A Game Changer in the Cyberweapon War

Last December, one-fifth of Kiev’s electric power shut down, plunging 225,000 Ukrainians into darkness and cold. The shutdown was not planned, but rather the result of a cyberweapon developed by Russian hackers.

Last week researchers confirmed the existence of the new malware, which has been dubbed “CrashOverride.” Although American government officials have not officially attributed the cyberattack on Ukraine to the Russian government, some privately say that they concur with private sector assessments that the hackers were acting on behalf, or at the behest, of Moscow.

The new cyberweapon, according to the Texas-based cybersecurity firm Dragos, could be modified to be deployed against U.S. electric transmission and distribution systems, to devastating effect. According to one of the firm’s researchers, it is only the latest threat from Russia, but a very noteworthy one. “It’s the culmination of over a decade of theory and attack scenarios,” the researcher, Sergio Caltagirone, warned. “It’s a game changer.”

Russian hackers are believed to have been behind infiltrations of U.S. industrial control systems in 2014. That year too, a hacking campaign that researchers believe was Russia-based targeted NATO, the Ukrainian and Polish governments, and European industries.

In 2015, it was discovered that sensitive parts of the White House’s computers had been infiltrated by what the FBI, the Secret Service, and other U.S. intelligence agencies reportedly categorized as one of “the most sophisticated attacks ever launched against U.S. government systems.” And that attack too, according to experts, bore the electronic equivalent of Russian fingerprints.

And, of course, it isn’t news that our government is investigating a wide-ranging, ambitious effort by the Russian government to disrupt last year’s presidential election. That cyber-campaign, according to American intelligence officials, employed a variety of methods, including hacking hundreds of political and other organizations.

So we Americans should be under no illusions that we are protected from malicious electronic attacks, or that a weapon like CrashOverride will not be deployed against our own electrical grids.

Cybersecurity professionals say that the newly discovered malware can automate mass power outages, as it did in Kiev, and that it includes components that could allow it to be adapted to different electric utilities and launched simultaneously across multiple targets. Thus, they warn, CrashOverride could inflict outages in industrialized countries like our own that would be more widespread and longer lasting than the Ukrainian blackout.

The effect of a large-scale cyberattack on American electrical grids would be on the order of a major hurricane or earthquake — but, potentially, on a nationwide scale. Americans in parts of the country prone to natural disasters know that they must be prepared for a week or two of emergency supplies in the event of such happenings, and often have some warning beforehand that a disaster may be imminent.

But most Americans assume that when they flick on a light switch the light will go on. And that when they set their thermostat, their home’s temperature will adhere to the setting. That their trains will, even if sometimes late, be running, and that their water faucets will be too. A major cyberattack would render those assumptions — and many others — mistaken.

And so, prudence dictates that all of us, even in temperate, stable parts of the country, take precautions as well, and have at least a few days’ backup supplies and water stored away or otherwise available.

Becoming unduly alarmed, though, isn’t called for. Energy sector experts said that while the new malware is cause for concern, the industry is developing ways to disrupt attackers who breach their systems.

What is more, a protection of sorts against a major cyberattack exists in the fact that most every advanced nation uses similar technology in its power grids, employing the same control system tools available through global vendors.

Which means that, even if we are living in an electronic glass house, so are other developed countries, including those, like Russia, that have the ability to disrupt our electrical and other systems. That fact yields a modern-day version of the “Mutually Assured Destruction” deterrent of the Cold War era, when the Soviet Union, it was believed, was restrained from using nuclear weapons against the West by the fact that any such attack would be responded to immediately in kind.

But that offers only a limited solace. We need to be prepared for disruptions of our electricity-dependent lives. And the government needs to continue and intensify its cybersecurity efforts, and use whatever means may be available to dissuade bad global actors from using sophisticated tools to wreak substantial havoc.