On Wednesday, administration and military officials simulated a cyber attack for a group of senators in an attempt to show a dire need for cybersecurity legislation. All 100 senators were invited to the simulation, which “demonstrated how the federal government would respond to an attack on the New York City electrical grid during a summer heat wave, according to Senate aides.” Around 30 senators attended. Some post-game reactions:
After the briefing, [Sen. Jay] Rockefeller spokesman Vincent Morris said: “We hope that seeing the catastrophic outcome of a power grid takedown by cyberterrorists encourages more senators to set aside Chamber of Commerce talking points and get on this bill.” [Sen. Mary] Landrieu said the simulation “just enhanced the view that I have about how important” cybersecurity is. She added: “The big takeaway is it’s urgent that we get this done now.”
So how catastrophic did the simulation get? How many casualties? What was the extent of the simulated damage? Did thousands die a la 9/11? A “cyber 9/11” if you will? We’ll likely never know because such a simulation will be classified.
Yet as policymakers consider the cost-benefit of cybersecurity legislation, I hope they’ll remember that we’ve already had many a blackout in New York City in real life and, well, they didn’t lead to catastrophic loss of life, panic or terror. As Sean Lawson has explained:
[A]ttacks upon the electrical grid are often featured prominently in cyber-doom scenarios. But historically, just what has happened when the power has gone out? As mentioned above, a series of blackouts in New York City in the 1930s indicated that people did not panic and society did not collapse at the loss of electrical power (Konvitz, 1990). That pattern continued through the remainder of the last century, where “terror, panic, death, and destruction were not the result” of power outages. Instead, as Nye (2010: 182–183) has shown, “people came together [and] helped one another,” just as they do in most disaster situations.
In August 2003, many initially worried that the two-day blackout that affected 50 million people in the United States and Canada was the result of a terrorist attack. Even after it was determined that it was not, some wondered what might happen if such a blackout were to be the result of intentional attack. One commentator hypothesized that an intentional “outage would surely thwart emergency responders and health-care providers. It’s a scenario with disastrous implications” (McCafferty, 2004). But the actual evidence from the actual blackout does not indicate that there was panic, chaos, or “disastrous implications.” While the economic costs of the blackout were estimated between four and ten billion dollars (Minkel, 2008; Council, 2004), the human and social consequences were quite minor. Few if any deaths are attributed to the blackout. A sociologist who conducted impromptu field research of New York City residents’ responses to the incident reported that there was no panic or paralysis, no spike in crime or antisocial behavior, but instead, a sense of solidarity, a concern to help others and keep things running as normally as possible, and even a sense of excitement and playfulness at times (Yuill, 2004). For example, though the sudden loss of traffic lights did lead to congestion, he notes that the situation was mitigated by “people spontaneously taking on traffic control responsibilities. Within minutes, most crossing points and junctions were staffed by local citizens directing and controlling traffic … All of this happened without the assistance of the normal control culture; the police were notably absent for long periods of the blackout” (Yuill, 2004). James Lewis (2006) of the Center for Strategic and International Studies has observed that “The widespread blackout did not degrade U.S. military capabilities, did not damage the economy, and caused neither casualties nor terror.”
Lawson goes on to explain that citizens are not terrorized by loss of power. More than anything, we are “irked” and we redouble our efforts to be resilient in the face of adversity. This is not to say that we should simply lie down and accept cyber attacks as they may come, but policymakers and the public should resist being scared into hasty policy decisions that will have many long-term consequences. Fear is not an appropriate basis for policymaking, and we should never allow it to supplant critical thinking.
For example, the Rockefeller spokesman notes that the simulation was of “a power grid takedown by cyberterrorists,” yet as Thomas Rid has shown, “terrorists are unlikely culprits of an equally unlikely cyber-9/11.” The more likely scenario of a cyber attack blackout is one carried out by a foreign state power in conjunction with a conventional attack. And thinking about a conventional attack on the homeland requires a completely different type of analysis.