Ted Koppel, anchor of ABC TV’s “Nightline” for 25 years, from 1980-2005, is the author of “Lights Out,” which argues that not only is the nation’s critical infrastructure at grave risk of a catastrophic cyber attack that could leave as much as a third of the nation without electricity for months or even a year, but that there is no government plan to respond to such an attack.
[ ALSO ON CSO: Read our review of the book and if the industry agrees with Koppel ]
Koppel spoke briefly with CSO earlier last week about those issues:
What kind of feedback on your book are you getting from information security professionals? Do they think you’ve overstated the risk or not?
If they do, I haven’t heard from them yet. But I’m not sure that all the messages are getting through, since I’m on the book tour. The first indication of that was in Chicago today when the former CEO of a power company said he didn’t think I was right about the vulnerabilities of SCADA (Supervisory Control And Data Acquisition) systems. But in the book, a CEO told me the same thing, but then later called me back to say he was wrong.
Based on your conclusions – that a third or more of the nation could be crippled for months or even a year or more by a well-executed cyber attack – does that make the recent nuclear deal with Iran at least somewhat irrelevant? Who needs nukes if a few keystrokes on a laptop could do as much or more damage?
Frankly it’s not even the fact that it’s a few keystrokes. It’s the anonymity of the person delivering the keystrokes. I wouldn’t say nuclear negotiations are irrelevant, but the Iranians know they don’t have to come after us with a nuclear device. That’s an exchange they would lose anyway. Cyber is an arena where we are more vulnerable than any country. And you can’t respond if you don’t know who attacked you.
Should the U.S. put more of a priority on negotiating cyber agreements than nuclear agreements with hostile nations like Iran and North Korea?
I’m not sure what a cyber agreement is going to accomplish. What is the point of having agreements if an attack is not verifiable? We shouldn’t trust because we can’t verify.
[ ALSO ON CSO: Kaspersky: ‘A very bad incident’ awaits critical infrastructure ]
In your recent interview with Charlie Rose, he asked if the U.S. has the capability to inflict more damage on the infrastructure of adversaries like Russia, China, Iran or North Korea than they could inflict on us. You said that was a “fair statement”? Does this amount to a more modern version of the “balance of terror,” in that each adversary has the capacity to destroy the other?
It does not. For MAD (Mutual Assured Destruction) to work, you have to know where the attack is coming from, and the party attacking you has to be sure that the response is going to be worse than the attack. I’ve heard that Russia has placed people into positions all around the world to cover the origin of a cyberattack. How in heaven’s name are you ever going to prove where it came from? You can’t retaliate if you don’t know where it came from?
Did you interview penetration testers who have experience in the electric generation/transmission sector for this book?
No, I did not.
You wrote that one estimate of what it would cost to harden our defenses against an EMP (electromagnetic pulse) attack was $2 billion. That’s not even a rounding error in a budget in the trillions. Why would there be resistance to it?
These things generally end up costing more than the original estimates. But let’s say that protecting against EMPs and setting up warehouses with food and other supplies each cost $100 billion. We have this not terribly effective agency where folks are allegedly guarding our access to airports and flights, and that has cost $100 billion. Yet in tests this past spring, 95 percent of fake bombs and weapons got through.
I think it goes back to what Tom Ridge (first secretary of Homeland Security) said: “We are not a preemptive democracy. We are a reactive one.”
[ ALSO ON CSO: How ‘Power fingerprint’ could improve security for ICS/SCADA systems ]
Do you think the U.S. Senate’s recent passage of the Cybersecurity Information Sharing Act will lead to the kind of threat information sharing needed to reduce the risks to our critical infrastructure?
CISA is not worth the paper it’s printed on. Private industry is worried about privacy, therefore (before it shared any information) the power industry would be allowed to scrub it of any privacy concerns. Then, the DHS (Department of Homeland Security) could scrub it again before they hand it over to the NSA (National Security Agency). That could take months. In an environment in which milliseconds count, what’s the point?
Do you think those privacy concerns are justified, given the, as you put it, “radioactivity” of the NSA after revelations of its data collection?
I think the radioactivity is misplaced in an era when companies like Google and Apple gather material on us to sell it to other parties. I’m less concerned about the NSA having my private info than Russia or North Korea.
Would you recommend that everybody do what you’ve done – buy and store several months worth of food and water for yourself and your family?
I don’t want to present myself as the solution to the problem. But my theory is that those who can afford to take care of themselves for a couple of months ought to do it, and the government should take care of those who can’t afford it.