But the biggest cyberattacks, the ones that can blow up chemical tanks and burst dams, are kept secret by a law that shields U.S. corporations. They’re kept in the dark forever.
You could live near — or work at — a major facility that has been hacked repeatedly and investigated by the federal government. But you’d never know.
What’s more, that secrecy could hurt efforts to defend against future attacks.
The murky information that is publicly available confirms that there is plenty to worry about.
Unnamed energy utilities and suppliers often make simple mistakes — easily exposing the power grid to terrorist hackers and foreign spies. A CNNMoney investigation has reviewed public documents issued by regulators that reveal widespread flaws.
There was the power company that didn’t bother to turn off communication channels on its gear at mini-stations along the electrical grid, leaving access points completely open to hackers. It was fined $425,000 by its regulator in August.
Another power company forgot to patch software on 66% of its devices, thus exposing them to known flaws exploited by hackers. It got a $70,000 fine in February.
There are plenty of other examples, and all “posed a serious or substantial risk” to portions of the electrical grid, these documents say.
And hackers do sometimes get through.
In an industry newsletter available online, the Department of Homeland Security occasionally documents hacks, though only with vague descriptions.
In early 2013, hackers attacked several natural gas pipelines in the Midwest, trying to break into the communication network that tells industrial machines what to do.
Last year, a hacker got into the network that controls industrial equipment at a public utility — but DHS won’t even say where it is in the United States.
We don’t know what happened in either case — or the dozens that stay under the radar each year. Neither do the very computer experts who train the nation’s next generation of hacking defenders. And even regulators can’t use this information to make safety regulations.
“Most folks don’t have any idea,” said David Kennedy, whose firm TrustedSec investigates attacks on power plants and other critical companies.
Steven Aftergood, who leads the project on government secrecy at the American Federation of Scientists, worries that “by categorically withholding this information, the government is concealing the very factors that shape homeland security policy.”
“Instead of a precise picture of an actual threat, the public is left with only vague generalities. The resulting deliberative process is crippled from the start,” Aftergood said.
It’s not just the energy industry. Every company that’s considered “critical infrastructure” can keep major hacks secret: the telecom industry, big banks, major chemical makers.
The only reason you hear about the small-time stuff — such as when a retailer loses your credit card — is because some states have laws demanding disclosures. The potentially dangerous hacks stay in the dark permanently.
Why all the secrecy?
In the wake of the 2001 terrorist attacks, government officials were worried about protecting the nation’s critical infrastructure.
To encourage the sharing of information about major physical and computer-based attacks, the 2002 Homeland Security Act included special protection for U.S. companies: Any evidence they submit is considered “Protected Critical Infrastructure Information” (PCII) and kept from public disclosure.
CNNMoney reviewed a 2009 DHS policy manual explaining the policy to law enforcement, government agents and industry. The manual explicitly explains this information is to be kept out of the hands of journalists, regulators and the public at large. The media “may not receive PCII” unless a company approves. A safety inspector “does not have a valid need-to-know” if he or she plans to use that information “for regulatory purposes.”