What a Power Station Attack Says About Our National Security

HARI SREENIVASAN, CORRESPONDENT: Christiane, thanks. Juliette Kayyem, welcome back.

JULIETTE KAYYEM, AUTHOR, “THE DEVIL NEVER SLEEPS”: Thank you.

SREENIVASAN: Juliet, the power disruptions that we saw in North Carolina left tens of thousands of people without power. And I wonder, what does this say to you about the state of our kind of national power grid and bigger infrastructure?

KAYYEM: It shows both its vulnerabilities to any kind of threats, whether it’s a natural disaster, a foreign threat, or in this case, more likely than not a domestic threat, but also how long it takes to get these systems back up and running, whether it’s a day, two days or just several. The areas in North Carolina are severely impacted from their school closures to people being in shelters, to hospitals needing to bring in extra generators and electrical capacity. That – multiply that a million times, right? Not just for the energy grid, but for the 16 critical infrastructure sectors that exist in the United States that range from chemical facilities to dams, to our transportation systems and subways. To, of course, our energy infrastructure and pipelines. The vulnerabilities are immeasurable and that is why they’ll never be invulnerable, but we can certainly make them safer from the kinds of attacks that we’ve seen recently.

SREENIVASAN: The governor said this seemed too easy. Is he right?

KAYYEM: Absolutely. The vulnerabilities of our critical infrastructure have well been known. We – for the last decade, we’ve really focused on cyber security, whether anything from dams to our transportation systems, to, of course, our energy sector, all of them, part of a critical infrastructure apparatus. Whether they could be attacked by cyber attacks, ransomware from Russia, cyber attacks from China or North Korea. But what North Carolina is showing us is that the physical plant, the physical structures, are still incredibly vulnerable. This was a, this was a – just a shooting. A very targeted shooting, but one that has brought sort of misery and a lot of discomfort for large areas of North Carolina.

SREENIVASAN: So is there something from an attack like this that wakes up power utilities that serve the rest of the country, especially who have substations and rural parts of, you know, on the side of a road, kind of like this one was in North Carolina. There are so many of these places that are physically accessible, yet, as you mentioned, have a pretty low security floor.

KAYYEM: That’s exactly right. And well, every incident is going to bring sort of a focus, hopefully by those facilities. And while this is a more isolated area, it’s owned by Duke Energy. This is a major company, it can’t act surprised. It’s not, you know, it’s not just a rural company. An attack in California over a decade ago was PG&E and also a major company. We know the threat environment has changed in the United States. We know it’s changed globally, that these networks are very desirable either by by nation states or by terrorist other organizations. In the United States in 2020, there was a significant increase in the threat environment based on materials and documents that were being circulated on right wing websites about going after critical infrastructure. They viewed it as a way to make a lot of noise. And also they had this perverse sense that if you, you know, sort of put the lights out, there might be civil war or racial war. So the companies are under notice. The fixes are not hard. They are anything from sandbags to concrete walls. These are not sophisticated fixes. This is not, you know, an underwater pipeline that you have to protect a million miles of. This is just – these are the basic minimum features to protect them. Because what we now know in North Carolina, these – the substation was fully exposed so that someone from the street could shoot at it.

SREENIVASAN: So we have, kind of, different, I guess, veins or different guesses of what kind of a person would be motivated to do this. It could be very different categories of people.

KAYYEM: Yes. So I’m gonna start with the least likely, at least in North Carolina, but it’s always out there in the threat environment, is that a foreign government is testing our system. So they’re trying a low grade attack to see if they could do a higher grade. I think that’s unlikely in this case, because a foreign government would be much more likely to do a cyber attack. The second pool or category that one would always look at from my perspective, is someone who worries about critical infrastructure, is was what we call the insider threat. Someone with a motivation that has specifically to do with the company. They didn’t like them, they wanted to target them. Insider threat is a big issue for critical infrastructure owners, and there’s a lot of regulations about who has access, who can work there. The third, which I think is the going theory in North Carolina, simply given the threat environment, is that some – it’s someone with an ideological bent, whether it’s anti-government, what we call accelerator ideologies, ones that wanna accelerate the demise of America’s democracy or its diversity. Right wing organizations like Boogaloo or others that have talked about this. Those are three pools that in any critical infrastructure attack, you’re gonna, you’re gonna keep the possibility open. But there’s a reason why investigators are looking at a sort of a more political, or at least an ideological reason for this. It’s because since 2020, those organizations have been talking about this kind of attack.

SREENIVASAN: You know, and that drum beat has gotten louder. The FBI, DHS, different agencies have testified in front of Congress that they are concerned about these risks over and over again. So, I mean, I guess, what does it take for members of Congress or local governments to say, you know what, this isn’t something abstract. This isn’t just about attacking the capital of the United States. This could be our safety and security here in this small, medium town.

KAYYEM: Yes. I think that’s right. So there’s two ways to try to minimize the threat. One is to – let’s hope that North Carolina can find these people prosecute them, because those kinds of prosecutions will make others realize that this is real. This is not, you know, cosplaying a war. The California case in 2013 against PG&E has never been solved. And that’s a challenge, because if you don’t solve it, then people think that there’s an opening. The other is just clearly make it hurt for the companies. The vulnerabilities are on them. They know what the threat environment is. So you have to either try to get Congress to regulate to increase that floor, which will cost money, but certainly not prohibitive. Sandbags are not expensive. Or if they do get attacked, to fine them or other sort of penalties to get the industries to realize there’s gonna be consequences for these vulnerabilities. Look, they’re monopolies and they’re rich monopolies. They benefit from providing these services to the American public. But there’s a responsibility as well that comes with that commercial market.

SREENIVASAN: One question, I think a good number of people are asking right now is, what’s the difference between whether this is a criminal act or whether this is an act of terror?

KAYYEM: There’s really no difference in both exposing the vulnerability of critical infrastructure, nor in how long it’s gonna take to get it back up. And it provides a lesson, whatever the motivation is, for others who might be interested in doing the same kind of attacks, whether they’re foreign based or domestic, domestic based. So a line has been crossed, it’s been crossed, rarely. We’ve only had one or two in the last decade, decade and a half. But nonetheless this is not a good line to cross. So you wanna prosecute, but the difference on motivation, whether it’s, say a criminal act, someone, an insider who had something against the company, or racially, ideologically, politically motivated, will be both in what federal statutes you can prosecute against these people. They might include a political motivation or some other motivation. And then of course, the sentencing. And I do believe that tough criminal prosecution against people that would attack our critical infrastructure for their ideological purposes, is very, very important. Because what it says to others who might be attracted to doing that is that this is real, and you will go to jail for a very long time. It is – this is consistent in any sort of counter strategy against forces that would use violence in the United States. We see it with the January 6th prosecutions, and we should see it against people who think that they’re being funny or clever by simply shooting at substations. But you’ve got lots of kids who cannot go to school right now, and lots of people who are in shelters who are impacted by this kind of conduct.

SREENIVASAN: There’s also a compounding effect of the environment itself changing thanks to climate change. Right?

KAYYEM: Exactly. Exactly. I mean, look, so the risks are plentiful against these networks. So one is clearly gonna be the cyber risk. The second that we’re seeing in North Carolina is the physical risk. These are just vulnerable systems. And then the third is the climate risk. That these systems were built. They were – our wires are above ground. Our systems get flooded. Electrical substations get surrounded by water. Hurricanes, tornadoes, and other natural disasters that are recurring faster and more deadly are impacting critical infrastructure. And they are single points of failure. I mean, because these are monopolies, there’s no redundancies in the system. It’s not like you can just call another company and say, get your wires in here. We built no redundancies into our system, and you can either worry about right wing extremism or foreign, foreign countries, but, you know, we don’t have to worry too much about climate change that these systems are going down and we need to invest in making them more resilient to the frequency of disasters, or any threat that they’re likely to face.

SREENIVASAN: Different thought altogether. But, you know, in the beginning of the Russian invasion, we were hearing a lot about their potential for cyber attacks. And why aren’t we sort of seeing more of the examples that we were starting to prepare for?

KAYYEM: There are generally, sort of, three explanations that people hear about why hasn’t this happened yet? The first is that, you know, Putin’s not as strong militarily or with his cyber weaponry than we thought a year ago. And there’s evidence to suggest that given what’s happened in Ukraine, that Putin can be more bark than bite, that he just simply couldn’t do it. The second is that Ukraine and NATO in particular had been prepared and had been thinking about how to protect their systems because of the cyber attacks that had been occurring or ransomware attacks that had been occurring in the years before. It wasn’t like the physical invasion was the beginning of Russia’s hostilities against Ukraine. And I think that there is a lot to that. What I believe is that NATO was very, very smart at the beginning of this war to basically say that an attack – a cyber attack on critical infrastructure is the same as a physical attack against critical infrastructure. In other words, you can no more Putin bomb the pipelines in Germany or any other country, NATO country and not invoke Article five than you could with a cyber attack. And they were, they were consistent in this messaging that cyber attacks, while new, would invoke article five, which would, which would then invoke all of NATO in a response. The interesting thing that they did though, or at least the leadership of NATO did though, is they never made it clear what would constitute a significant cyber attack against critical infrastructure. I think that was smart. It gave them a little bit of room that they weren’t gonna go to war every time some hacker or ransomware person located in Russia went – tried to get into a banking system or transportation system. But, they left it open that they would be prepared to respond in kind whether that would be a offensive cyber attack or something more significant, if you impacted – if Russia impacted civilian life in Europe. You cannot attack a cyber system whose result is that, you know, parents can’t get water for their children and say that’s not an act of war. And I think they made that clear.

SREENIVASAN: When you look out at the kind of landscape of tools that someone has now to conduct physical attacks. You know, ironically, we’ve been watching, you know, images from Ukraine where the Ukrainian soldiers use drones, sometimes sort of off the shelf to be able to spot where the enemy is, et cetera, et cetera. We’ve seen cases of drones being used in attacks that are actually just kind of carrying, you know, something. And I wonder, I mean, this is also what kids are asking for for the holidays.

KAYYEM: there is no limit to what you can imagine could be used against critical infrastructure. And we’re just talking about energy. I mean, think about dams or water or chemical facilities ,whether it’s sophisticated or unsophisticated drones, guns and improvised explosive devices that are simply thrown in somewhere, or honestly, scissors. I mean, in the California case, it was – they just used scissors to cut the wires. So we know that there are sort of limitless threats and means to effectuate attacks on critical infrastructure. And that is why one does, or these companies and regulators need to focus on, well, what would have the biggest impact if it in fact went down? In other words, you wanna focus on what we call those single points of failure. Those, you know, substations, that if someone were able to shoot, you know, you’re gonna, you’re gonna knock out 30 or 40,000 people and you try to fortify those better. And then of course, on the other side, you try to prosecute or make the company get better at what it’s – in protecting its critical infrastructure. But we’re never gonna get the vulnerabilities down to zero, not with the networks that we have, nor with the increasing tools and instruments that bad actors or actors with whatever motivation might use against them. It is why critical infrastructure in the 16 sectors are taken more seriously in terms of at least creating some floor, but also providing best practices and training and other services to these companies so that they take seriously what is, what is their vulnerability. One solution that is thrown out there, just for interest’s sake, is that the boards of these companies are often filled with friends and, and rich friends of major critical infrastructure companies like energy companies, gas companies, offshore drilling companies. And so one solution that has been proposed is that the boards, especially these public companies, have to have people within the law enforcement or preparedness space on their boards, ensuring that these companies take it seriously. These are not just for profit companies. They serve a public service, they benefit greatly from that public service, but they ought to and need to take seriously their responsibility to to take the most basic of measures to protect their systems.

SREENIVASAN: Juliette Kayyem, thanks so much.

KAYYEM: Thank you.