Technological advancement follows a rapid upward trajectory, and from its windfall, we are vested with an incredible and terrifying amount of power. As our capabilities continue to expand, a morbid fascination with the ‘dark side’ of technology prevails among pop culture, through media content steeped with dystopian images of society on the verge of collapse. This deep-seated fear of technological abuse is perhaps best evinced by popular TV series like Mr. Robot and Black Mirror, which portend what can happen when specialized knowledge falls into the wrong hands. As such, this sensational fixation with the coming of a ‘technological doomsday,’ so to speak, frames a collective mentality rooted in paranoia and hypervigilance. Mr. Robot, in particular, reflects a chronic and pervasive social anxiety that a massive hacking operation could lead to the breakdown of the financial system. Accordingly, popular discourse regarding cyber security revolves around identity theft and preemptive measures by responsible corporations, specifically as they relate to securing the financial industry.
What we don’t commonly realize, however, is that something much larger is at stake: our very mode of existence. The ability for people to brush their teeth or for doctors to treat patients in the ER room, or even for traffic lights to facilitate the flow of vehicles, may seem out of reach for cyber attackers—but it’s not. All of these capacities hinge on the functioning of critical infrastructure—from dams and transportation, to communication systems and the energy grid. Our lives are so dependent on these technologies that we don’t even see our dependency. Cooking dinner on the stove, filling a water bottle from the faucet, and working after dark under a lamp are activities so routine that we often don’t even acknowledge the critical infrastructure that underlies these processes. This is the very essence of what sociologists call ontological security—a state of mind based on the assumption that our daily functions are a given. But what if they’re not?
The Department of Homeland Security (DHS) claims that critical infrastructure is “so vital to the United States that [its] incapacitation or destruction would have a debilitating effect on [physical] security, national economic security, national public health or safety, or any combination thereof.” Of its 16 sectors, the energy grid is arguably the most crucial, as energy underpins all other sectors in one way or another. By extension, energy is the mainstay of society and the economy. In no uncertain terms, the nation would come to a grinding halt without it. Picture intersections without traffic lights, grocery stores without refrigeration, and phones unable to be recharged—and it’s easy to get a sense of the disorder that would ensue. What’s more, smart grids account for the increasing interconnectedness of the “5.5 million miles of distribution lines that bring power to millions of homes and businesses” across the country. Like dominoes, this means that an attack on one part of the energy grid could potentially lead to a colossal, system-wide collapse.
So, in returning to the question, “Are we secure?”, the answer is a resounding no: it is precisely this “growing interdependency” that makes our energy grid so vulnerable. A report from the National Infrastructure Advisory Council has determined that the US is “falling short” in measures of cybersecurity, while the Department of Energy asserts that the “US grid is in imminent danger” in its second installment of the Energy Quadrille Review. A myriad of research backs this conclusion, and nearly all private and government institutions recognize this reality.
And while we as citizens may not perceive the immediate threat that underlies these claims, they are far from unsubstantiated. Consider, for a moment, how the tsunami-induced electrical outage in Fukishima led to nuclear meltdown. Now imagine a premeditated interference with the United States’ electrical grid and the catastrophic damage it could cause. In the face of rising instances of cyber attacks, the US is increasingly concerned that its grid will become an enticing target, specifically for nation-states like Russia, North Korea, China, and Iran, which possess “sophisticated cyber capabilities.” This fear is not unfounded, especially in light of Russia’s attack on Ukraine in 2015—which left 230,000 people without electricity for six hours in the dead of winter—as well as the United States’ participation in Stuxnet, a joint US-Israeli cyberattack on Iran’s nuclear program. Within this climate of fear, Deputy Secretary of Defense William J. Lynn III states: “Our assessment is that cyber attacks will be a significant component of any future conflict, whether it involves major nations, rogue states, or terrorist groups.” Former Director of the CIA and Secretary of Defense, Leon Panetta elaborates: “Whether it’s North Korea, Russia, China, Iran or ISIS, almost all of the flash points out there now involve a cyber element…That’s the threat we’re going to face in the near future.” Indeed, there is a heightening sense that the future of war is cyber war. But what we neglect—which is quite evident in these statements and in the media’s fixation with localized terrorist and missile threats—is that countries possess cyber capabilities now. Cyber war is not merely a nebulous, impending threat but a concrete issue of the here and now.
As 80% of the nation’s critical infrastructure is privately held, this casts the federal government into a particularly delicate position when it comes to addressing national security. How, for example, should the government work with private owners to minimize vulnerability and maximize autonomy? To what extent are regulations and executive orders viewed as overreaches by Congress and the President? How should these issues be addressed in an era of increasing public distrust in government institutions? And, for argument’s sake, should the government have the power to take over critical infrastructure in a state of total war, much as it did with factories during WWII? These questions, representative of the shaky line between public and private responsibilities with respect to the energy grid, raise important considerations of the appropriate relation between the two.
In February of 2013, President Barack Obama issued Executive Order 13636 in recognition of the government’s need to step up its game in matters of cybersecurity. It reads: “It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” Despite some blowback that the use of an executive order was in and of itself an overreach of presidential authority, Obama’s order actually works to protect private ownership and the public at-large by respecting “security, business confidentiality, privacy and civil liberties.” Indeed, the executive order nurtures a productive private-public partnership that leverages the strengths of both parties. The public-private partnership is predicted to protect US citizens from facing a similar electrical crisis as Ukraine. The North American Electric Reliability Corporation (NERC), a nonprofit international authority independent of the government, sets industry standards for reliable electrical power for over 1900 organizations. Here, the specialized knowledge and expertise from the private sector are combined with the government’s foreign intelligence and prosecutorial capabilities in order to create a solid front.
This is not to say, however, that there are no obstacles to this partnership. With an understanding of the repercussions of the Patriot Act post-9/11, we must consider the size and extent of the power we are willing to vest in the national government. On this basis, an analysis from NYU on Cyber Security Partnerships ascertains several barriers to public-private collaboration, among which are distrust and control, disclosure and exposure, and liabilities and regulations. Most commonly, the private sector fears the potential for the national government to “unduly interfere with operations” through the imposition of stringent regulations. However, a 1998 presidential directive from the Clinton administration deals directly with this fear, outlining a plan that leverages market incentives to accomplish greater security for critical infrastructure, while proposing the use of regulations only in cases of clear market failure. This directive incentivizes private owners of critical infrastructure to maintain and better protect their holdings. But despite these hesitancies, the government’s respectful approach to private-public collaboration maximizes public security with minimal private intrusion.
Cybersecurity is perhaps most interesting because of what it reveals about power. Technology weaves a complex and often contradictory web of power relations between citizens, government, and the private sphere—and these relations are incredibly dynamic. As we continue to make headway in technological innovation, we are vested with a tremendous and sometimes terrifying amount of power: power that has the potential to do a world of good, but power that can be exploited.