In the summer of 2016, the Department of Energy started doing something counterintuitive: It tried to hack its own network.
“To protect the grid from hackers, you need to break it,” the DOE later explained in a now-deleted post about how officials had taken the unlikely step in order to learn how to better protect it against aggressive adversaries.
The approach signaled an increasingly defensive mindset when it comes to U.S. cyber strategy that continues today. Just last month more than 100 cybersecurity experts and engineers from the Defense Advanced Research Projects Agency (DARPA) quietly worked for six days in November on a remote island off Long Island Sound to restore power to the U.S. electrical grid after it was hit with a devastating — and fictional — cyberattack.
U.S. officials have reason to be defensive: Critical infrastructure like the country’s electrical grid is constantly under attack, particularly by one of America’s most potent competitors, Russia. But experts aren’t worried that the Kremlin is going to shut off the lights in New York or San Francisco anytime soon. They’re worried about not being able to retaliate when they need to.
“There’s still a concentrated Russian cyberespionage campaign targeting the bulk of the U.S. electrical grid,” FireEye analyst Alex Orleans told the CyberWarCon conference in Washington last month.
With each attack, Moscow is gathering key intel about the country’s critical infrastructure, identifying weak spots, and planting malware for future deployment. Moscow’s deep roots inside the U.S. electrical grid have given Russia an undeniable advantage in the emerging space of cyberwarfare, experts said. And that upper hand could limit how the U.S. conducts its own offensive cyberattacks — and even foster an environment of paralysis on a key battleground.
These fears have only been exacerbated under the Trump administration, which cut its two top cybersecurity positions in April, and has yet to replace them.
“If we have a significant cyber incident, the normal mechanisms for coordinating that interagency response that is absolutely required, that’s going to be very difficult without a cyber coordinator at the White House,” Suzanne Spaulding, who served as undersecretary for the National Protection and Programs Directorate at the Department of Homeland Security (DHS) during the Obama era, told VICE News.
A long time coming
The possibility that hackers could turn off the lights first came to national prominence back in 2003, when more than 50 million people lost power during the massive Northeastern blackout. Experts initially feared the outage could have been caused by a cyberattack after software in an alarm system malfunctioned.
The blackout turned out to be the result of a bug rather than a malicious attack, but it was enough of a scare that officials soon introduced new resilience and defense standards designed to harden the core network.
Then came Russia’s crippling attacks on Ukraine’s power grid in 2015 and 2016, which caused hundreds of thousands to lose power, and revealed to the world Moscow’s full cyber capabilities.
“One of the most disturbing aspects is that the Russians are believed to have gained access to these utilities using basic hacking techniques.”
Since then, governments around the world have intensified their focus on securing and defending critical networks. In the U.S., experts like FireEye’s Orleans say the core network of the electrical grid has been improved. And DARPA has developed tools to help restart the grid from a complete power outage.
But new trends have introduced new vulnerabilities: The industrywide push to digitize energy grids through “smart meters,” which save money and encourage efficiency, for example, has created fresh access points for hackers to attack the network. And some of these attacks don’t even have to be all that sophisticated, experts warned.
“One of the most disturbing aspects is that the Russians are believed to have gained access to these utilities using basic hacking techniques, such as spear phishing company employees — so they didn’t even have to use the more advanced techniques that the Russians are believed to have used in Ukraine and elsewhere,” Rhea Siers, a former Deputy Assistant Director for Policy at the National Security Agency, told VICE News.
In May, the Department of Homeland Security’s Computer Emergency Readiness Team detailed the operations of one Russian hacking group that was actively trying to infiltrate critical national infrastructures, such as energy, nuclear, water, aviation, and manufacturing sectors. The DHS even named the group — known variously as Temp.Isotope, DragonFly 2.0, Berserk Bear and Energetic Bear — but the public shaming did little to stop attacks on the network.
According to Orleans, whose company closely tracks the group's activities, Russian hackers continue to probe all parts of the U.S. electrical grid. They’re gathering valuable information and drawing detailed maps of the network, he said.
“There is a growing realization that inaction in itself is escalatory because it shows adversaries that they can get away with increasingly provocative actions.”
Yet he doesn’t expect Moscow to use that information in a destructive attack. Instead, he said Moscow is more likely to use the access to foster an environment of fear and inaction in Washington. Spaulding, the former DHS official, shared similar concerns.
“I am worried that Russia may signal its capability to do so, in a way that deters us from taking action that we think is in our national interest, so to freeze us with a fear of escalation or retaliation,” she said.
That paralysis could leave the U.S. even more vulnerable in the long run, experts said. “There is a growing realization that inaction in itself is escalatory because it shows adversaries that they can get away with increasingly provocative actions,” Kate Charlet, a former Department of Defense official, who helped develop its cyber policy, strategy, and capabilities, told VICE News.
In September, National Security Adviser John Bolton made it clear that he wanted the U.S. to act more aggressively when it comes to the cyber domain.
“For any nation that's taking cyber activity against the United States, they should expect … we will respond offensively, as well as defensively,” Bolton said before the publication of the White House Cyber Policy and the Department of Defense (DoD) Cyber Strategy.
Knowing what a more offensive U.S. cyber strategy looks like, and whether it is being effective, is impossible, given the operations are classified. A spokesperson for Cyber Command declined to comment on the specifics of any actions they have taken in recent months or the impact of a specific adversary on those actions.
“There is a growing realization that inaction in itself is escalatory.”
The change in strategy was welcomed by former National Security Agency director Michael Rogers, who said Obama’s more cautious approach, at times, risked playing into adversaries’ hands.
“One of the things that frustrated me at times was: Why are we taking one element just straight off the table?” Rogers told a panel at the Center for Strategic and International Studies. “I just thought, boy, if you’re in Moscow or Beijing you are loving this approach to life because it doesn’t really change your risk calculus.”
Others, however, are concerned that the change of approach won’t have the desired effect.
“Even with the most state-of-the-art cyber tools, it is not clear that complete freedom to use them would deter America’s adversaries Russia and China, and to a lesser extent North Korea and Iran, who are doing everything they can to erode U.S. advantages and strengthen themselves,” Patrick Barry, a former DHS official who advised the Obama administration on cyber strategy said.
Much of Barry’s concerns, however, center on Trump’s “hollowing out” of his White House team that runs cyberspace policy, a worry shared by a number of experts.
“It is still critical that any offensive cyber plan is reviewed broadly and thoroughly in terms of potential impacts — both on our adversaries and potential blowback on the U.S.,” Siers said.
Cover image: In this photo taken Tuesday, Aug. 14, 2018 power transmission lines deliver electricity along the Interstates 40 and I-85 corridor in Orange County near Hillsborough, N.C. (AP Photo)