National Security

Forget Revolution

What would really happen if the lights went out.

Government officials sometimes describe a kind of Hieronymus Bosch landscape when warning of the possibility of a cyber attack on the electric grid. Imagine, if you will, that the United States is blindsided by an epic hack that interrupts power for much of the Midwest and mid-Atlantic for more than a week, switching off the lights, traffic signals, computers, water pumps, and air conditioners in millions of homes, businesses, and government offices. Americans swelter in the dark. Chaos reigns!

Here's another nightmare scenario: An electric grid that serves two-thirds of a billion people suddenly fails in a developing, nuclear-armed country with a rich history of ethnic and religious conflict. Rail transportation is shut down, cutting off travel to large swathes of the country, while many miners are trapped underground.

Blackouts on this scale conjure images of civil unrest, overwhelmed police, crippled hospitals, darkened military bases, the gravely injured in the back of ambulances stuck in traffic jams.

The specter of what Defense Secretary Leon Panetta has called a "digital Pearl Harbor" led to the creation of U.S. Cyber Command, which is tasked with developing both offensive and defensive cyber warfare capabilities, and prompted FBI Director Robert Mueller to warn in March that cyber attacks would soon be "the number one threat to our country." Similar concerns inspired both the Democrats and Republicans to sound the alarm about the cyber threat in their party platforms.

But are cyber attacks really a clear and present danger to society's critical life support systems, capable of inflicting thousands of casualties? Or has fear of full-blown cybergeddon at the hands of America's enemies become just another feverish national obsession -- another of the long, dark shadows of the 9/11 attacks?

Worries about a large-scale, devastating cyber attack on the United States date back several decades, but escalated following attacks on Estonian government and media websites during a diplomatic conflict with Russia in 2007. That digital ambush was followed by a cyber attack on Georgian websites a year later in the run-up to the brief shooting war between Tbilisi and Moscow, as well as allegations of a colossal, ongoing cyber espionage campaign against the United States by hackers linked to the Chinese army.

Much of the concern has focused on potential attacks on the U.S. electrical grid. "If I were an attacker and I wanted to do strategic damage to the United States...I probably would sack electric power on the U.S. East Coast, maybe the West Coast, and attempt to cause a cascading effect," retired Admiral Mike McConnell said in a 2010 interview with CBS's 60 Minutes.

But the scenarios sketched out above are not solely the realm of fantasy. This summer, the United States and India were hit by two massive electrical outages -- caused not by ninja cyber assault teams but by force majeure. And, for most people anyway, the results were less terrifying than imagined.

First, the freak "derecho" storm that barreled across a heavily-populated swath of the eastern United States on the afternoon of June 29 knocked down trees that crushed cars, bashed holes in roofs, blocked roads, and sliced through power lines.

According to an August report by the U.S. Department of Energy, 4.2 million homes and businesses lost power as a result of the storm, with the blackout stretching across 11 states and the District of Columbia. More than 1 million customers were still without power five days later, and in some areas power wasn't restored for 10 days. Reuters put the death toll at 23 people as of July 5, all killed by storms or heat stroke.

The second incident occurred in late July, when 670 million people in northern India, or about 10 percent of the world's population, lost power in the largest blackout in history. The failure of this huge chunk of India's electric grid was attributed to higher-than-normal demand due to late monsoon rains, which led farmers to use more electricity in order to draw water from wells. Indian officials told the media there were no reports of deaths directly linked to the blackouts.

But this cataclysmic event didn't cause widespread chaos in India -- indeed, for some, it didn't even interrupt their daily routine. "[M]any people in major cities barely noticed the disruption because localized blackouts are so common that many businesses, hospitals, offices and middle-class homes have backup diesel generators," the New York Times reported.

The most important thing about both events is what didn't happen. Planes didn't fall out of the sky. Governments didn't collapse. Thousands of people weren't killed. Despite disruption and delay, harried public officials, emergency workers, and beleaguered publics mostly muddled through.

The summer's blackouts strongly suggest that a cyber weapon that took down an electric grid even for several days could turn out to be little more than a weapon of mass inconvenience.

"Reasonable people would have expected a lot of bad things to happen" in the storm's aftermath, said Neal A. Pollard, a terrorism expert who teaches at Georgetown University and has served on the United Nation's Expert Working Group on the use of the Internet for terrorist purposes. However, he said, emergency services, hospitals, and air traffic control towers have backup systems to handle short-term disruptions in power supplies. After the derecho, Pollard noted, a generator truck even showed up in the parking lot of his supermarket.

The response wasn't perfect, judging by the heat-related deaths and lengthy delays in the United States in restoring power. But nor were the people without power as helpless or clueless as is sometimes assumed.

That doesn't mean the United States can relax. James Lewis, director of the technology program at the Center for Strategic and International Studies, believes that hackers threaten the security of U.S. utilities and industries, and recently penned an op-ed for the New York Times calling the United States "defenseless" to a cyber-assault. But he told Foreign Policy the recent derecho showed that even a large-scale blackout would not necessarily have catastrophic consequences.

"That's a good example of what some kind of attacks would be like," he said. "You don't want to overestimate the risks. You don't want somebody to be able to do this whenever they felt like it, which is the situation now. But this is not the end of the world."

The question of how seriously to take the threat of a cyber attack on critical infrastructure surfaced recently, after Congress rejected a White House measure to require businesses to adopt stringent­ new regulations to protect their computer networks from intrusions. The bill would have required industries to report cyber security breaches, toughen criminal penalties against hacking and granted legal immunity to companies cooperating with government investigations.

Critics worried about regulatory overreach. But the potential cost to industry also seems to be a major factor in the bill's rejection. A January study by Bloomberg reported that banks, utilities, and phone carriers would have to increase their spending on cyber security by a factor of nine, to $45.3 billion a year, in order to protect themselves against 95 percent of cyber intrusions.

Likewise, some of the bill's advocates suspect that in the aftermath of a truly successful cyber attack, the government would have to bail the utilities out anyway. Joe Weiss, a cyber security professional and an authority on industrial control systems like those used in the electric grid, argued that a well-prepared, sophisticated cyber attack could have far more serious consequences than this summer's blackouts. "The reason we are so concerned is that cyber could take out the grid for nine to 18 months," he said. "This isn't a one to five day outage. We're prepared for that. We can handle that."

But pulling off a cyber assault on that scale is no easy feat. Weiss agreed that hackers intent on inflicting this kind of long-term interruption of power would need to use a tool capable of inflicting physical damage. And so far, the world has seen only one such weapon: Stuxnet, which is believed to have been a joint military project of Israel and the United States.

Ralph Langner, a German expert on industrial-control system security, was among the first to discover that Stuxnet was specifically designed to attack the Supervisory Control and Data Acquisition system (SCADA) at a single site: Iran's Natanz uranium-enrichment plant. The computer worm's sophisticated programs, which infected the plant in 2009, caused about 1,000 of Natanz's 5,000 uranium-enrichment centrifuges to self-destruct by accelerating their precision rotors beyond the speeds at which they were designed to operate.

Professionals like Weiss and others warned that Stuxnet was opening a Pandora's Box: Once it was unleashed on the world, they feared, it would become available to hostile states, criminals, and terrorists who could adapt the code for their own nefarious purposes. But two years after the discovery of Stuxnet, there are no reports of similar attacks against the United States. What has prevented the emergence of such copycat viruses?

A 2009 paper published by the University of California, Berkeley, may offer the answer. The report, which was released a year before Stuxnet surfaced, found that in order to create a cyber weapon capable of crippling a specific control system ­­-- like the ones operating the U.S. electric grid -- six coders might have to work for up to six months to reverse engineer the targeted center's SCADA system.

Even then, the report says, hackers likely would need the help of someone with inside knowledge of how the network's machines were wired together to plan an effective attack. "Every SCADA control center is configured differently, with different devices, running different software/protocols," wrote Rose Tsang, the report's author.

Professional hackers are in it for the money -- and it's a lot more cost-efficient to search out vulnerabilities in widely-used computer programs like the Windows operating system, used by banks and other affluent targets, than in one-of-a-kind SCADA systems linked to generators and switches.

According to Pollard, only the world's industrial nations have the means to use the Internet to attack utilities and major industries. But given the integrated global economy, there is little incentive, short of armed conflict, for them to do so. "If you're a state that has a number of U.S. T-bills in your treasury, you have an economic interest in the United States," he said. "You're not going to have an interest in mucking about with our infrastructure."

There is also the threat of retaliation. Last year, the U.S. government reportedly issued a classified report on cyber strategy that said it could respond to a devastating digital assault with traditional military force. The idea was that if a cyber attack caused death and destruction on the scale of a military assault, the United States would reserve the right to respond with what the Pentagon likes to call "kinetic" weapons: missiles, bombs, and bullets.

An unnamed Pentagon official, speaking to the Wall Street Journal, summed up the policy in less diplomatic terms: "If you shut down our power grid, maybe we will put a missile down one of your smokestacks."

Deterrence is sometimes dismissed as a toothless strategy against cyber attacks because hackers have such an easy time hiding in the anonymity of the Web. But investigators typically come up with key suspects, if not smoking guns, following cyber intrusions and assaults -- the way suspicions quickly focused on the United States and Israel after Stuxnet was discovered. And with the U.S. military's global reach, even terror groups have to factor in potential retaliation when planning their operations.

None of these considerations is an argument for dismissing the risk of cyber attacks. However, they do suggest the need to keep the degree of risk in perspective. In an op-ed last year in The Hill, the Center for a New American Security's Kristin M. Lord and Travis Sharp warned the United States to avoid "billion dollar solutions to million dollar problems."

"A collective sense of urgency is needed about the growing threats in cyber space," they wrote. "But so too is pragmatic levelheadedness expressed through a U.S. cyber security strategy that prioritizes intelligently. Such a strategy will enable the U.S. government to craft policies that ensure safe access to the Internet without breaking the bank."

Strengthening U.S. cyber security is common sense, like locking your door at night. But it's one thing to turn the lock -- and another to spend the night hunched in your living room with a shotgun.



Little Bo Peepshow

China's six biggest political sex scandals.

On Friday, after months of furious speculation in the Western press and on Chinese social media, Xinhua, China's official news agency, finally announced that former Chongqing party boss Bo Xilai had been expelled from the Communist Party, opening him up for prosecution and potentially a lengthy prison sentence.

Most of the official accusations against Bo are unsurprising. "Bo abused his power, made severe mistakes and bore major responsibility in the Wang Lijun incident," the report reads, in a reference to his former police chief who fled to the U.S. Consulate in February, "and the intentional homicide case of Bogu Kailai" -- a reference to his wife, convicted in August of murdering British businessman Neil Heywood. He "seriously violated Party disciplines" as mayor and party secretary of Dalian, commerce minister, and Chongqing party chief, and "took advantage of his office to seek profits for others and received huge bribes personally and through his family," according to Xinhua.

In the middle of the list of charges is the following accusation: "Bo had or maintained improper sexual relationships with a number of women." As with the other accusations, Xinhua doesn't elaborate, and Bo's alleged unfaithfulness to his wife hardly seems relevant. So what if he was getting some on the side?

But the Communist Party has long held an ambivalent view toward the sex life of its mandarins, dating back the mixed-up mores of its founder, Mao Zedong. Before emphasizing the importance of marriage and the family, Mao flirted with publicly advocating sex "as casual as drinking a glass of water" -- a philosophy he later took up in his private life.

Nowadays, as long as party officials remain loyal and keep their bedroom behavior private, sex is a personal matter. But once they fall, the curtain surrounding their private lives falls with them.

The significance of the charges against Bo thus lies not in their accuracy, but in the Communist Party's decision to use salaciousness to discredit him. As June Teufel Dreyer, a professor of political science at the University of Miami, told Bloomberg News, it fits a pattern "wherein the party decided that no one should be portrayed as having elements of both good and evil within them -- they were either wholly devoted to the party and the people or wholly evil and against them." The following is a list of six officials, high and low, who have been exposed:

1. Chen Liangyu

The previous Politburo member sacked, former Shanghai Party Secretary Chen Liangyu, who fell in 2006, was accused of the same dissolution as Bo. In an August 2007 article in Chinese state media entitled "Since Ancient Times, Corrupt Officials Have Been Very Lusty, Also a Characteristic of Today's "Corrupt and Lusty" (Officials)," the author cites the results of an investigation into Chen's background. Not only did he cause a "endanger the safety of the social security fund," but he was "morally corrupt, using the power of his position to philander with females, trading power for sex." Details of Chen's rumored mistresses remained scant, but he's not alone: A report in 2007 by China's top prosecutor's office, cited by ABC News, "disclosed that 14 out of 16 senior leaders punished in major graft cases since 2002 were involved in ‘trading power for sex' -- the official code for having one or more mistresses."

2. Lin Longfei

Generally speaking, the lower-ranking the official, the more granular the details that emerge. After Chen's downfall, a netizen created "The Guinness [World] Records of Mistresses." The winner of the "Creativity Award" is Lin Longfei, the former party secretary of Zhouning County in South China's Fujian Province. He reportedly invited his 22 mistresses to a banquet, and announced a biannual cash award to whichever women would provide him with the greatest satisfaction that year. This met with a "warm round of applause," writes the original blogger. China's official media doesn't go into that much detail on Lin's alleged antics, but uses language remarkably similar to the rap sheet against Bo. A February 2005 People's Daily article stating that Lin had been sentenced to death for corruption claims that "Lin maintained long-term improper sexual relations with a number of women."

3. Zhang Xiaochuan

Rivaling Lin in sheer cheek is the case of Zhang Xiaochuan, former deputy head of Chongqing municipality's propaganda department who was arrested in 2005 for corruption. Reports released after the case claim that Zhang, nicknamed "major thief flower picker" and "the coolest Radio TV bureau head," had more than 30 lovers in the Radio and TV bureau. One of his paramours supposedly went from being a nurse to the host of an arts and culture show, while another magically rose from kindergarten teacher to the head of the personnel division of a cable network company.

4. Xie Caiping

Scandalous allegations are not reserved only for men who cross the line. During Bo Xilai's crackdown on organized crime in Chongqing, judges sentenced a 46-year-old woman named Xie Caiping to 18 years in prison for running illegal gambling halls. Xie, the sister-in-law of the deputy police commissioner, has been called "the godmother of the Chongqing underworld." The most salacious rumor about her case: She was said to have kept a stable of 16 young men as her lovers. The Chongqing Evening News described her co-defendant and "confirmed lover" Luo Xuan, 26, as a "bright and valiant lad," with a "good tolerance for alcohol and a sweet mouth."

5. Liu Zhijun

In February 2011, five months before a high-speed train crash killed 40 people in Wenzhou and prompted much soul-searching about the state of China's railways industry, railways minister Liu Zhijun was sacked for "disciplinary violation." An article entitled "Sex, Power, Money," published in July 2011 in the nationalist tabloid the Global Times, claims that Liu "was reported to have 18 mistresses, including actresses, nurses and train stewards. He apparently had a thing for women in uniform or those who could play the role." Afterwards, a directive from the Central Propaganda Bureau warned, "All media are not to report or hype the news that Liu Zhijun had 18 mistresses."

6. Mao Zedong

As with most things in China, in the realm of mistresses, no one compares to the Great Helmsman. According to his private doctor and author of the biography The Private Life of Chairman Mao, Mao slept with hundreds, if not thousands of women. "At the height of the Cultural Revolution in the 1960s, he and [his wife] Jiang Qing were sexually estranged, but Mao had no problems with the young women he brought to his bed -- their numbers increasing and their average ages declining as Mao attempted to add years to his life according to the imperial formula," whereby sleeping with young women is said to enhance the ruler's vitality and longevity. Dr. Li treated women who contracted the STD trichomoniasis from Mao, writing, "The young women were proud to be infected," because the illness was a "badge of honor, testimony to their close relations with the Chairman."