America isn't prepared for a 2 a.m. cyberattack

America isn't prepared for a 2 a.m. cyberattack
© ThinkStock

At 2 a.m. on a Sunday, the White House operator takes a call from the 24-hour Command Center at NASA. There’s a grid or cyber emergency. The operator asks if it’s the Russians. If it is, it would be an act of war. “Not this time.” The NASA officer says smugly. “It’s from a far more deadly source.” Fifteen hours earlier, NASA’s solar observatory satellite had detected an enormous ejection of plasma from the Sun’s surface, creating a huge geomagnetic storm in space.

The odds that this storm would intersect Earth’s orbit were infinitesimally small. But after tracking it NASA realized that it would, indeed, strike the Earth. In a little over two hours! NASA calculated that the geomagnetic storm was so huge that it would produce an electromagnetic pulse (EMP) equal to a “Carrington Event” — one that would shut down all electrical systems on the entire planet. A total blackout. No lights. No power. No Internet.

 

The president is awakened. The staff at the White House have the presence of mind to get the president to declare a “grid emergency” under the Federal Power Act and turn the responsibility for dealing with it over to the secretary of Energy. No one in Washington is prepared for a grid emergency caused by the sun. Russia, yes. The sun, no.

There are 8,084 electric power-generating stations in the United States. The secretary herself has four Power Marketing Administrations in her own department. The Federal Energy Regulation Commission (FERC), has five Independent System Operators (ISOs) and two Regional Transmission Organizations (RTOs). Each state has some kind of energy agency in addition to a Public Utility Commission (PUCs) that regulates the power industry.

So, as the secretary starts making phone calls to the almost 8,200 players in the grid emergency game, she glances at the clock. It’s been two hours since the NASA warning call. Just then, her home goes dark and the phone line goes dead.

On Aug. 29, 2005 Hurricane Katrina blew ashore south of New Orleans. Over 1,800 people died and over $100 billion of damage was done. It was the most devastating storm to hit the United States since 1928. Thanks to a multi-state agreement adopted in 1996 called the “Emergency Management Assistance Compact” (EMAC), help for Katrina’s victims came from all over the country. The numbers reported by the National Emergency Management Association are impressive:

  • More than 1,300 search-and-rescue personnel from 16 states searched more than 22,300 structures and rescued 6,582 people.
  • More than 6,880 sheriff's deputies and police officers from 35 states and countless local jurisdictions deployed across Louisiana and Mississippi.

The key letter in the EMAC acronym is “C.” It stands for “compact” or, more specifically “interstate compact,” which is a type of hyper-agreement among two or more states plus the federal government.

The EMAC sets forth the legal framework for interstate cooperation during an emergency. The “how” the mutual aid will be furnished is left to state officials who work through the National Emergency Management Association (NEMA).

So, what do the EMAC and the NEMA have to do with the poor secretary of Energy sitting alone in her dark living room trying to “manage” the grid emergency? Nothing, but if there were “cyber clones” of these two entities, they could be the answer to the secretary’s prayers. If there were a “Cyber Emergency Compact” (CEC) and a “Cyber Emergency Management Association” (CEMA) composed of all the major utilities, power distribution companies, and state agencies, then the secretary wouldn’t have to make almost 8,200 phone calls, she could just make one — to CEMA headquarters.

Once they heard from the secretary, CEMA would implement their “Cyber Emergency Plan” that had been developed and approved by each of the states as well as the federal agencies that were parties to the compact. So the almost 8,200 organizations would simply get out their copy of the Plan and follow the instructions agreed to.

So, what do we do when there’s a real cyber emergency — another Carrington Event that will fry all of the electric circuits on earth? Right now we pray that the secretary will complete her 8,200 phone calls. But if we were smart we’d get our government energy people to create an interstate compact for grid/cyber emergencies.

Cyber threats from the sun may be rare, but not so cyber threats from the Russians. The compact would work against both.

Michael Curley is a lawyer who has published four books on environmental finance and law and taught courses on those subjects at the Johns Hopkins University, George Washington University, and the Vermont Law School. He served on the Environmental Financial Advisory Board at EPA for 21 years under four presidents.