countries like China and Russia to perpetrate a cyber attack against critical U.S. infrastructure like the electric grid, in part because the attack could be traced (at least to an extent). But non-state actors are by their very nature anonymous, making pinpointing the origins of an attack more difficult. As a result, they are not bound by the same deterrent threat (or threat of retaliation) as state actors might be. So although non-state groups like Anonymous do not have the ability to perpetrate an attack on the electric grid, cyber security experts caution that should these groups develop the capability (or acquire it from a state entity), there is a greater risk for an attack against critical infrastructure like the electric grid.

There is a lot of uncertainty in the cyber community about the capabilities state actors poses, and even more about the tools that non-state actors can wield. However, one thing is certain for the time being: states for now have an edge over non-state actors, in part because of the strategic effect that state actors can have with a cyber attack that non-states cannot. In their 2011 paper on “Non-state Actors and Cyber Conflict,” Greg Rattray and Jason Healy wrote that, “Though even advanced capabilities can be obtained, it is difficult for non-state actors to master other tasks – such as gathering intelligence and analyzing centers of gravity for attack and defense – that are likely needed to have lasting strategic effects.”

However, it is not difficult to imagine that a single sophisticated attack against the civilian electric grid could achieve some strategic effect (perhaps even accidently) due to the cascading effects on other interdependent infrastructure systems, such as water utility pumping stations. This is not meant to provoke alarmist calls to action, but rather to encourage security practitioners and policymakers to think through the types of black swan events that are difficult to predict or plan for.

Regardless of the intention to have a strategic effect or not, security officials are likely to continue to examine the potential for stateless actors to perpetrate a debilitating cyber attack against civilian infrastructure. Cyber security and protection of critical infrastructure remains a top priority for the Obama administration. Last week, the president delivered his annual budget request to Congress which included funding for critical infrastructure programs at the Departments of Defense and Homeland Security, among other federal agencies. This issue is likely to remain atop of the security agenda.