We learned this week that a hacker tried to poison the water supply in a town outside Tampa, Florida. An operator at the plant noticed the intrusion, and there was no significant damage done to the city’s water supply. But the thing is, a lot of our critical infrastructure is connected to the internet, and not all of it is very secure.
I take a deeper look in “Quality Assurance,” where we examine a big tech story. I spoke with Nicole Perlroth, who covers cybersecurity for The New York Times and is the author of the new book “This Is How They Tell Me the World Ends: The Cyberweapons Arms Race.” I asked her how we could start to tighten things up. The following is an edited transcript of our conversation.
Nicole Perlroth: I think we could just start by pausing the things we are hooking up right now. We’ve already identified the systems we define as critical infrastructure. It’s things like hospitals, election infrastructure, water-treatment facilities, the power grid, the nuclear plants. We need to go back and do some inventory to see where we have these open connections where we shouldn’t have them and turn them off. We need to add more segmentation around the crown jewels. So at the water-treatment facility, should it be possible for someone to up the amount of chemical in the water? No. We just need to make smarter decisions about how much of our critical infrastructure should be digitized.
Molly Wood: It’s frustrating to see that here in the United States, with the pandemic just being one example, it’s like we need the most painful proof before we will act. Do you think we’re going to have to have something far, far worse, the worst-case scenario, before we actually have awareness?
Perlroth: Yeah, it’s so frustrating. Everything meaningful to us that could be intercepted, has been: our personal data, our medical records, our intellectual property, our power grid has been infiltrated. We know Russia breached into our nuclear plants at one point. Now we know they’re buried in our federal IT networks. So it’s really, really bad. And I do worry it’s going to take the big explosion for people to wake up.
Wood: What about money and funding? I mean, if we, for example, have a federal government who takes cybersecurity really seriously, who elevates protection of critical infrastructure, could that unleash some funding to bring things up to snuff?
Perlroth: There were attempts at legislation that had real teeth. It never passed. Any rules that have been put in place came from executive orders, first from Obama, and then Trump. But really, they’re pretty toothless. These executive orders that came out just identified critical infrastructure and said, “Here are some voluntary suggestions for you to meet basic security.” So I do hope that with the SolarWinds attack and the new administration coming in, there will be a real opportunity here to reprioritize defense.
Wood: You talked a lot about how water-treatment plants are at the top of the list of worst-case scenarios. Is it that they are inherently easier to hack, less secure than, say, an electrical grid? Or is it just like it’s a silent killer with mass-casualty probability?
Perlroth: Yeah, it’s all of the above. Every time I talk about critical infrastructure for our readers on the Upper West Side or whatever, who don’t really realize that their drinking supply has been digitized, I always put it at the front of the list before I mention power plants, nuclear plants, railways, air-traffic control because it’s hard for people to conceptually understand that their drinking water supply is in any way remotely accessible to hackers. But it is, and I think it is the scarier silent killer because it’s very possible for someone to hack into the controls at these wastewater-treatment plants and drinking water-treatment facilities and up the level of chemicals. So it’s always been the threat that just keeps me up at night the most.
And it happened almost a year ago in Israel, right at the start of the pandemic, when they first put in place the stay-at-home orders. They announced that Iranian hackers had gotten into their water-treatment facility. And they ended up responding with an attack on an Iranian port. But one thing that was interesting about their response was Israeli officials decided that they weren’t going to go tit for tat, they weren’t going to hack into the Iranians’ drinking water supply because they decided that that was way beyond the realm of what they wanted to do. It was so dangerous and deadly. And so they responded instead on this Iranian port. But yes, this is a real threat that’s happening here a year later. [It] happened in this tiny town. Can you imagine if it had been successful and sent 15,000 people to a hospital right now, when they’re already under siege with the pandemic? It would have been a nightmare. So thank God we caught it, but it was a close call. And now it’s time to really reevaluate the security and accessibility of these systems.
Related links: More insight from Molly Wood
Speaking of critical infrastructure and cybersecurity, the former guy in charge of both of those things, Chris Krebs, testified before the House Homeland Security Committee on Wednesday. And he, among others, urged the Biden administration to be aggressive in responding to cybersecurity threats from Russia and other countries — but especially Russia. Lawmakers who lead the committee said cybersecurity is a, if not the, national security threat to our country.
Also, this week, the Biden administration announced that it had already — like in the first day in office, actually — appointed a senior official from the National Security Agency to investigate the SolarWinds federal IT hack and figure out any potential response.