Ted Koppel is not optimistic. The investigative journalist and former “Nightline” host is the author of a new book that argues the U.S. power grid is totally unprepared for a cyberattack that could result in American deaths and longer blackouts than have ever been reported. The biggest problem, he says, is that the situation is going to get worse before it gets better.
Koppel’s “Lights Out: A Cyberattack, A Nation Unprepared, Surviving The Aftermath” was published Oct. 27, 2015, two months before a cyberattack against a Ukrainian power plant led to the world's first blackout attributed to hackers. The U.S. grid is more efficient and cheaper than the Ukrainian grid thanks to its reliance on the Internet, Koppel says. If left unprotected, though, an attack on the modern U.S. networks could be worse than even a devastating natural disaster.
And now the clock is ticking.
Koppel interviewed 60 current and former top U.S. national security officials, including every secretary of the Department of Homeland Security and ex-leadership from the U.S. National Security Agency. He spoke to the International Business Times Thursday by phone.
International Business Times: You’re best known as the host of “Nightline” and, before that, as an ABC correspondent during the Vietnam War. Where did your interest in cybersecurity originate?
Ted Koppel: In doing “Nightline” I did 6,000 programs over 26 years and within those there must have been at least 500 different topics. I’ve never been focused on just one topic, and this just struck me as a topic that wasn’t getting the kind of attention it deserves.
The president made reference to it twice in State of the Union speeches, his secretary of defense, Leon Panetta, talked about the likelihood of a “cyber Pearl Harbor,” the former secretary of the Department of Homeland Security, Janet Napolitano, paid particular attention to it during her farewell address. Yet, with all these people at the highest level of government talking about it, I saw no government plan to deal with the consequences of it.
The more I asked, the more I came to the conclusion that there was not a plan. That struck me as a major, major lapse in the government’s responsibility.
IBT: Were you looking into whether there’s no proactive plan to stop this kind of devastating hack from happening? Or were you looking for the government’s response plan in the event a hack occurs?
Koppel: It was the second more than the first. I am not an expert on this and have no particular expertise at all, but all the experts told me it’s not a question of “if” but a question of “when” this happens. If that’s the case, it seems reasonable to me to ask what the plan is.
We have a plan for what to do in the wake of a devastating snowstorm, earthquake, hurricanes and flooding, but there’s no plan for what to do in the wake of a cyberattack on the grid. The impact of that would be far greater and far longer lasting than anything with the possible exception of a major earthquake in California.
IBT: Based on your conversations, do you have any sense now of where this ranks on the United States’ national security priorities?
Koppel: I don’t know that I can answer that question for you. Part of the problem lies in the politics of it. Politics demands that we take an issue like a terrorist attack, a traditional kind of attack when someone blows himself up with a suicide vest, as something that seizes the public attention. Nobody is going to get elected by coming out and saying "That’s really not a major threat." It’s not, but you don’t get elected by saying that. The other part of the problem is that a great deal of our media these days have also fallen victim to catering to the public appetite, which demands that we regard the kind of terrorist attacks that I’ve just been referencing as the greatest threat to the U.S. But they’re not even close to being the greatest threat.
When you hear something as ludicrous as Donald Trump’s proposal to close the border to all Muslims, you couldn’t do that. Even if you could, it’s stupid. When the far greater threat is not blowing themselves up with a bomb, but somebody sitting at a laptop computer and taking out a power grid. I am not suggesting that individual terrorist groups are capable of doing that yet, but they will be very soon.
There are nation states out there, China and Russia in particular, who already have the capability of doing that. Are they likely to do that? No, but the likelihood of a nation state like Iran or North Korea doing that is far greater.
The Iranians probably already have that capability. I can’t say for sure whether they do, but they’re certainly moving in that direction. North Korea already showed what it can do to a large company like Sony with very little effort.
We have 3,200 power companies out there, some of which are corporations just like Sony. Some of them have superb defense mechanisms and others have almost no defense mechanisms, but they’re all linked together in a network. By accessing one you can reach the other.
IBT: What does that mean for the grid from a cybersecurity standpoint?
Koppel: The several power companies that were attacked in Ukraine were able to get back online again very quickly, ironically because they’re way behind the U.S. in terms of not being as dependent on the Internet. They were able to go back to manual controls.
In this country, because of the deregulation of the power industry, the only way we can maintain the balance between the generation of power and consumption of power, which has to be perfectly balanced, is through Supervisory Control and Data Acquisition (SCADA) systems. It’s only because the power industry operates on the Internet, and because of that you’re going to find an identical SCADA system in California as in Hong Kong. Most of the SCADA systems are made by Siemens, as was, for example, the SCADA system during the U.S. and Israel’s Stuxnet cyberattack on the Iranian nuclear systems [in 2010].
There is a level of vulnerability we have because of the increased efficiency of our system. The deregulation of the power industry made power more efficient and decreased the cost of electricity to the consumer. That’s good. What’s bad is it also made it more vulnerable to attack. The underlying truth here that’s alarming is that so much of our infrastructure — air travel and other industries — is so reliant on the Internet, and the Internet was never designed to be defended.
Keith Alexander, the former director of the National Security Agency, says there are only two kinds of companies: those who have been hacked and those who don’t know it yet.
IBT: What were you most surprised by in the course of reporting this?
Koppel: That there doesn’t seem to be even the most fundamental recovery plan that’s unique to a cyberattack.
The best they can point to is unique recovery plans for blizzards, or recovery plans for hurricanes. They’re thinking they can just apply the same thing. To a certain degree they can, but it will also be totally inadequate.
The duration of a cyberattack’s effects will be longer than any disasters except maybe an earthquake. The scale of it is going to be greater than even the biggest earthquake. If somebody takes out the eastern power grid of the U.S., you’re talking about more than 100 million people who would be affected. No natural disaster comes close to approaching that.
IBT: Who’s a bigger threat: the state-sponsored hackers or non-government groups like the Islamic State group?
Koppel: China and Russia have been operating major reconnaissance missions on the manner of how our power grid functions and is controlled. They’ve been mapping it for years. I don’t want to minimize the complexity of launching one of these attacks — it requires mapping these grids from inside out. The likelihood of an attack from the Chinese and Russians is very slim.
Those who are most capable are the least likely. Those who are at the lower end of the capability scale are the most likely. Look at it this way: We and the Chinese and Russians still have a lot of interlocking commercial, security, diplomatic and political interests. We and ISIS have zero interlocking interests. The likelihood is that if ISIS is able to buy the expertise with a couple billion dollars they have, they would do it. They have only one interest: inflicting as much damage and pain on the United States and Europe.
If they ever get the ability to do it, they almost certainly will. Those that have the ability to do it now almost certainly won’t unless there’s an extreme deterioration in relations.
IBT: Malicious software is a totally new kind of weapon. How does that complicate traditional warfare?
Koppel: One of the problems with a cyberattack is the problem of attribution. Those who have the capability of doing this also have the ability of concealing the point of origin of the attack so it may appear to be coming from South Africa. Then you track it back to Stockholm, then you track it back through Santiago, Chile. Then the ultimate conclusion is that the attack originated in Brooklyn. But that still doesn’t tell you who did it.
The kind of equation that existed in terms of mutually assured destruction, which still exists in terms of the nuclear age, doesn't exist in cyberwar. Anyone considering a nuclear attack against the United States has the knowledge that we would almost certainly know where that attack is coming from, and that we’d almost surely respond in kind with an even greater attack. That’s assured the balance of terror between the U.S. and [Russia] and the U.S. and China, but we don’t have that in the world of cyberwar. Someone can launch an attack against the U.S. and it could be months before we respond.
If an attacker has the confidence he can conceal the attribution it diminishes the restraint on the attacker.
IBT: Did you come out of this more or less confident that this is something the U.S. will be able to address?
Koppel: Tom Ridge, the first Department of Homeland Security secretary, probably gave me the smartest observation, and that’s that the U.S. tends to be a reactive culture. We’re not very good at taking pre-emptive action. Look at what happened in the wake of 9/11, when we’ve spent $3 trillion in two wars for almost 15 years, we’ve created organizations like the Department of Homeland Security and the TSA, and to what end? The TSA alone spent $100 billion over the last 14 years. Then when Homeland Security runs a security check at airports around the U.S. last year, in which they had people smuggle dummy weapons and explosives through TSA security points, the TSA had a success rate of finding these items at 5 percent.
It’s absolutely the right question to ask, but what do I expect to be done? Not much. Not until there is something that grabs the American public by the ears and shakes them to the core of their existence will things get done. But the things that need to get done take years. We should have started years ago, and if we started today it might not be early enough. But we’re not starting them today.