United States Pushes for Penalties on Russian Hackers of Power Grid
By Rebecca Smith (Wall Street Journal)
Aug. 5, 2018, 2:11 p.m. ET
Top administration officials are devising new penalties to hit back more forcefully at state-sponsored hackers of critical infrastructure, to deter attacks such as the successful penetration of U.S. utilities by Russian agents last year.
The push for explicit action is coming from top federal agencies to fight worsening threats to the country’s electricity system and other critical industries, particularly menacing actions from Russia, China, Iran and North Korea.
Hackers working for the Russian government claimed “hundreds of victims” last year in a campaign against the energy sector that ultimately put them inside the control rooms of U.S. electric utilities, where they could have caused blackouts, officials with the Department of Homeland Security said in a briefing last month.
The events have forced “an evolution in the U.S. government’s thinking about how to deter malicious cyberactors,” said Robert L. Strayer, the State Department’s deputy assistant secretary in charge of cybersecurity matters, in an interview.
Spearheading the effort are the departments of State, Treasury and Defense, among other major agencies, according to government officials.
The threat to the U.S. electric grids is so serious that in June a group of presidential advisers said the country needs to prepare for a “catastrophic power outage” possibly caused by a cyberattack. The National Infrastructure Advisory Council, mostly current or former chief executives of companies engaged in critical industries, said resources need to be stockpiled in community enclaves to prevent mass migrations of desperate people.
Privately owned utility companies acknowledge they need more help from the federal government, including the military. The utilities say they don’t have the resources on their own to protect the country’s three big electric grids—one in the east, one in the west and one in Texas—against foreign governments.
“There must be accountability for bad actors,” said Tom Fanning, chief executive of Atlanta-based Southern Co., one of the nation’s biggest utility companies. “I can’t hit back. I can’t fight back. I want to know the Department of Defense is going to be there and hold people accountable.”
Measures under consideration would be designed to hurt opponents but not civilians—which would mean not hitting opponents’ utilities, according to current and former government officials. Likely tools would be more frequent use of indictments against named hackers, and seeking Red Notices from Interpol, or requests that other nations locate and arrest suspects, which would make it hard for the culprits to travel outside their home countries. Asset seizures and sanctions are two additional tools likely to be used more.
The officials pushing tougher penalties don’t know whether Mr. Trump will embrace the recommendations. White House officials say he is taking the matter seriously.
The president has sent contradictory messages on his position concerning Russia’s repeated attempts to infiltrate U.S. institutions and to throw confusion into the electoral process, at times promising to be tough and at other times saying the U.S. and Russia share common interests and should work as partners.
On Thursday, senior intelligence officials said Russian attempts to interfere in the 2018 midterm elections were deep, real and ongoing, and said efforts were being made to combat the threat.
[Graphic: Tools of the Trade. In cyberattacks against U.S. power utilities last year, officials say Russian hackers stole employee credentials to gain access to corporate systems. Source: Department of Homeland Security]
Special counsel Robert Mueller charged a dozen Russian intelligence officers in July with hacking the computers of Democratic organizations in an effort to sway voters in the 2016 presidential election. Russia denies interfering.
The debate comes as attacks against U.S. utilities have become brazen.
In March, Homeland Security and the FBI pinned responsibility on a Russian group, often called Dragonfly or Energetic Bear, for intrusions into utilities that gave attackers remote access to critical industrial-control systems, called SCADA. These systems govern power flows and keep electricity supplies balanced with demand, and thus prevent blackouts.
“They’ve had access to the button but they haven’t pushed it,” said Jonathan Homer, Homeland Security’s chief of industrial control system analysis.
In April, Russian hackers were using networking equipment, including commonplace internet routers, as another way to steal utilities’ sensitive information and maintain a hidden presence in control networks, laying “a foundation for future offensive operations,” Homeland Security officials said.
In May, the FBI moved to seize a domain name, toknowall.com, which it said Russians were using to “control malicious software that has infected electronic devices (i.e., routers) in the United States.”
Russia has denied targeting critical infrastructure.
“The frequency of the attacks and the potential attack scenarios are becoming so dangerous that we can’t wrap our brains around it,” said Marina Krotofil, a Ukrainian-born German expert in utility-control systems who has investigated breaches in the U.S. and Europe.
Many Americans misunderstand the threat, she said. It’s not a few hackers from Russia that they face, Ms. Krotofil said. “It’s a cyber army.”
Just a few years ago, the idea that foreign enemies could knock out electricity through cyberstrikes was the stuff of science fiction. Authors fantasized about lost communication except for battery-powered ham radios; a swift deterioration in the quality of drinking water; runs on grocery stores that sparked violence; and clogged highways as millions tried to flee dark metropolises.
Officials are now discussing how to avert such dire conditions if a grid goes down. “We should be thinking about how we sustain society after a huge power outage,” said Terry Boston, former chief executive of the nation’s largest grid-running organization, PJM Interconnection, and a member of the president’s infrastructure council.
Ukraine got a small taste of what can happen. Cyberhackers working for Russia crippled three Ukrainian utilities on Dec. 23, 2015, plunging hundreds of thousands of civilians into the darkness on a chilly winter’s eve.
A year later, Russian hackers knocked out a major transmission substation, causing another smaller blackout in the capital city of Kiev.
Ukraine proved that hostile actors could create blackouts with a variety of cybertools and get away with it, said Stanley Partlow, chief security officer at Ohio-based American Electric Power, a multistate utility. “Everybody said, ‘Wow. That really can happen,’ ” he said.
So far, U.S. strategies against hackers haven’t been potent enough to ensure that a Ukraine scenario doesn’t happen here, experts say.
Some people say it is safe to assume that the U.S. also has retaliated behind the scenes.
Homeland Security “decides what gets revealed, but I wouldn’t fool myself into assuming you see the entire picture,” said Jim Robb, chief executive of the North American Electric Reliability Corp., which writes cybersecurity standards for utilities.
Until recently, the U.S. has been reluctant to say much publicly about successful cyberattacks on its infrastructure, fearing that it might make them even more vulnerable. Talking about attacks is “effectively creating a bull’s-eye” on yourself, said Scott Aaronson, vice president of security and preparedness for Edison Electric Institute, a trade group.
That view is changing, as utilities believe more must be done.
“I’d love to see a bright line drawn,” with clear consequences for those who cross it, said Duane Highley, chief executive of the Electric Cooperatives of Arkansas, which represents nearly a score of distribution utilities.
Keith Alexander, a retired four-star general and former director of the National Security Agency and U.S. Cyber Command, has been urging more action.
In April, Mr. Alexander told the House Armed Services Committee that it is ridiculous to expect companies to defend themselves against state-sponsored hacking teams. No one expects Walmart to buy missiles to defend itself against Russian bombers, he said, and yet “when it comes to cyberspace, we expect exactly that.”
One idea some have discussed is to have U.S. soldiers work alongside utilities, co-hunting adversaries, said Michael Assante, director of industrials and infrastructure security at SANS Institute, a cybersecurity research and training organization.
There is a risk that aggressive steps could cause an escalation that ends up hurting the U.S. more than its adversaries, because the U.S. is more computer-dependent, or that the wrong organization will get blamed for an attack and prompt a counterattack from a new actor.
Establishing attribution is hard because hackers purposely disguise themselves. They drop foreign words into their malware to plant suspicion against others, and they mask an attack’s origin by hijacking computers around the world.
Success now hinges on garnering support from Mr. Trump, said Christopher Painter, former State Department Coordinator for Cyber Issues during the Obama administration.
“One thing the U.S. and its allies have been bad at doing is establishing timely and consequential costs on bad actors—ones that actually make them change their behavior,” he said. “I do worry that unless we have consistent, high-level messaging, it will undercut this effort.”
A White House official said “the president understands that concrete action—not mere wishful thinking—is necessary to address the increasing cyberthreat.”
—Rob Barry contributed to this article.
Appeared in the August 6, 2018, print edition as 'U.S. Steps Up Grid Defense.'