Arthur H. House is chief cybersecurity risk officer in the state of Connecticut. He previously served in the intelligence community from 2009 to 2012 and as chairman of Connecticut’s utilities commission from 2012 to 2016. His views are his own.
Foreign states are breaching the security perimeters of America’s public utilities. In Connecticut, utilities have reported days in which they detected and deterred more than a million probes to their operating systems, many from foreign actors. Homeland Security Secretary Kirstjen Nielsen on Oct. 2 referred to Russia-linked hacking as an effort to “prep the battlefield” for an attack.
Meanwhile, Karen Evans, the assistant secretary for cybersecurity, energy security and emergency response at the Energy Department, testified Sept. 27 that our energy infrastructure has become a primary target for hostile cyber-actors. She warned that, “energy cybersecurity and resilience has emerged as one of the Nation’s most important security challenges,” and added in response to a committee question that she is not confident our utilities are prepared to withstand such attacks, particularly from potent actors such as Russia and North Korea.
Evans is right: The potential damage from an attack on our critical infrastructure would be harrowing. It’s time we come up with a strategy to defend our nation from potentially crippling cyberattacks that would put states at the forefront of the fight.
The effect of an attack on utility distribution systems could be similar to a major natural disaster — except we know when natural disasters end. Hurricanes do not return to strike a second or third time. And they do not replicate themselves in other parts of the country.
Just two weeks after an attack, we might exhaust the reserve fuel used to generate utility services, leading to shortages of potable water and an inability to treat sewage. Public order would be strained, and we could expect significant out-migration of residents seeking water and electricity. The hit on commerce could be devastating.
Given such consequences, one might understandably come to two conclusions. First, the burden and responsibility for cybersecurity defense must lie squarely on the federal government. And, second, the United States should prioritize offense — hit “them” before they can hit us. As the Trump administration’s new National Cyber Strategy states: “The responsibility to secure the Nation’s critical infrastructure and manage its cybersecurity risk is shared by the private sector and the federal government.”
That might be an appropriate strategy for interstate electricity grids and gas pipelines, but it omits reference to our nation’s distribution systems. Those responsible for protecting the actual delivery of public utility services need to be front and center in this effort. The states, not the federal government, oversee and regulate the distribution of electricity, natural gas and water.
States are, and have always been, responsible for emergency response and recovery. Who would have the burden of managing the consequences of a cyberattack on our critical infrastructure? The same first responders, emergency managers, police and National Guard members who are there after floods, hurricanes, snowstorms, wildfires and earthquakes.
Our collective vulnerability compels us to look beyond the emphasis on offense and make the United States an exemplar of defense. The United States can manage defense by land, sea and air, making conventional weapons against the United States futile. But foreign nations and sophisticated nonstate actors could devastate — some even say prevail over — the United States by hitting us where we are weakest.
Are we really ready for a cyber-deterrence strategy that now includes offensive action, as the Trump administration has proposed? Are we prepared to cause extensive human suffering in another country through denial of basic utility services? Perhaps, but Americans need to understand the need for and consequences of such offensive cyber-actions before they are deployed.
They should also be aware that if the United States were to unleash a cyber-offensive, we would become vulnerable to return attack. We cannot guarantee security. Former assistant defense secretary Paul N. Stockton appropriately noted that, before adversaries strike, power companies and government officials “should partner to draft ‘template’ orders to defend the grid.”
Besides engaging the necessary players, what do we need to mount a national cyberdefense campaign? We could start with robust sharing of threat intelligence with more security-cleared personnel in our public utilities, as well as help in strengthening firewalls, penetration testing and systems defense. We also need contingency planning and rigorous regional and national rehearsals of the catastrophic disruptions we have thankfully never faced.
Cyber is a terrifying weapon — silent, malignant, mutable, chaos-inducing and potentially deadly. We are rendered more vulnerable because offensive capabilities far exceed defense. Instead of touting our willingness to use cyberweapons offensively, we would be wise to build a formidable domestic defense that recruits our states in this new chapter of our national security.