Putin’s threat of ‘consequences’ heightens worries about Americans’ electricity

The war in Ukraine is renewing fears of a Russian cyberattack on the U.S. — and the danger that such a strike could spiral into a wider conflict between the two powers.

U.S. officials have worried for years about a potential Russian hack of critical systems such as the electric grid, which energy experts say is vulnerable to attacks that could cut off power for hours, days, weeks or even months. The United States would almost certainly respond to such an assault on Americans’ daily lives — and lawmakers and policymakers have said the options would need to include military reprisals or cyber counterattacks, not just more economic sanctions.

Washington has never made it clear what kind of hack would trigger an escalation, despite years of warnings from security agencies that Russia is probably laying the groundwork for a critical infrastructure attack that the U.S. would be ill-prepared to prevent.

“All these hypotheticals about what constitutes an attack… suddenly could move from hypothetical to real literally in the next few days,” Senate Intelligence Chair Mark Warner (D-Va.) said in an interview this week.

Russian President Vladimir Putin issued an ominous warning to nations like the U.S. in his Thursday morning speech announcing the invasion — saying that “whoever tries to hinder us” will face “consequences that you have never faced in your history.”

Later that day, President Joe Biden said from the White House that “if Russia pursues cyberattacks against our companies, our critical infrastructure, we're prepared to respond” — though he did not say what that response would entail.

Biden told Putin during a summit last summer that the United States’ critical infrastructure should be "off-limits" to digital assault, handing him a list of 16 sectors that the Department of Homeland Security has identified as especially vital to the national interest. Those include energy, water, financial services, health care, defense and the food supply.

But Russian government hackers have repeatedly made forays into U.S. critical infrastructure including the energy sector since 2016, the FBI and DHS have said. A 2019 “Worldwide Threat Assessment” by the U.S. intelligence community found that Russia has the capability to disrupt electrical distribution centers in the United States for “at least a few hours,” adding: “Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.”

A major attack on the U.S. grid could be especially devastating, plunging parts of the country into darkness for days or longer depending on the method of attack. Texas offered a peek at this scenario last year, when power failures triggered by cold weather left millions of people without power. More than 200 deaths were linked to the storm, two-thirds of them due to hypothermia.

Russian hackers demonstrated their ability to make such threats real by attacking Ukraine’s grid in 2015 and 2016, leaving portions of the country in the dark for several hours each time.

Criminal ransomware gangs based in Russia made the lesson even plainer for the U.S. in two critical infrastructure breaches last year — an attack on the East Coast’s main fuel supply line that triggered price spikes and gasoline shortages, and another that shut down more than a fifth of the nation’s beef supply.

If a cyberattack on the grid were massive enough, the U.S. might consider it an act of war on the same level as a physical strike against power plants. That could justify a response in kind by the United States and its NATO allies.

“Actually affecting the power grid in that way here in the U.S. would definitely be a big step up in terms of escalation,” said Michael Daniel, who was White House cybersecurity coordinator under President Barack Obama and now leads the Cyber Threat Alliance. “That would probably prompt the U.S. government to look at a wide variety of tools that it might have to try to signal the level of seriousness with which we are treating that, and also to try to impose costs and disruptions on the Russians.”

Sen. Angus King (I-Maine), who co-chaired a congressionally chartered cybersecurity commission, said last week that the U.S. would need to offer a serious response to attacks on its critical infrastructure.

“There is a range of responses, but to me the important thing is that A — there is a response, and B — the Russians know there will be a response. That’s called deterrence,” King said. “It could be sanctions, it could be any number of different things.”

NBC News reported Thursday that U.S. officials are considering preemptive attacks of their own on Russia’s critical infrastructure to hobble the Ukraine invasion, with options such as shutting off internet service, interrupting the electricity supply or tampering with railroad switches. White House press secretary Jen Psaki dismissed the report as “off base,” saying it “does not reflect what is actually being discussed in any shape or form.”

‘How deep did they get in?’

Warnings of a potential Russian attack on the U.S. electrical grid have escalated in recent months as tensions over Ukraine rose.

DHS’ Cybersecurity and Infrastructure Security Agency said in an alert this month that owners and operators of critical infrastructure should strengthen their cybersecurity practices to counter potential Russian threats. Those included water plants, communications networks and, in particular, the power grid.

Separately, the cybersecurity company Dragos recently tracked a hacking group that is “doing reconnaissance on electric and natural gas sites here in the United States,” founder and CEO Robert M. Lee said in an interview this month.

Energy Secretary Jennifer Granholm urged energy executives in a letter Wednesday to “prepare to the highest possible level” for Russian hacking. Her department last year launched a 100-day plan to improve the grid’s cyber defenses.

Still, Granholm wrote Wednesday, “There remains no specific credible threat to the homeland from Russia, that I am aware of.”

The latest warnings follow years of efforts by the U.S. electric power sector to absorb the lessons of the 2015 and 2016 blackouts in Ukraine, whose power system shares some of the vulnerabilities of the American grid. (U.S. power plants also use more automated systems than their Ukrainian counterparts, which would complicate the task of bringing them back online.) But those preparations are not yet complete.

“Are we better off than we were five or six years ago when Russia undertook that activity in December of 2015 in Ukraine? Absolutely,” said Daniel, the former White House cyber coordinator. “Do I think we’re where I would say we are very well off? No, I'm afraid I couldn’t say that.”

Power industry experts disagree, though, on whether hackers could trigger a widespread power outage in the U.S.

A massive outage would be difficult to pull off through a remote hack alone, said cyber risk consultant Tom Alrich; it would require the Russians to create a cascading blackout, in which the failure of a small piece of the grid triggers wider disruptions. Such a scenario played out in parts of Canada, the Midwest and the Northeast in 2003, when tree branches touching power lines in Ohio set off a series of failures that caused millions of people to lose power for several hours.

After those outages, a standards-setting body called the North American Electric Reliability Corp. issued a series of rules aimed at preventing such a snowball effect on the grid, Alrich said. At this point, he said, "it would be almost impossible to cause a cascading outage" — a scenario that would require something like 20 to 30 attacks on various parts of the grid.

But former NERC official Tobias Whitney said several scenarios exist in which a wide-scale disruption would be possible. For instance, hackers could trigger mass outages by downing a control center and backup control for a large transmission operator or a critical transmission substation, said Whitney, who is now vice president of strategy and policy at the cybersecurity firm Fortress.

Experts believe that Russian hackers trying to bring down part of the U.S. grid would probably enter via a side route — breaking into a major energy provider’s networks by infecting a software update from a less secure company. Such a strategy would have been long planned out.

“If they’ve done it, they’ve done it. They are sitting in there,” said Eric Byres, founder and chief technical officer of cybersecurity group aDolus. “That typically takes six to 12 months to execute, so they won’t be doing it tomorrow. The question will be, how deep did they get in, and how destructive they want to be.”

Options for Biden

The next question is how the U.S. would respond.

One option, of course, is for Biden to impose more sanctions, on top of the economic penalties he announced Thursday for banks, oligarchs and other targets in Russia and its ally Belarus. Biden left plenty of room to ramp up the pressure later — he announced no sanctions for now on Putin’s personal wealth or Russia’s oil and gas companies.

A second possibility: The United States could use its own fearsome cyber capability to launch a counterattack on Russia.

The military’s U.S. Cyber Command has demonstrated its ability to strike Russia before — for example, by temporarily shutting down a St. Petersburg-based disinformation factory during the 2018 midterm elections, as The Washington Post later disclosed. The U.S. has also installed probes in the Russian electric grid since at least 2012, and under the Trump administration began implanting malware there at a newly aggressive pace, The New York Times reported in 2019.

A cyberattack against Russia could similarly hobble critical systems for months or longer. The best-known example, a computer worm called Stuxnet believed to be the work of the U.S. and Israel, sabotaged Iran’s nuclear program by destroying centrifuges before being discovered in 2010.

The third and most serious scenario is that an attack on the U.S. grid could trigger Article 5 of the NATO treaty, which requires all members to step in if one member is attacked. NATO declared in 2019 that a major cyberattack against one member state would qualify for such a response.

That could bring every NATO-allied nation into conflict with Russia — raising the possibility of a coordinated response against Moscow that could ramp up the conflict exponentially.

The U.S. even has a precedent for wielding deadly force against a hacker: In 2015, it used a drone strike in Syria to kill a high-level ISIS operative suspected of helping hack U.S. Central Command’s social media accounts, publishing personal information of U.S. troops and using Twitter to encourage terrorist attacks on Americans.

But the U.S. has also hesitated at times to offer a forceful response to Russian hacking for fear of triggering a cycle of escalations that would bring greater damage for the United States. That was one factor in the Obama administration’s slow-to-unwind reaction to Russia’s interference in the 2016 presidential election.

Some security experts and lawmakers have argued for years that a conventional — or “kinetic” — military response should be one option on the table for responding to a major cyberattack. But realistically, the U.S. would use physical force only if the hack had endangered health and safety.

“The U.S. has always reserved the right to respond to malicious cyber activity with both cyber and kinetic tools,” said Mark Montgomery, senior director of the Foundation for Defense of Democracies. “Should someone attack us in a significant way with a cyber tool, they can expect that our response might be in either realm.”

The line dividing these various options has never been quite clear, Warner acknowledged.

“I’m not sure we’ve put out red lines for our adversaries, or for that matter fully warned Americans about the consequences,” the Senate intelligence chair said. “We’ve been talking about this potential for a long time. Thank God we’ve never seen the full effects of an attack.”

Catherine Morehouse contributed to this report.