The Wall Street Journal gets a major scoop on its page one this morning, reporting that China and Russia have penetrated the U.S. electrical grid, seeding it with malware that could be used to try to shut the system down.
The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven’t sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war…
Many of the intrusions were detected not by the companies in charge of the infrastructure but by U.S. intelligence agencies, officials said. Intelligence officials worry about cyber attackers taking control of electrical facilities, a nuclear power plant or financial networks via the Internet.
It’s pretty scary stuff, something that always waves the red flag to look more closely at what’s backing it up. It seems we’ve made ourselves pretty vulnerable by having a centralized electricity system plugged into the Internet:
Last year, a senior Central Intelligence Agency official, Tom Donahue, told a meeting of utility company representatives in New Orleans that a cyberattack had taken out power equipment in multiple regions outside the U.S. The outage was followed with extortion demands, he said.
But some of this seems pretty thin. Here’s the third paragraph:
“The Chinese have attempted to map our infrastructure, such as the electrical grid,” said a senior intelligence official. “So have the Russians.”
Couldn’t the Journal get a better quote than that? They’re mapping it?
The story relies primarily on unnamed sources for this information. I’m not opposed to that—especially for a security story—but the paper doesn’t explicitly explain why these intelligence officials might be telling the Journal about this right now, though this is probably a hint:
But protecting the electrical grid and other infrastructure is a key part of the Obama administration’s cybersecurity review, which is to be completed next week… The Obama administration is weighing whether to expand the program to address vulnerabilities in private computer networks, which would cost billions of dollars more.
As might this:
Last week, Senate Democrats introduced a proposal that would require all critical infrastructure companies to meet new cybersecurity standards and grant the president emergency powers over control of the grid systems and other infrastructure.
It’s good that the WSJ puts this information in there, but it should more clearly point out that these might be reasons government officials are talking about this to it right now.
Forbes looks at that question in a somewhat-cranky follow story looking at why the WSJ got the news:
Hearing that hackers are running amok in our power grid likely comes as a grim reality check to most Americans.
But when media reports surfaced Tuesday night that cyberspies had penetrated the computer networks of U.S. utilities and planted software designed to sabotage those systems, cybersecurity insiders weren’t as intrigued by that news as they were by the question of which government officials had leaked it—and why….
While the report represents the first government confirmation of successful cyberattacks against U.S. utilities, many connected with national cybersecurity have known for years that American utility companies have been continually and successfully targeted by hackers. Some suspect that the timing behind the security officials’ new revelations may be intended as a tactic to coax private utility companies into participating in cybersecurity regulatory initiatives currently under review.
Just goes to show, a story is a “scoop” when you get it and a “leak” when your competitor does, but this Forbes piece provides useful context.
There’s some other good reporting in the Journal piece. Here’s a peek inside the “black budget”:
Under the Bush administration, Congress approved $17 billion in secret funds to protect government networks, according to people familiar with the budget.
That’s somewhat comforting.
A sidebar on WSJ Online raises an appropriate question:
Is it a good idea to put the U.S. electricity system on the same footing as your spyware-addled computer?
And I just have to point out “Jim’s” comment on that story. “Jim,” you cracked me up::
How often will the power grid need to be rebooted, and what will a “locked screen” look like? And allowing a “smart grid” to power critical infrastructure systems (say, hospitals) may put new meaning into “blue screen of death”. :-(
Anybody remember the Great Blackout of 2003? I do—I spent the night on a lower Manhattan park bench. That was caused by a single tree in Walton Hills, Ohio.
It seems it’s not just our financial system that’s built on sand.
I’m looking forward to the press following up on this story and its implications.