The Pain in Spain

As protests and problems pile up, there's no easy way out of the crisis for Spain's embattled government.

MADRID – There is not a crisis in Spain today. Well, not just one. The country is beset by a series of crises, which makes the task of merely enumerating them a challenging exercise. Financial analyst Nicholas Spiro tried last week, telling the New York Times, "Spain is the only country in the world that must contend with a banking, economic, sovereign debt, political, and constitutional crisis all occurring simultaneously." Offhand, it is hard to think of any other country able to match that.

But, of course, these five problems are interconnected, as the presence of thousands of disgruntled protesters around Madrid's Congress building most evenings last week served to demonstrate. Taking up the messages of the 15-M protesters -- who in the spring of 2011 (beginning on May 15, hence the name) sparked a wave of similar anti-capitalist demonstrations in many Western countries -- the "indignant ones" (or indignados, as they are known here) outside parliament last week were not demanding jobs or handouts. With unemployment at 25 percent of the workforce (and double that for those under age 25), many might be in need of such things, but they chose to join in a collective finger-pointing at Spain's politicians, making no exception between the ruling Popular Party (PP) and the Socialist opposition.

The political crisis resonating outside is less apparent inside Madrid's parliament, where the rightist PP of Prime Minister Mariano Rajoy can simply deploy its absolute majority to reel off austerity measures aimed at reassuring the markets that Spain's debt load is sustainable. What's more, the European Union, which has already approved a 100-billion-euro bailout for Spain's stricken financial sector, has conditioned its support on budget-deficit targets being met -- orders that Madrid passes on to the Spanish regions, which are responsible for spending on basic services such as health care and education.

But the malaise can be clearly seen in the street protests -- which harness a growing sense of disenfranchisement on the part of the citizenry -- and in local authorities across Spain who are questioning the harsh medicine they are being asked to swallow. The extreme example is Catalonia, where the traditional party of power has felt the need to move in sync with a popular groundswell of separatist sentiment and call for a referendum on self-determination. Never mind that in the months preceding Sept. 11's massive march for independence, the same center-right nationalist government in Catalonia had caused the streets of Barcelona to seethe with angry teachers, health workers, and others as it slashed at the public sector with a gusto that smacked of ideological zeal. But now the region's budgetary problems cannot be explained away by the crisis and the need for belt-tightening, and deep-seated inequity in the state financing model is roiling tensions.

And it is not just Catalonia and its quest for greater independence that is challenging Rajoy's dictates. This summer, five of Spain's 17 regions, including Catalonia and the Basque Country, declared themselves in rebellion against the central government's instructions that illegal immigrants were no longer to be given health care unless they paid for it. Andalusia is resisting Madrid-imposed cutbacks in public education, and PP-run Extremadura recently attempted to make its own stand by not applying across the board a recent hike in the value-added tax.

More colorful, no doubt, is the campaign of resistance being waged by the leftist mayor of Marinaleda, in Andalusia. Juan Manuel Sánchez Gordillo has led his band of farm laborers to occupy large estates owned by the government and rich landowners, as well as launch "subsistence theft" raids on supermarkets to feed his followers.

In effect, these local administrations are taking a cue from some of the civil disobedience tactics that have proliferated among protest groups since the initial 15-M coalescence last year. Activists in several cities now use mobile social networks to gather quickly at protest sites before police or authorities can evict them. And they have a lot to protest. Rising unemployment and the bursting of the property bubble have combined to leave hundreds of thousands unable to finance their homes, while the banks have sucked up billions of euros of bailout funds from the government. There is a kind of vacuum, with central government on the one hand enacting policies to meet the external demands of financial markets, while, on the other hand, individuals on the ground and local institutions try to provide solutions to the grave social ills arising from a prolonged recession.

For César Molinas, a well-known financial consultant whose recent essay, "Theory of Spain's Political Class," enjoyed phenomenal success when published in El País last month, Spain's institutions are incapable of dealing with the current crisis. "They have yet to adapt to the fall of the Berlin Wall and globalization," he argues. The institutional pact between major political parties, business groups, and labor unions that grew up in the post-Franco transition of the 1970s and early 1980s did work, says Molinas, in terms of uniting the country around the goals of consolidating democracy and integrating Spain within Europe. But, echoing the arguments of the 15-M movement, Molinas claims those interests have now become "entrenched" and "dysfunctional."

In the essay, which is an advance extract of the book ¿Qué hacer con España? (What to Do With Spain?), to be published next year, Molinas describes how political parties have created a self-serving network of regional authorities, savings banks, and other subsidized institutions that have led to disastrous investment decisions and a lack of economic flexibility and competitiveness -- all of which was cruelly exposed by the bursting of the real estate bubble on the back of the global credit crunch.

But not everybody accepts that the country's plight has such endemic roots. José Ignacio Torreblanca, a leading political commentator and director of the European Council on Foreign Relations' Madrid office, contends that this is not a specifically Spanish crisis, dismissing what he sees as "gloomy" arguments that hold that Spain is predestined to underachieve, a common theme down the ages. "There was even a theory about chickpeas [a Spanish staple], which went that they didn't give enough protein," says Torreblanca. "But in the United States there was also a real estate bubble, and they are much cleverer than us and eat more proteins."

"It is not a problem of a lack of scientific knowledge, like a meteorite approaching and no one has the answer. The techniques are known," Torreblanca argues, though he accepts that the nexus of financial and political power, the unraveling of which can be seen in the 60-billion-euro hole in Spain's banking system, still requires attention. "We have reformed everything except two powers: the financial sector and the political sector, which, what's more, are highly interconnected. What we do not know is if in the end the agent of change is going to be Spain's angry people or it is going to come from the outside, from the troika," he adds, in reference to the possibility of Rajoy requesting a new bailout overseen by Brussels, the European Central Bank, and the International Monetary Fund.

But beyond the need for internal reform, Torreblanca fears a Spanish Catch-22: Austerity policies will only depress the country further unless external demand prods the economy into life, yet at the same time, Spain is unable to bring about a change in European policies to make growth the new focus. "You can bring in reforms to reduce labor costs all you like, but if there is no demand, people do not start up companies. We are always hearing that businesses create employment, and that's a lie; it is demand that creates employment."

Meanwhile, Rajoy continues to play for time and tries to do good political business even with the poor hand he has been dealt. Presented Sept. 27, the state budget for 2013 includes a 1 percent pension increase with an eye on October's elections in Galicia -- a region with a high proportion of seniors -- though Finance Minister Cristóbal Montoro refused to confirm that the customary end-of-year consumer-price-index inflation changes would be administered to pensions. Reforms to boost competitiveness or stimulate new areas of the economy were once again conspicuous by their absence.

Spain's ultra-cautious conservative leader does not seem to be the man to "rethink Spain," as Molinas insists is imperative at this juncture. The analyst argues that the country is crying out for a "new political and social pact," starting with electoral reform to do away with the closed-list system that foments the gravy-train tendency that packed savings banks' boards with politicians and brought about financial disaster. "It's make-or-break time," Molinas says. "And the answer has to be 'make' because the 'break' is already here."


National Security

Forget Revolution

What would really happen if the lights went out.

Government officials sometimes describe a kind of Hieronymus Bosch landscape when warning of the possibility of a cyber attack on the electric grid. Imagine, if you will, that the United States is blindsided by an epic hack that interrupts power for much of the Midwest and mid-Atlantic for more than a week, switching off the lights, traffic signals, computers, water pumps, and air conditioners in millions of homes, businesses, and government offices. Americans swelter in the dark. Chaos reigns!

Here's another nightmare scenario: An electric grid that serves two-thirds of a billion people suddenly fails in a developing, nuclear-armed country with a rich history of ethnic and religious conflict. Rail transportation is shut down, cutting off travel to large swathes of the country, while many miners are trapped underground.

Blackouts on this scale conjure images of civil unrest, overwhelmed police, crippled hospitals, darkened military bases, the gravely injured in the back of ambulances stuck in traffic jams.

The specter of what Defense Secretary Leon Panetta has called a "digital Pearl Harbor" led to the creation of U.S. Cyber Command, which is tasked with developing both offensive and defensive cyber warfare capabilities, and prompted FBI Director Robert Mueller to warn in March that cyber attacks would soon be "the number one threat to our country." Similar concerns inspired both the Democrats and Republicans to sound the alarm about the cyber threat in their party platforms.

But are cyber attacks really a clear and present danger to society's critical life support systems, capable of inflicting thousands of casualties? Or has fear of full-blown cybergeddon at the hands of America's enemies become just another feverish national obsession -- another of the long, dark shadows of the 9/11 attacks?

Worries about a large-scale, devastating cyber attack on the United States date back several decades, but escalated following attacks on Estonian government and media websites during a diplomatic conflict with Russia in 2007. That digital ambush was followed by a cyber attack on Georgian websites a year later in the run-up to the brief shooting war between Tbilisi and Moscow, as well as allegations of a colossal, ongoing cyber espionage campaign against the United States by hackers linked to the Chinese army.

Much of the concern has focused on potential attacks on the U.S. electrical grid. "If I were an attacker and I wanted to do strategic damage to the United States...I probably would sack electric power on the U.S. East Coast, maybe the West Coast, and attempt to cause a cascading effect," retired Admiral Mike McConnell said in a 2010 interview with CBS's 60 Minutes.

But the scenarios sketched out above are not solely the realm of fantasy. This summer, the United States and India were hit by two massive electrical outages -- caused not by ninja cyber assault teams but by force majeure. And, for most people anyway, the results were less terrifying than imagined.

First, the freak "derecho" storm that barreled across a heavily-populated swath of the eastern United States on the afternoon of June 29 knocked down trees that crushed cars, bashed holes in roofs, blocked roads, and sliced through power lines.

According to an August report by the U.S. Department of Energy, 4.2 million homes and businesses lost power as a result of the storm, with the blackout stretching across 11 states and the District of Columbia. More than 1 million customers were still without power five days later, and in some areas power wasn't restored for 10 days. Reuters put the death toll at 23 people as of July 5, all killed by storms or heat stroke.

The second incident occurred in late July, when 670 million people in northern India, or about 10 percent of the world's population, lost power in the largest blackout in history. The failure of this huge chunk of India's electric grid was attributed to higher-than-normal demand due to late monsoon rains, which led farmers to use more electricity in order to draw water from wells. Indian officials told the media there were no reports of deaths directly linked to the blackouts.

But this cataclysmic event didn't cause widespread chaos in India -- indeed, for some, it didn't even interrupt their daily routine. "[M]any people in major cities barely noticed the disruption because localized blackouts are so common that many businesses, hospitals, offices and middle-class homes have backup diesel generators," the New York Times reported.

The most important thing about both events is what didn't happen. Planes didn't fall out of the sky. Governments didn't collapse. Thousands of people weren't killed. Despite disruption and delay, harried public officials, emergency workers, and beleaguered publics mostly muddled through.

The summer's blackouts strongly suggest that a cyber weapon that took down an electric grid even for several days could turn out to be little more than a weapon of mass inconvenience.

"Reasonable people would have expected a lot of bad things to happen" in the storm's aftermath, said Neal A. Pollard, a terrorism expert who teaches at Georgetown University and has served on the United Nations' Expert Working Group on the use of the Internet for terrorist purposes. However, he said, emergency services, hospitals, and air traffic control towers have backup systems to handle short-term disruptions in power supplies. After the derecho, Pollard noted, a generator truck even showed up in the parking lot of his supermarket.

The response wasn't perfect, judging by the heat-related deaths and lengthy delays in the United States in restoring power. But nor were the people without power as helpless or clueless as is sometimes assumed.

That doesn't mean the United States can relax. James Lewis, director of the technology program at the Center for Strategic and International Studies, believes that hackers threaten the security of U.S. utilities and industries, and recently penned an op-ed for the New York Times calling the United States "defenseless" to a cyber-assault. But he told Foreign Policy the recent derecho showed that even a large-scale blackout would not necessarily have catastrophic consequences.

"That's a good example of what some kind of attacks would be like," he said. "You don't want to overestimate the risks. You don't want somebody to be able to do this whenever they felt like it, which is the situation now. But this is not the end of the world."

The question of how seriously to take the threat of a cyber attack on critical infrastructure surfaced recently, after Congress rejected a White House measure to require businesses to adopt stringent new regulations to protect their computer networks from intrusions. The bill would have required industries to report cyber security breaches, toughened criminal penalties against hacking, and granted legal immunity to companies cooperating with government investigations.

Critics worried about regulatory overreach. But the potential cost to industry also seems to be a major factor in the bill's rejection. A January study by Bloomberg reported that banks, utilities, and phone carriers would have to increase their spending on cyber security by a factor of nine, to $45.3 billion a year, in order to protect themselves against 95 percent of cyber intrusions.

Likewise, some of the bill's advocates suspect that in the aftermath of a truly successful cyber attack, the government would have to bail the utilities out anyway. Joe Weiss, a cyber security professional and an authority on industrial control systems like those used in the electric grid, argued that a well-prepared, sophisticated cyber attack could have far more serious consequences than this summer's blackouts. "The reason we are so concerned is that cyber could take out the grid for nine to 18 months," he said. "This isn't a one to five day outage. We're prepared for that. We can handle that."

But pulling off a cyber assault on that scale is no easy feat. Weiss agreed that hackers intent on inflicting this kind of long-term interruption of power would need to use a tool capable of inflicting physical damage. And so far, the world has seen only one such weapon: Stuxnet, which is believed to have been a joint military project of Israel and the United States.

Ralph Langner, a German expert on industrial-control system security, was among the first to discover that Stuxnet was specifically designed to attack the Supervisory Control and Data Acquisition system (SCADA) at a single site: Iran's Natanz uranium-enrichment plant. The computer worm's sophisticated programs, which infected the plant in 2009, caused about 1,000 of Natanz's 5,000 uranium-enrichment centrifuges to self-destruct by accelerating their precision rotors beyond the speeds at which they were designed to operate.

Professionals like Weiss and others warned that Stuxnet was opening a Pandora's Box: Once it was unleashed on the world, they feared, it would become available to hostile states, criminals, and terrorists who could adapt the code for their own nefarious purposes. But two years after the discovery of Stuxnet, there are no reports of similar attacks against the United States. What has prevented the emergence of such copycat viruses?

A 2009 paper published by the University of California, Berkeley, may offer the answer. The report, which was released a year before Stuxnet surfaced, found that in order to create a cyber weapon capable of crippling a specific control system -- like the ones operating the U.S. electric grid -- six coders might have to work for up to six months to reverse engineer the targeted center's SCADA system.

Even then, the report says, hackers likely would need the help of someone with inside knowledge of how the network's machines were wired together to plan an effective attack. "Every SCADA control center is configured differently, with different devices, running different software/protocols," wrote Rose Tsang, the report's author.

Professional hackers are in it for the money -- and it's a lot more cost-efficient to search out vulnerabilities in widely-used computer programs like the Windows operating system, used by banks and other affluent targets, than in one-of-a-kind SCADA systems linked to generators and switches.

According to Pollard, only the world's industrial nations have the means to use the Internet to attack utilities and major industries. But given the integrated global economy, there is little incentive, short of armed conflict, for them to do so. "If you're a state that has a number of U.S. T-bills in your treasury, you have an economic interest in the United States," he said. "You're not going to have an interest in mucking about with our infrastructure."

There is also the threat of retaliation. Last year, the U.S. government reportedly issued a classified report on cyber strategy that said it could respond to a devastating digital assault with traditional military force. The idea was that if a cyber attack caused death and destruction on the scale of a military assault, the United States would reserve the right to respond with what the Pentagon likes to call "kinetic" weapons: missiles, bombs, and bullets.

An unnamed Pentagon official, speaking to the Wall Street Journal, summed up the policy in less diplomatic terms: "If you shut down our power grid, maybe we will put a missile down one of your smokestacks."

Deterrence is sometimes dismissed as a toothless strategy against cyber attacks because hackers have such an easy time hiding in the anonymity of the Web. But investigators typically come up with key suspects, if not smoking guns, following cyber intrusions and assaults -- the way suspicions quickly focused on the United States and Israel after Stuxnet was discovered. And with the U.S. military's global reach, even terror groups have to factor in potential retaliation when planning their operations.

None of these considerations is an argument for dismissing the risk of cyber attacks. However, they do suggest the need to keep the degree of risk in perspective. In an op-ed last year in The Hill, the Center for a New American Security's Kristin M. Lord and Travis Sharp warned the United States to avoid "billion dollar solutions to million dollar problems."

"A collective sense of urgency is needed about the growing threats in cyber space," they wrote. "But so too is pragmatic levelheadedness expressed through a U.S. cyber security strategy that prioritizes intelligently. Such a strategy will enable the U.S. government to craft policies that ensure safe access to the Internet without breaking the bank."

Strengthening U.S. cyber security is common sense, like locking your door at night. But it's one thing to turn the lock -- and another to spend the night hunched in your living room with a shotgun.