President George Bush attended a grocer’s convention in 1992 and the New York Times erroneously wrote that Bush was amazed at the scanning technology. While this was clearly not the case, the inaccurate article led to criticism that Bush was out of touch with the average American.
With the just-released Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath (Crown, 055341996X), noted broadcast journalist Ted Koppel has written a book that makes him seem out of touch with the subject he is writing about.
The book’s premise is that a major and devastating cyberattack on America’s power grid is imminent. While it’s a disturbing hypothesis, never once does Koppel detail how such an attack would actually take place.
Throughout the book, Koppel sets up his strawman and uses terms such as imagine, may, could and similar tenuous phrases. While these doomsday and worst-case scenarios are indeed terrifying, never does the book detail the specific how.
Throughout the book, one is led to believe that the US electrical energy industry has not taken the cybersecurity threat seriously. While there are thousands of energy firms, I consulted for a year at one of the largest electricity firms in the northeastern US, and they took the threat seriously. While the mom and pop operators may not have a competent information security team, the large providers do take the threat seriously. That’s not to say they can’t do a better job. But Koppel leads the reader to believe too many of the firms are asleep at the wheel.
While Koppel may overplay the threat, there are things he does get right in the book, especially when he sticks to the facts. While electricity is critical to everyone, most people are clueless as to how the power grid works, and he does a good job of scoping that out. He notes that FEMA is woefully unprepared should such a scenario arise within the electric industry. Even for those scenarios that are not as disastrous, FEMA, state, and local governments have not created adequate disaster recovery plans.
In an interview with Jeh Johnson, Secretary of the Department of Homeland Security, of which FEMA is a sub-agency, the normally hard-hitting Koppel handles Johnson with kid gloves. Johnson comes across as somewhat clueless about the energy sector cyberthreat. Koppel notes that while Johnson’s answer to his question lasted 13 minutes, he never addressed the question, and it was an area in which Johnson conceded that he had little expertise.
The book then spends a few chapters on the Mormon Church, whose doctrines include planning for cataclysmic events. The book contrasts the somewhat bumbling approach to emergency preparedness that FEMA has had, to the highly effective plans the Church has tested and implemented.
As to being out of touch with the subject he’s writing about, Koppel writes that when the NSA was working on a supercomputer which could execute a quadrillion operations a second, the NSA staff endearingly labeled the feat a petaflop. Unbeknownst to Koppel, a petaflop is a measure of a computer’s processing speed and not an endearing descriptor; in this case, a quadrillion operations per second.
Koppel also writes as a matter of fact that the Sony hack was perpetrated by North Korea. While there hasn’t been definitive attribution, it was likely an insider attack.
Koppel admits that he is not proficient in the complicated energy sector. To help him navigate through the arcane world of grid reliance standards and the evolving relationship between power industry groups and federal regulators, Koppel engaged the services of Dr. Ryan Ellis of the Cyber Security Project at the Belfer Center for Science and International Affairs at Harvard University. Koppel notes that he sent transcripts of key interviews and rough drafts of relevant chapters to Dr. Ellis for his review and comments. Incredibly and disconcertingly, Koppel states that he didn’t always follow the advice of Dr. Ellis.
The book makes it seem like the power grid is the only part of the critical infrastructure that is at risk. The book glosses over other sectors such as water, gas, dams and much more without a mention.
Koppel tells a great story and the book contains numerous interesting anecdotes about different characters from American history. Yet Koppel never deals with the core information security issues. He never details how an attack would play out, what systems would be infected, etc. Aside from mentioning SCADA, he never details how such systems are used or how they could be compromised.
Koppel writes how he spent a few days in Salt Lake City meeting with very senior leaders of the Mormon Church. He lets the reader know that the Mormons have almost 200 years’ worth of experience of dealing with disasters, as opposed to 37 for FEMA.
What Koppel did is speak to a lot of very senior people and put what he gleaned into writing. What’s conspicuously missing is his speaking to any cybersecurity expert with experience in SCADA, malware or related areas. Information security journalist Taylor Armerding asked Koppel if he interviewed penetration testers who have experience in the electric generation and transmission sector. Incredibly, he said no. I don’t think Koppel understands the significance of that exclusion, and therein lies the fundamental problem with this book.