The book is called Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath. It’s currently going for less than $20 and was apparently a New York Times Bestseller. It seems that nearly every book anymore is a New York Times Bestseller, but we digress.
Speaking to CSO Online, Ted Koppel was forced to confess that he had not bothered to get much in the way of expert opinion in researching his book. This means that even if his premise is correct, that critical parts of American infrastructure are significantly insecure and vulnerable, whether or not it’s true can be called into question.
The book largely refers to hacking as some mythically talented individuals rather than a section of the network security community that is perhaps a bit less governable. Example, from Chapter 4, “Attack Surfaces”:
Getting into a piece of critical infrastructure is one thing, but it’s worth repeating that navigating an electric grid is a highly complex operation. The reconnaissance required to understand the system sufficiently to compromise it can take years, challenging the skills of even the most cyber-competent nation-states. We’ll get into what the experts call “preparing the battlefield” in a later chapter. (Several nation-states, most prominently the Russians and the Chinese, have already spent years conducting just such reconnaissance.) For the moment, suffice it to say that it’s difficult to keep hackers out of the system.
Notice that he uses no references or footnotes here. It’s just his feeling on the matter. However, there are quotes from security professionals peppered throughout the book, such as Richard Clarke, who says this in the same chapter:
If you go into a big, modern power station in Shanghai, or a big, modern power station in California, you’re going to find the same SCADA software.
Clarke’s area of expertise is cyber warfare with states like China and Russia. He does not specialize in penetration testing the power grid. Nevertheless, he is relied on throughout the book.
Also read: Cyber Warfare: The New Arms Race
CSO Online asked Koppel the million dollar question: Did you interview penetration testers who have experience in the electric generation/transmission sector for this book? His response:
No, I did not.
In a separate article at CSO Online, which reviews the book and talks to security professionals intimate with the security of the power grid, it turns out that while everyone agrees with Koppel on the vulnerability and high-risk of the power grid system, things are not as bad as some in the military-industrial complex and the likes of Koppel would have us believe. The article quotes CTO of Cigital, a firm which “help[s] organizations build security in,” who said:
[Ted Koppel] has jumped on the cyber FUD bandwagon (led by) cyber warmongers. We must do all we can to build security into all modern systems, but the sky is not falling.
Books like Koppel’s are good at keeping certain things in the consciousness of the public, but they also instill an undue fear of amorphous “hackers” who are seen as coming to destroy everything. It leaves out key components of the hacking ethos, like determination and resilience – meaning that it could take several detectable efforts before a successful hack ever were to succeed.
The threat of cyber war is real in an era where nearly all critical infrastructure is networked, and defenses should be increased, but stirring up fear is a tactic which would be better left in the past.
Featured image from Shutterstock.