February 22, 2012

Cyber Security, Non-State Threats and the Electric Grid

U.S. security officials have expressed concern about the
vulnerability of the electric grid to cyber attacks by non-state actors. Most
experts agree that today the greatest cyber threats to the electric grid stem
from state actors like Russia and China. Indeed, there is already some evidence
that these states have infiltrated computer systems that control the
electric grid
. However, security officials warn that the threat is
evolving, with non-state actors becoming more sophisticated users of cyber
tools.

The U.S. intelligence community is giving this evolving
threat greater attention. In January, Director of National Intelligence James
Clapper told the Senate Select Committee on Intelligence that “the
growing role that nonstate actors are playing in cyberspace is a great example
of the easy access to potentially disruptive and even lethal technology and
know-how by such groups
.” General Keith Alexander, the director of the
National Security Agency, recently warned that
the hacker group Anonymous could poses the capability to perpetrate a cyber
attack against the electric grid in just a few years
.

To date, security officials have said that there is little
incentive for countries like China and Russia to perpetrate a cyber attack
against critical U.S. infrastructure like the electric grid, in part because
the attack could be traced (at least to an extent). But non-state actors are by
their very nature anonymous, making pinpointing the origins of an attack more
difficult. As a result, they are not bound by the same deterrent threat (or
threat of retaliation) as state actors might be. So although non-state groups
like Anonymous do not have the ability to perpetrate an attack on the electric
grid, cyber security experts caution that should these groups develop the
capability (or acquire it from a state entity), there
is a greater risk for an attack against critical infrastructure like the
electric grid
.

There is a lot of uncertainty in the cyber community about
the capabilities state actors poses, and even more about the tools that non-state
actors can wield. However, one thing is certain for the time being: states for
now have an edge over non-state actors, in part because of the strategic effect
that state actors can have with a cyber attack that non-states cannot. In their
2011 paper on “Non-state
Actors and Cyber Conflict
,” Greg Rattray and Jason Healy wrote that, “Though
even advanced capabilities can be obtained, it is difficult for non-state
actors to master other tasks – such as gathering intelligence and analyzing
centers of gravity for attack and defense – that are likely needed to have
lasting strategic effects.”

However, it is not difficult to imagine that a single
sophisticated attack against the civilian electric grid could achieve some
strategic effect (perhaps even accidently) due to the cascading effects on
other interdependent infrastructure systems, such as water utility pumping
stations. This is not meant to provoke alarmist calls to action, but rather to encourage
security practitioners and policymakers to think through the types of black
swan events that are difficult to predict or plan for.

Regardless of the intention to have a strategic effect or
not, security officials are likely to continue to examine the potential for
stateless actors to perpetrate a debilitating cyber attack against civilian
infrastructure. Cyber security and protection of critical infrastructure
remains a top priority for the Obama administration. Last week, the
president delivered his annual budget request to Congress which included
funding for critical infrastructure programs at the Departments of Defense and
Homeland Security
, among other federal agencies. This issue is likely to
remain atop of the security agenda.