Tuesday, March 1, 2022

The myth of “deterrence”


Last Friday, Politico ran a well-researched article about the Russian threat to the US grid. I was quoted saying that it would be extremely difficult for the Russians to cause a widespread grid outage, in large part because of NERC’s standards. And here I meant not just the NERC CIP cybersecurity standards, but the other NERC standards that focus on measures needed to keep the grid reliable. So events like the ones that led to the 2003 Northeast Blackout, whether or not induced by a cyberattack, simply wouldn’t be able to cause an event anything like that one, if those same events occurred today.

I also pointed the reporter to the 2019 Worldwide Threat Assessment, and made the same point to her that I made in this recent post: that if the US is really worried about Putin attacking our grid, it would be a good idea to thoroughly investigate these statements. If it turns out they’re completely wrong, then great…let’s hear about it. But if it turns out they’re right and there is Russian malware planted in grid control centers (since those would be the best points from which to cause outages. Attacking a substation – even taking one out completely – is highly unlikely to cause any outage at all, and certainly not a cascading one. The 2013 Metcalf substation attack demonstrated this).

But I was concerned about the article’s discussion of possible US “deterrence” of a Russian cyberattack on the grid by threatening to respond in kind, presumably with a cyberattack of our own (and the article repeats previous reports that the US has planted plenty of malware in the Russian grid. I don’t doubt that those reports are true, although I don’t have a way of knowing that). This idea is based on flawed logic:

1. The Russians attack the US grid and cause serious outages that lead to some loss of civilian lives.

2. We turn around and cause an even more serious outage in Russia, with presumably even more loss of civilian lives.

The fact is that this scenario will never happen. The US is never going to launch any sort of attack directly targeting civilians in another country, unless we’re actually at war with the country. No matter what Russia is doing in Ukraine, we’re simply not going to “launch a devastating cyberattack” on their grid, no matter what sort of cyberattack they launch on ours. Instead, we’ll impose other non-lethal punishment on the country – beyond what we’ve already imposed. Sure, impoverish the people. But don’t kill them.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

 

1 comment:

  1. Encouraging words, Tom. Thanks. In these dark times, it isn't only the electric lights that too often dim.
