United States Pushes for Penalties on Russian Hackers of Power Grid

By Rebecca Smith (Wall Street Journal)

Aug. 5, 2018 2:11 p.m. ET

Top administration officials are devising new penalties to hit back more forcefully at state-sponsored hackers of critical infrastructure to deter attacks such as the successful penetration of U.S. utilities by Russian agents last year.

The push for explicit action is coming from top federal agencies to fight worsening threats to the country’s electricity system and other critical industries, particularly menacing actions from Russia, China, Iran and North Korea.

Hackers working for the Russian government claimed “hundreds of victims” last year in a campaign against the energy sector that ultimately put them inside the control rooms of U.S. electric utilities where they could have caused blackouts, officials with the Department of Homeland Security said in briefing last month.

The events have forced “an evolution in the U.S. government’s thinking about how to deter malicious cyberactors,” said Robert L. Strayer, the State Department’s deputy assistant secretary in charge of cybersecurity matters, in an interview.

Spearheading the effort are the departments of State, Treasury and Defense, among other major agencies, according to government officials.

The threat to the U.S. electric grids is so serious that in June a group of presidential advisers said the country needs to prepare for a “catastrophic power outage” possibly caused by a cyberattack. The National Infrastructure Advisory Council, mostly current or former chief executives of companies engaged in critical industries, said resources need to be stockpiled in community enclaves to prevent mass migrations of desperate people.

Privately owned utility companies acknowledge they need more help from the federal government, including the military. The utilities say they don’t have the resources on their own to protect the country’s three big electric grids—one in the east, one in the west and one in Texas—against foreign governments.

“There must be accountability for bad actors,” said Tom Fanning, chief executive of Atlanta-based Southern Co., one the nation’s biggest utility companies. “I can’t hit back. I can’t fight back. I want to know the Department of Defense is going to be there and hold people accountable.”

Measures under consideration would be designed to hurt opponents but not civilians—which would mean not hitting opponents’ utilities, according to current and former government officials. Likely tools would be more frequent use of indictments against named hackers, and seeking Red Notices from Interpol, or requests that other nations locate and arrest suspects, which would make it hard for the culprits to travel outside their home countries. Asset seizures and sanctions are two additional tools likely to be used more.

The officials pushing tougher penalties don’t know whether Mr. Trump will embrace the recommendations. White House officials say he is taking the matter seriously.

The president has sent contradictory messages on his position concerning Russia’s repeated attempts to infiltrate U.S. institutions and to throw confusion into the electoral process, at times promising to be tough and at other times saying the U.S. and Russia share common interests and should work as partners.

On Thursday, senior intelligence officials said Russian attempts to interfere in the 2018 midterm elections were deep, real and ongoing, and said efforts were being made to combat the threat.

Tools of the Trade

In cyberattacks against U.S. power utilities last year, officials say Russian hackers stole employee credentials to gain access to corporate systems.

Spear-Phishing

Watering-Hole Attacks

Remote Access

Source: Department of Homeland Security

Special counsel Robert Mueller charged a dozen Russian intelligence officers in July with hacking the computers of Democratic organizations in an effort to sway voters in the 2016 presidential election. Russia denies interfering.

The debate comes as attacks against U.S. utilities have become brazen.

In March, Homeland Security and the FBI pinned responsibility on a Russian group, often called Dragonfly or Energetic Bear, for intrusions into utilities that gave attackers remote access to critical industrial-control systems, called SCADA. These systems govern power flows and keep electricity supplies balanced with demand and thus prevent blackouts.

“They’ve had access to the button but they haven’t pushed it,” said Jonathan Homer, Homeland Security’s chief of industrial control system analysis.

In April, Russian hackers were using networking equipment, including commonplace internet routers, as another way to steal utilities’ sensitive information and maintain a hidden presence in control networks, laying “a foundation for future offensive operations,” Homeland Security officials said.

In May, the FBI moved to seize a domain name, toknowall.com, which it said Russians were using to “control malicious software that has infected electronic devices (i.e., routers) in the United States.”

Russia has denied targeting critical infrastructure.

“The frequency of the attacks and the potential attack scenarios are becoming so dangerous that we can’t wrap our brains around it,” said Marina Krotofil, a Ukrainian-born German expert in utility-control systems who has investigated breaches in the U.S. and Europe.

Many Americans misunderstand the threat, she said. It’s not a few hackers from Russia that they face, Ms. Krotofil said. “It’s a cyber army.”

Just a few years ago, the idea that foreign enemies could knock out electricity through cyberstrikes was the stuff of science fiction. Authors fantasized about lost communication except for battery-powered ham radios; a swift deterioration in the quality of drinking water; runs on grocery stores that sparked violence; and clogged highways as millions tried to flee dark metropolises.

Officials are now discussing how to avert such dire conditions if a grid goes down. “We should be thinking about how we sustain society after a huge power outage,” said Terry Boston, former chief executive of the nation’s largest grid-running organization, PJM Interconnection, and a member of the president’s infrastructure council.

Ukraine got a small taste of what can happen. Cyberhackers working for Russia crippled three Ukrainian utilities on Dec. 23, 2015, plunging hundreds of thousands of civilians into the darkness on a chilly winter’s eve.

A year later, Russian hackers knocked out a major transmission substation, causing another smaller blackout in the capital city of Kiev.

Ukraine proved that hostile actors could create blackouts with a variety of cybertools and get away with it, said Stanley Partlow, chief security officer at Ohio-based American Electric Power, a multistate utility. “Everybody said, ‘Wow. That really can happen,’ ” he said.

So far, U.S. strategies against hackers haven’t been potent enough to ensure that a Ukraine scenario doesn’t happen here, experts say.

Some people say it is safe to assume that the U.S. also has retaliated behind the scenes.

Homeland Security “decides what gets revealed, but I wouldn’t fool myself into assuming you see the entire picture,” said Jim Robb, chief executive of the North American Electric Reliability Corp., which writes cybersecurity standards for utilities.

Until recently, the U.S. has been reluctant to say much publicly about successful cyberattacks of its infrastructures, fearing that it might make them even more vulnerable. Talking about attacks is “effectively creating a bull’s-eye” on yourself, said Scott Aaronson, vice president of security and preparedness for Edison Electric Institute, a trade group.

That view is changing, as utilities believe more must be done.

“I’d love to see a bright line drawn,” with clear consequences for those who cross it, said Duane Highley, chief executive of the Electric Cooperatives of Arkansas, which represents nearly a score of distribution utilities.

Keith Alexander, a retired four-star general and former director of the National Security Agency and U.S. Cyber Command, has been urging more action.

In April, Mr. Alexander told the House Armed Services Committee that it is ridiculous to expect companies to defend themselves against state-sponsored hacking teams. No one expects Walmart to buy missiles to defend itself against Russian bombers, he said, and yet “when it comes to cyberspace, we expect exactly that.”

One idea some have discussed is to have U.S. soldiers work alongside utilities, co-hunting adversaries, said Michael Assante, director of industrials and infrastructure security at SANS Institute, a cybersecurity research and training organization.

There is a risk that aggressive steps could cause an escalation that ends up hurting the U.S. more than its adversaries because the U.S. is more computer-dependent, or that the wrong organization will get blamed for an attack and prompt a counterattack from a new actor.

Establishing attribution is hard because hackers purposely disguise themselves. They drop foreign words into their malware to plant suspicion against others, and they mask an attack’s origin by hijacking computers around the world.

Success now hinges on garnering support from Mr. Trump, said Christopher Painter, former State Department Coordinator for Cyber Issues during the Obama administration.

“One thing the U.S. and its allies have been bad at doing is establishing timely and consequential costs on bad actors—ones that actually make them change their behavior,” he said. “I do worry that unless we have consistent, high-level messaging, it will undercut this effort.”

A White House official said “the president understands that concrete action—not mere wishful thinking—is necessary to address the increasing cyberthreat.”

—Rob Barry contributed to this article.

Appeared in the August 6, 2018, print edition as 'U.S. Steps Up Grid Defense.'