Avoiding Grid Lock
Tuesday, August 16, 2005; 9:09 AM
A few years ago I was chatting with a mid-level defense official at a cocktail party. He told me, as so many government workers do, that we reporters weren't paying sufficient attention to the real story in cyber-security.
Instead of writing about furtive teenagers and twentysomethings who subsist on a diet of pizza, anime porn and Neuromancer, he said, the media should be reporting on the threat posed by terrorists who could knock America over by seizing the computer systems that run the power grid.
Or the chemical plants. Or the water supply.
That conversation happened a few months after the Sept. 11, 2001, terrorist attacks. Since then, we have reported plenty on this topic in The Washington Post and elsewhere.
But according to Richard Clarke, not much has changed. Clarke, the former cyber-security "czar" of the Bush administration as well as a terrorism adviser to Presidents Bush and Clinton, is back in the news with his security spiel, this time delivered to the Christian Science Monitor.
"Networks run everything from water-treatment plants and oil refineries to power grids and transport networks. They constantly read data and adjust, opening a valve here, closing a tank there, often keeping the facility operating 24/7. In the wrong hands, however, such systems could be compromised," the CSM reported. The paper quoted Clarke as saying: "People downplay the importance of cyber-security, claiming that no one will ever die in a cyber-attack, but they're wrong. ... This is a serious threat."
Clarke got a bad reputation among many security officials, especially post-9/11, for his fixation on cyber-security when everyone else was more concerned about border protection and physical defense. He took his case to "60 Minutes," went all over the news media and later got a gig at the New York Times Magazine.
But things haven't changed much. When it comes to visions of technological catastrophe, otherwise reasonable decisionmakers point their fingers at the Year 2000 bug and cock a skeptical eyebrow... until now, that is.
The Monitor reported that the Energy bill that President Bush signed last week contains a requirement that power companies strengthen their defenses against computer attacks: "Why does a law aimed at boosting energy production address the dangers of hackers, software 'worms,' and computer viruses? Because the automatic networks that run so-called 'critical infrastructure' are emerging as a vital -- and weak -- link in America's defense against terrorism."
Here's more activity on the government front. The Department of Homeland Security is creating a national cyberspace response system, the Monitor said: "Supporters claim it will help the government work with the private sector to prevent, detect, and respond to cyber incidents. In November, DHS will launch its first major national exercise -- code-named 'Cyberstorm' -- to test the government's ability to partner with the private sector in response to a major cyber incident. Last month, DHS Secretary Michael Chertoff created a new post, assistant secretary of cyber and telecommunications security."
The Monitor also contained Clarke's less-than-enthusiastic response: "So far it's been all talk."
On that front -- and without any up-to-date information that says otherwise -- Clarke is more or less correct. Physical security remains the national priority. Terrorists crashed planes into buildings and killed thousands. They did not manipulate the computer systems of dams on the Colorado River to drain Lake Powell and Lake Mead. Our government is supposed to think forward to things that could happen, but it tends to work best with precedents.