With hacking of US utilities, Russia could move from cyber espionage toward cyber war
Even before the revelation on July 23 that Russian government hackers had penetrated the computer systems of U.S. electric utilities and could have caused blackouts, government agencies and electricity industry leaders were working to protect U.S. customers and society as a whole. These developments, alarming as they might seem, are not new. But they highlight an important distinction of conflict in cyberspace: between probing and attacking.
Various adversaries (including Russia, but also China, North Korea and Iran) have been testing and mapping U.S. industrial systems for years. Yet to date there has been no public acknowledgment of physical damage from a foreign cyberattack on U.S. soil on the scale of Russia shutting off electricity in the Ukrainian capital or Iran attacking a Saudi Arabian government-owned oil company, destroying tens of thousands of computers and allegedly attempting to cause an explosion.
The U.S. and its allies have substantial capabilities, too, some of which have reportedly been directed against foreign powers. Stuxnet, for instance, was a cyberattack often attributed to the U.S. and Israel that disrupted Iran’s nuclear weapons development efforts.
The distinction between exploiting weaknesses to gather information — also known as “intelligence preparation of the battlefield” — and using those vulnerabilities to actually do damage is impossibly thin and depends on the intent of the people doing it. Intentions are notoriously difficult to figure out. In global cyberspace they may change depending on world events and international relations. The dangers — to the people of the U.S. and other countries both allied and opposed — underscore the importance of international agreement on what constitutes an act of war in cyberspace and the need for clear rules of engagement.
In July the Center for Cyber and Homeland Security at George Washington University, where we serve, hosted a forum on protecting energy infrastructure. At that event, a Duke Energy Corporation executive reported that in 2017, the company experienced over 650 million attempts to intrude into its systems. That number is startling, though hard to put into context. Whatever the raw count means, some of the efforts directed against the U.S. are extremely sophisticated.
Federal officials have said that starting in 2016, continuing in 2017 and likely still ongoing, Russian government attacks took advantage of trusting relationships between key vendors of services related to equipment and operations for utility companies. Compromising the vendors’ computers was the first step toward breaching the security of systems not directly connected to the internet.
It’s not just electric utilities — crucial though they are to almost every aspect of modern society. The Russian intrusion targeted computerized industrial control systems that are at the beating hearts of every part of critical public and private infrastructure, including water, energy, telecommunications and manufacturing. In the U.S., more than 85 percent of those critical potential targets are owned and operated by private companies. Once considered safely on home soil far from conflict, these firms are now at the center of the international cyberspace battleground.
Setting up defenses
The energy industry has invested heavily in protecting itself and is leveraging a sector-wide collaboration called the Electricity Information Sharing and Analysis Center to communicate between companies about warnings and threats to grid operations. But the task is too great — and the consequences to public health and safety too severe — for private companies to handle the burden on their own. As a result, the U.S. Department of Homeland Security has been investigating breaches like the Russian intrusions and briefing industry leaders about what it finds.