According to the Director of National Intelligence, James Clapper, the Russian government has set up a special hacker unit to prepare for cyber warfare against the U.S. In a testimony before Congress last week, Clapper said that important infrastructure, including power grids, have already been compromised. “Politically motivated cyber attacks are now a growing reality, and foreign actors are reconnoitering and developing access to U.S. critical infrastructure systems, which might be quickly exploited for disruption if an adversary’s intent became hostile.”
Clapper then went on to actually name the people behind the hacks. “Unknown Russian actors successfully compromised the product supply chains of at least three [industrial control system] vendors so that customers downloaded malicious software designed to facilitate exploitation directly from the vendors’ websites along with legitimate software updates.”
The energy sector is among the most hacked sectors in the U.S. In fact, according to a 2014 report from Verizon, no other industry is hacked more than the energy sector. Another report from the Congressional Research Service, just released in June, stated that those behind the attacks have the ability ‘to take down control systems that operate U.S. power grids, water systems and other critical infrastructure.” The Russian have been known to use malware known as BlackEnergy, which has been reportedly used to gather information about vital infrastructure systems. However, some studies indicate that the same malware can be used to block certain critical operations on a system and, thus, cause them to break down. This could be used to take down a power grid, for example. The report further points out that “researchers looking at the BlackEnergy malware are reported to have identified a plug-in that can destroy hard disks, and believe that the attackers will activate the module once they are discovered in order to hide their presence.”
So far, nothing has been done by the attackers. They appear, at present, to be concerned only in reconnaissance missions in order to learn as much as they can about infrastructure networks so as to be able to more easily attack them if or when they may deem it necessary. The attackers are aided by the fact that few of those who secure infrastructure networks take such threats seriously. Their security is elementary, at best. As Clapper noted, “The muted response by most victims to cyber attacks has created a permissive environment in which low-level attacks can be used as a coercive tool short of war, with relatively low risk of retaliation”. The CRS report emphasizes that, although most networks can achieve minimal compliance, compliance does not necessarily equal security.
The last point is a serious one. Energy infrastructure, such as power grids, are quite easily breached by sophisticated attackers such as the Russian group. The group appears to want nothing more for the moment than to breach infrastructure networks and remain hidden. However, Rep. Mike Pompeo (R., Kan.), a member of the intelligence committee pointed out that “the risk from penetration of these critical industrial systems by Russian actors is very real and very serious…The same country that invaded Ukraine and is now putting tanks in Syria is conducting reconnaissance of U.S. Industrial infrastructure. We must do more to stop Putin’s aggression.”
However, the attack architecture is already in place. If, for whatever reason, Russia feels it is necessary to disrupt normal life in the U.S., they are fully capable of doing so. How disruptive would such an attack be? Well, according to Dr. Peter Vincent Pry, former CIA analyst, 90% of Americans could be killed by a prolonged power grid attack. He claims massive numbers of people would die “through starvation and disease and societal collapse.” Though this number seems somewhat alarmist, there is no doubt that the widespread disruption that would ensue with a grid shutdown could produce panic which could destabilize the nation.
For now, Russia would not attempt such a comprehensive attack for the same reason no nation has ever declared cyberwar on any other nation – the fear of retaliation. If they ever found themselves threatened, Russia could, as a show of their strength, disable small parts of the infrastructure. They would, of course, deny any complicity in the attack. Since such sophisticated attackers could hide their tracks, 100% attribution would be nearly impossible. This would put the U.S. on the back foot as they would not want to risk launching a full scale attack against anyone who they were not completely convinced was the actual perpetrator. More likely, the U.S would launch a similar limited strike to show that they knew who was behind the disruption. It’s a dangerous game to play with serious ramifications for those who may get it wrong.
The most surprising point in all of this is the growing sense of urgency and the candor shown by the U.S. government. In the past, no one wanted to talk about such attacks, no one wanted to name the attackers, and no one wanted to admit to the possibility that such a devastating attack was possible. In short, power grid attacks have moved from the realm of survivalist paranoia to a plausible reality. Add to this the growing number of threats to the DOE (Department of Energy) from Iranian hackers and you have a worrying scenario. In fact, some sources claim that Iran and Russia are now working together. “Iran has turned to Russia and the cyber warfare front in a bid to even a potential battle against the United States and the West”, states Matthew McInnis, a resident fellow at the American Enterprise Institute.” I’ll have more on the Iran threat in my next post.
Though the world may have moved back from the brink of a nuclear war, we seem to have moved one step closer to the brink of a cyber war which could have just as disastrous an impact. With tensions between the U.S. and Russia increasing all the time, and with Russia’s recent choice of power display rituals as a substitute for foreign policy, some serious cyber boundaries need to be established. Perhaps President Obama can raise the topic when he meets with Putin later today. Of course, this is unlikely to happen and, even if it did, it is unlikely that Putin would admit to having a cyber warfare group. After all, no Russian soldiers were ever in the Ukraine, right?