SecDef’s nightmare: Cyber-attack

Panetta tells lawmakers the fear of a massive, unexpected cyber-attack is one thing that keeps him awake at night.

What keeps Secretary Panetta up at night?

The unexpected attacks he knows the U.S. isn’t ready for, Panetta told House budgeteers on Wednesday — especially a major cyber-attack.

Panetta said one of his worst fears is that suddenly America would realize its electrical grid or its financial system had been attacked or damaged, and it might not be able to find out who was responsible.

He was careful to add that he also worries about traditional terror, weapons of mass destruction, North Korea and some other standards, but his choice to lead off with cyber-vulnerabilities was telling, especially since the two specific targets he mentioned do not now fall under his area of responsibility.

The Pentagon has spent the past few years playing political hot-potato with the other federal agencies over just who in the alphabet soup should be responsible for protecting against cyber-attacks. DoD and service-level witnesses have been pretty consistent: We are guarding our networks, our bases and our utility access, but we are not going to volunteer to take the lead in defending the power grid, the financial industry, the private sector, or any of that stuff.

Joint Chiefs Chairman Gen. Martin Dempsey has told lawmakers “we had better be talking about cyber,” because he knows what the U.S. is capable of — this always with a wink and a nod — and as such he would hate to be on the receiving end of anything like it. Uniformed officials love the secret handshake, “trust me” technique of assuring you that U.S. offensive cyber capabilities are top-drawer, though there are never any follow-up questions or other details. Secret squirrel stuff, after all.

Panetta’s warning comes just a day after Congress’ watchdog arm released its latest warning about the vulnerability of the U.S. electrical grid. The Government Accountability Office said Tuesday that the grid is not only vulnerable now, it could get even more vulnerable as more utilities adopt “smart grids,” highly automated, efficiency-minded upgrades. Beyond the not-my-jobism in Washington and a whole different alphabet soup of state and federal regulators, the nature of the grids themselves leaves many openings for attack, GAO said.

There’s no coordinated approach for monitoring whether the electrical industry is following its voluntary standards; smart grids are being built without security features; the industry is not sharing information about its vulnerabilities; and power companies don’t even have good data about attacks or vulnerabilities, GAO said.

Bottom line: No matter which federal agencies wind up responsible, the cyber-threat to power grids is not just a “Die Hard 4” fantasy, GAO concluded. Here’s how its report wound up:

The electricity industry is in the midst of a major transformation as a result of smart grid initiatives and this has led to significant investments by many entities, including utilities, private companies, and the federal government. While these initiatives hold the promise of significant benefits, including a more resilient electric grid, lower energy costs, and the ability to tap into alternative sources of power, the prevalence of cyber threats aimed at the nation’s critical infrastructure and the cyber vulnerabilities arising from the use of new technologies highlight the importance of securing smart grid systems. In particular, it will be important for federal regulators and other stakeholders to work closely with the private sector to address key cybersecurity challenges posed by the transition to smart grid technology. While no system can be made 100 percent secure, proven security strategies could help reduce risk to an acceptable level.

That’s if Washington and the private sector can get their act together before Panetta’s nightmare comes true.