Researchers say that hackers caused a December power outage in Ukraine -- an attack that came after years of warnings about the digital security of the power grid. But some say that we should be more worried about a different, furrier threat.
They can strike at almost any moment -- gnawing through the insulation guarding power lines or burrowing into substations in risky missions that can leave thousands without power at a time. The bushy-tailed rodent has even sparked economic mayhem: Back in 1987, a rogue squirrel took out the power to a NASDAQ computer center for nearly an hour and half, stopping an estimated 20 million shares from being traded, according to the New York Times.
The critters are such a big problem that the American Public Power Association even tracks the blackouts they cause with its own "Squirrel Index."
But among some cybersecurity researchers, this furry menace has become a meme that highlights what they see as the alarmist tone of policy discussions around cyberattacks on critical infrastructure.
"As far as I know, there's only one outage attributable to hackers," said Tom Cross, chief technology officer at Drawbridge Networks, a cybersecurity firm -- and that's the Ukraine incident. But there has "absolutely" been more than one blackout caused by squirrels, he said.
There's even a website that tracks when squirrels take out the lights: CyberSquirrel1.com. "This map lists all unclassified Cyber Squirrel Operations that have been released to the public that we have been able to confirm," the site's "About" section declares, although the map actually also tracks outages by other critters like birds, raccoons and the occasional beaver.
The data populating the map is culled from news reports, so it likely undercounts outages because it only includes individual incidents large enough to draw media attention. Even so, the outages noted so far are the equivalent of taking out the power in all of Phoenix for about a month, the creator of the site said.
The creator declined to reveal his or her identity but claimed to be a somewhat well-known information security professional fed up with the conversation about alleged hacks against the power grid.
"[T]here is tons of hype about how we are at so much risk from a devastating cyber attack and yet we can't even protect our infrastructure from squirrels, or birds or snakes," the site's creator said. The site grew out of a Twitter account started in March 2013 dedicated to sharing squirrel-related outages and is now a labor of love run by a handful of volunteers, according to the creator.
The risk of a cyberattack on the power grid is a common doomsday scenario on Capitol Hill. "Practically speaking, an adversary is going to go after our civilian infrastructure first," former National Security Agency and U.S. Cyber Command chief Keith Alexander said during a hearing last fall. "We're seeing that in some of the things going on today. Take down the power grid and the financial sector and everybody's going to forget about these problems."
One 2013 report from then-Rep. Henry Waxman (D-Calif.) and now-Sen. Ed Markey (D-Mass.) warned that the "electric grid is the target of numerous and daily cyber-attacks."
But up until the Ukraine incident, researchers hadn't identified a time when hackers caused a blackout. The details of that event are still trickling out, but the emerging consensus is that the blackouts were part of a coordinated digital attack on the local power grid.
In isolation, that may not pose any more of a risk than when animals or bad weather take out the power, according to Cross. What worries some officials, he said, is that hacks against the power grid could become another tool a nation-state might use to attack a country's infrastructure as part of a larger assault.
However, at least in Ukraine, the power companies appear to have been able to get the lights back on within a few hours. To Cross, that's a good sign about the resilience of an electrical grid as we enter an era when blackouts caused by such attacks may be inevitable. "Just as the power grid deals with ice storms and squirrels all the time, we might find ourselves in a position where we occasionally have to respond to cyberattacks," he said. "If power operators are just as prepared to deal with that situation as squirrels, we'll be in a good place."
The creator of CyberSquirrel1.com agrees that there's a real risk of cyberattacks on the power grid and that it's a national security issue that needs attention. "Just nowhere near the attention that [the threat of hacks against the power grid] has been getting from the cyber-war hawks," the creator said.
So in the meantime, the site is focusing on a furry adversary with a proven track record of taking out the lights.