Month: December 2015

White House Petition on Encryption

The White House is soliciting comments on the ongoing “encryption debate.” I would encourage everybody to submit comments. The higher the volume of comments, the more lawmakers will realize that this is an important issue that people care about. To submit your own comments, go to https://www.whitehouse.gov/webform/share-your-thoughts-onstrong-encryption.

The President needs to state, strongly and unequivocally, that he supports the use of strong encryption, which protects American businesses, American Internet users, as well as democratic activists the world over.

A who’s-who of the leading cryptographers in this country have repeatedly written and spoken about the fact that creating an exceptional access program which is still secure is not technically feasible. Some politicians and law enforcement officials have chosen to ignore that, implying that the cryptographic community is either lying about this (for God knows what reason), or that they just haven’t tried hard enough. It’s important to note that the cryptographic community’s argument isn’t that it is hard to create a secure exceptional access program, but that it is mathematically impossible. To suggest that an entire community of leading cryptographers is lying about the problems involved in an exceptional access program is disturbing.

It is also important for the President, and other lawmakers, to understand that the United States’ policies in this area serve as an example to other countries. If the USA decides that encryption backdoors should be mandated, then other countries, which are more authoritarian and have more problematic human rights records, will be emboldened to attempt to require the same thing. In order to lead the world in keeping the Internet safe and secure, it is important for the USA to be on the right side of this decision.

Ted Koppel’s Lights Out is Ridiculous

Ted Koppel released a book, “Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath,” a couple of weeks ago. The book was not received all that well by the electric industry. I haven’t read the book yet, mainly because I don’t want to add to the sales figures. I’m sure I could find it somewhere online on that Deep, Dark Web, but I generally don’t pirate things, just on principle.

He has given several interviews as part of his book tour, though. Among them, one was on the Diane Rehm Show, which has the transcript available here, another was with Hugh Hewitt, with the transcript here, and one with CSO Online available here.

Koppel (from Rehm Show): as great as the tragedy of Paris is, it’s still a conventional form of terrorism that tragically we have grown accustomed to over the years. And what worries me far more is if a group like ISIS, which already has a cyber war capability, and is already probing on the cyber front, they will have the capacity to reach out from wherever they are in the world.

Right at the start, I have to question his terminology. ISIS has not shown any “cyber war” capabilities. This grossly hyperbolizes what ISIS has done. While their propaganda machine uses technology and has been successful, that does not mean that they have a “cyber war capability.”

Koppel (from Rehm Show): There is no way – I mean, the notion that we can keep out terrorists when the terrorists end up being 19 and 20 years old and if you ran into them in the street, you know, unless you can look into their hearts and minds and see what’s going on there, how can you tell?

This is one point where he does make sense. One of the problems with the “War on Terror” idea is that the U.S. tried to fight a war against an idea by using physical troops and weapons. Unless you’re willing to simply exterminate everybody who holds, or likely might hold, the view you disagree with, that isn’t going to work.

Koppel (from Rehm Show): And what ISIS is successfully doing is imbuing in us a sense of fear and suspicion of all Muslims, which is just going to be devastating to the Muslim community, but also devastating to us.

Koppel has talked and been around politics for a long time. When he’s talking about that, he actually seems to be making sense. This is one of the problems with the “Keep all Muslims out of the US” idea.

Koppel (from Rehm Show): We have become now so dependent upon so many different aspects of the internet, that we fail to see that the internet has now become a weapon of mass destruction.

And now he starts to go off the rails. To compare the Internet to a WMD is ridiculous.

Koppel (from Rehm Show): They have plans for every possible natural disaster, but the plan is get yourself a two to three supply of food, make sure you have a radio with adequate batteries. Make sure you have flashlights. Make sure you have water and enough medicine to take care of you for two or three days.

I’ve been to presentations by disaster recovery and emergency preparedness professionals. This does not describe what they do. The problem is that the level of follow-through by the general public is not that great. They give modest advice like this because they know that if the advice is kept at this level, people might follow through on some of it. If you tell them to have a month’s worth of food ready, most people aren’t going to do anything, because they don’t know where to start for a problem of that scale.

Koppel (from Rehm Show): the chamber of commerce has done such an effective job of blocking cyber regulation because there are concerns the power industry is deregulated. On one level, that’s good for all of us because it brings the price of electricity down. But that deregulation means it’s not subject to, as the term implies, it’s not subject to very much federal regulation.

This is disingenuous, at best. Koppel’s book is about the Bulk Electric System (BES) going down, not just an outage at some municipal power company. And the BES does have cybersecurity regulations, as well as reliability regulations. There may be some debate over how good they are, but it is regulated.

Koppel (from Rehm Show): the deputy director of FEMA is a former vice admiral in the Coast Guard – a very nice man and couldn’t have been more gracious to me – but he said, Ted, I just think you’re wrong. I don’t think this is going to happen. I don’t think we’re vulnerable to this kind of an attack.

…taking out, let’s say, the City of New York? What would you do? Well, he said, I’d have to evacuate.

The next day, I went to see his boss, the administrator of FEMA. Yes, he said, he is absolutely convinced that this can happen and very likely will happen. Well, I said, what happens if the attack targets New York City? Do you evacuate? Oh, no, he said. You can’t evacuate New York City. Too many people. Where are you going to put them? Now, here are the two top people at FEMA in total disagreement, A, about whether it can happen and, B, about what you would do if it does.

This is completely believable (and I’m not being sarcastic). Isn’t bureaucracy great?

Rehm: But isn’t NERC the National Electric Regulatory Commission?

Koppel (from Rehm Show): No, NERC is actually the industry body.

I don’t think most people in the industry would take this view. The short version is that NERC (the North American Electric Reliability Corporation) is tasked by FERC (the Federal Energy Regulatory Commission) with writing and enforcing the rules. Whenever NERC writes the rules, though, they have to be approved by FERC before going into effect.

Koppel (from Rehm Show): But in the final analysis what journalism ought to be about is alerting the public to potential danger.

This is the problem with journalism. Journalism should be about informing and educating. When journalists view their job as reporting on every threat and every possible danger, people get an unrealistic view of what dangers they actually face in life. It’s why more people are scared to fly in a plane than to ride in a car, even though airplane travel is demonstrably safer.

Koppel (from Rehm Show): There are 3,200 companies out there and several hundred of them are not that big, they’re small. They’re not that wealthy. They don’t have the money to spend on cybersecurity. And if you can get into one of those – and that’s pretty easy – then nations like the Chinese and the Russians have learned how to trace it all the way back into the central SCADA systems.

I’m not even sure what he means by this. Is he saying that if an attacker gets into a small rural cooperative distribution company, they can then get easy access to controlling the largest high-voltage lines? Because that’s ridiculous.

Hewitt: I go back to the Durkovich interview. I went and looked her up after I read Lights Out, and I’m sure she’s very competent. She graduated from Duke University in 1994, and she’s done a lot of interesting things. But the military people you talk with who are more my age, 59, or have been out of command for a couple of years versus the youngsters, they’re just much more sober about this, realistic about this.

I don’t think that being older leads to a better understanding of the cybersecurity field. Realistically, I don’t think age matters a bit, other than to say that retired, formerly high-level government workers aren’t necessarily who I’d be asking for a current assessment of how things are.

Koppel (From Hewitt Show): And frankly, I’m not an expert on it today. I am simply, as I have been doing for most of my professional life, reporting what people who know more about a subject than I do tell me.

We’ll come back to this one. Just remember, it’s important to pay attention to who you decide to interview when you realize you don’t know about something and want to write a book on it.

Hewitt: There’s no more chilling anecdote than at the 2011 Black Hat conference, Ted Koppel, where you say someone stood up and gave out the password to all of the SCADA’s.

Koppel: Yup, that’s right.

I’m pretty sure he’s talking about this presentation by Dillon Beresford. This literally makes no sense, though. That Koppel would just agree with something as ridiculous as giving out “the password to all of the SCADA’s” is almost beyond belief. I know he said he wasn’t an expert, but if you’re going to write a book on it, you need to at least realize that doesn’t make sense.

And then there’s the best interview response of them all.

CSO Online: Did you interview penetration testers who have experience in the electric generation/transmission sector for this book?

Koppel: No, I did not.

He writes an entire book, brags about spending a year and a half on it and about how many people he’s interviewed, and he didn’t bother to ask even one person who actually has experience in doing what he says is going to happen? If you want to be educated on hacking the power grid, maybe you should talk to somebody who actually knows how to hack SCADA systems.

Hewitt: I would say on Pages 96–99 is perhaps the most, an account of the most disturbing interview I’ve read in a long time. You’re sitting down, and all honor to Jeh Johnson, the Secretary of Homeland Defense, he’s a public servant and a good man, but when you sit down and you talk to him about the threats to the power grid, I quote here, “Johnson’s answer ran slightly more than 13 minutes, and he never addressed the question. It was,” you concluded a little later, “not an area in which he had any expertise.”

I think that last sentence could just as easily have been applied to Ted Koppel himself.