As a child of refugees in London, journalist Ted Koppel witnessed the Blitz. Traveling the world as one of America’s most distinguished television reporters, he lived through the Cold War and witnessed combat up close from Vietnam to Iraq. In his new book, Lights Out: A Cyberattack, A Nation Unprepared, Surviving The Aftermath, he argues that the threat posed by cyber warfare is more complicated to defend against and potentially more deadly than traditional warfare, and that we are absolutely unprepared for it.
Talking from his home in New York, he recalls how witnessing his father putting out German incendiary bombs during the Blitz taught him about Civil Defence; how those most capable of launching a major cyberattack, Russia or China, are less likely to do it than a terrorist organization like ISIS; and why it is crucial for the government to start a dialog with the American people about how to cope with a major cyberattack before it is too late.
You paint an apocalyptic picture of a future hack attack on the power grid. How likely are the lights to go out in the near future?
Very likely. But I’m not the one painting the picture; I’m simply pulling together the pieces of the puzzle that the experts have given me. I started off absolutely agnostic on the subject, but came to the conclusion that when the President makes reference to it twice in successive State of the Union addresses; when then-Secretary of Defence Leon Panetta talks about the likelihood of a “cyber Pearl Harbor;” when I posed the question to Janet Napolitano as she was finishing her gig as Secretary of Homeland Security, and she says, “Oh, very likely; 80 or 90 percent;” I think that’s compelling evidence that there is a real likelihood it will happen.
You first became aware of civil defence as the child of refugees in London in World War II. Take us back to that time and tell us how those early memories inform your interest in this subject?
My recollections are those of a young child, but I do remember my father heading off with a broom and a garbage can lid with a neighbor. They were part of the Home Guard, charged with dealing with incendiary bombs, nasty little things that would land on the rooftop. They didn’t explode; they just burned through the roof top, then set the house on fire. If you could get up quickly enough and sweep it off, and if your partner could then smother it with a garbage-can lid, that was all it took.
Cybercrimes are constantly being committed. There’s hardly a day goes by when cybercrimes are not being committed at the rate of hundreds or thousands of cases a day.
I put that into this book to show even the simplest methodology can be helpful. It gives the public a sense of being empowered, a sense that there is something that can be done. I hope the book will cause people to say, both to the federal government and to state and local governments, “Have a little confidence in us! Treat us like grown-ups. If this is something that is likely to happen, let’s talk about how we will respond to that situation.” And the time to do that talking and preparation is before the fact, not after.
You have seen actual combat up close as a war correspondent. Tell us about some of those experiences and how they compare to cyber warfare?
I’ve been covering wars since 1967 when I went to Vietnam. I have been in Bosnia, Iraq, and Kuwait. Those conflicts had nothing to do with cyberwar. They were wars in their old fashioned manifestation. Cyberattacks are very difficult to pinpoint. It can be extremely hard to state with absolute certainty that a cyberattack comes from point A because it may have been shuttled over there from points B, C or D. That makes it very difficult for a nation to respond.
The other serious difference between cyberwar and war as we have known and feared in the past, by which I mean nuclear war, is that the capacity to wage this kind of war can lie in the hands of an individual with a laptop. So the traditional means by which one state or government discourages another state or government from waging war is not available.
The whole notion of the avoidance of nuclear war rested on the understanding that if the Soviet Union, for example, launched a nuclear attack on the U.S., it would have done so in the knowledge that an equally violent counterattack was likely. That, of course was known as MAD: Mutual Assured Destruction. That doesn’t exist in cyberwarfare. If you can’t determine with specificity where the attack came from, it is very difficult to respond.
You say that the Internet is not only an incredible tool but a potential weapon of mass destruction. Isn’t that an exaggeration?
[Laughs] I don’t think so. There are only three electric power grids in the US: the Eastern Interconnect, which takes most of country from the East Coast beyond Chicago; Texas; and the West Coast. If someone were able to knock out the Eastern Interconnect you would have more than twenty states and tens of millions of people without electricity potentially for as long as months. That would result in thousands if not tens of thousands of deaths. I consider that to be a weapon of mass destruction. Particularly if it was in a winter like last year.
Who is most likely to commit a major cyberattack against us?
The countries most capable of doing it are China and Russia. They are unlikely to do it because we have too many interlocking interests, though the interlocking interests with Russia seem to be diminishing week by week. The next most capable is Iran. It’s not as capable as the Chinese or the Russians. I’m not altogether sure that they could knock out a grid at this stage, but if they are not there yet they will be there fairly soon. Then you have the Koreans.
There’s an interesting diagram you can imagine in your head: that among the most capable there is less likelihood. As you go down the level of capability you increase the level of likelihood. The North Koreans are certainly more likely to engage in a cyberattack than the Chinese, Iranians, or Russians. Then you get to the bottom of the scale. It could be a group like ISIS, for example, which doesn’t have the technical capability to do it but may have the money to buy the technical expertise from others. There are parties out there who are not quite as capable but more likely to do it, and parties that are very capable, who are, at least at the moment, less likely to do it.
Presidents Obama and Xi Jinping of China just agreed not to commit cybercrime against each other. Presumably these are just hollow words?
I don’t know that they are hollow words but remember, cybercrime is a different matter altogether from cyberwar. I didn’t see anything in that agreement that said, “We’re hereby committing not to us a cyberattack against one another should the occasion call for it.”
Cybercrimes are constantly being committed. There’s hardly a day goes by when cybercrimes are not being committed at the rate of hundreds or thousands of cases a day. The Chinese, Ukrainians, Iranians, North Koreans, Russians and even the Syrians are all active. But there is a huge difference between cybercrime and cyberwar. Cybercrime is all around us.
You say, “preparing for the unknown has always been the challenge facing civil defence planners.” Are we prepared for a major cyber-attack?
We are not. When it comes to the agencies that bear the most direct responsibility for protecting and responding to attacks on the American public — the Department of Homeland Security and its subordinate agency FEMA, the Federal Emergency Management Agency — what they are prepared for is a flood or a hurricane; or a massive earthquake in California. What they are not prepared for at all is a cyberattack.
There isn’t even unanimity at the highest levels of government on what to do. I’ll give you an example: I spoke to the head of FEMA, a very bright man by the name of Craig Fugate. I asked him, “What would you do if a cyberattack hit Manhattan? Would you evacuate the city?” He said, “No, you can’t do that. Too many people and it’s impossible.”
There isn’t even unanimity at the highest levels of government on what to do.
A couple of days later I interviewed his deputy, likewise a very smart fellow by the name of Joe Nimmich, a retired vice admiral. I said to him, “What would you do if a cyberattack hit Manhattan?” “We would evacuate,” he said. Now, if the two top people at FEMA have diametrically opposed views of what you would do in the event of an attack like this, I think it’s safe to say. “We’re not ready!”
Indeed, when speaking to the current Secretary of Homeland Security, Jeh Johnson, I detect no inkling of comprehension on his part that there is a difference between a natural disaster and a cyberattack. His response is, “Everybody should get a battery powered radio.” [Laughs]
An article in Wired criticized the US government’s “paranoid and vindictive” treatment of hackers and its refusal to hire them because they smoked pot. Shouldn’t we be doing more to persuade these often brilliant young people to help us?
[Laughs] Well, if we are going to eliminate all the people who have at one time or another smoked pot, the President, by his own admission, would have to step down, wouldn’t he? But I couldn’t agree more! If I were in government I’d put them on the job and see what they could do to help.
But I am not a technical specialist. I didn’t write this book in order to say, here’s how it’s done or how it can be done. I wrote the book to establish whether the experts believed it can and most likely will happen; and then to investigate which agencies, if any, private or government, have made any preparations for an unprecedented attack. And as I feared, there are very few preparations, if any.
What inspired you to write this book?
It may have been Leon Panetta’s speech where he talked about a cyberattack being the equivalent of a cyber Pearl Harbor. Leon Panetta is a serious guy and Secretaries of Defence don’t go around making these kinds of statements randomly. When Janet Napolitano retired, after five years as Secretary of Homeland Security, she made a similar comment in her farewell press conference at the National Press Club.
So I began making a couple of phone calls to the Red Cross, the Department of Homeland Security, FEMA, to try to establish whether anyone was prepared for this. I’ve been a reporter for over fifty years and, as you well know, one of the joys of being a reporter is that you are rarely as much of an expert on a given subject as the people you interview. As reporters, we are usually just people who have an instinct there’s a story here. Then we go to the people who have the information and start teasing it out of them.
I began with the instinct that, if I take Leon Panetta and Janet Napolitano at their word, what is it that the federal government has done to prepare for this? My instinct was, nothing. And, that, indeed, is more or less what I’ve found.