16 February 2020

Deterring Attacks Against the Power Grid

by Anu Narayanan

Increased reliance on intelligence processing, exploitation, and dissemination; networked real-time communications for command and control; and a proliferation of electronic controls and sensors in military vehicles (such as remotely piloted aircraft), equipment, and facilities have greatly increased the U.S. Department of Defense (DoD)'s dependence on energy, particularly electric power, at installations. Thus, ensuring that forces and facilities have access to a reliable supply of electricity is critical for mission assurance. However, most of the electricity consumed by military installations in the continental United States comes from the commercial grid—a system that is largely outside of DoD control and increasingly vulnerable to both natural hazards and deliberate attacks, including cyberattacks. In this report, researchers explore two approaches that DoD might consider as options for deterring attacks against the power grid: enhancing resilience and reliability to deter by denial and using the threat of retaliation to deter by cost imposition. The report represents a first step in developing frameworks and context to support DoD decisionmaking in this area.

Key Findings


The analysis focuses on two strategies for deterring deliberate attacks on the power grid: denial and cost imposition.

For deterrence by denial, the report focuses on "outside-the-fence" interventions—ways in which DoD can engage with entities or infrastructure not owned by DoD. Case studies show that outside-the-fence interventions complement rather than replace existing inside-the-fence interventions and that resilience and reliability interventions can enhance DoD's ability not only to deter attacks by a military adversary but also to sustain operations under a broader set of potential perils, such as natural disasters and aging infrastructure.

To explore options for deterring through the threat of cost imposition, the authors examine the applicability of international agreements on the law of war. For cyberattacks on the civilian electric power grid, the severity of the attack and the strength of attribution reveal several options for retaliation. Cyber intrusions on the grid launched by nation-states, for example, may be countered with legal countermeasures. And attacks reaching the level of armed attack could warrant military response.

The challenge for deterrence comes from the ambiguity of cyberspace. This ambiguity cuts in two key directions: cyberattack attribution and cyberattack severity. The ambiguity surrounding severity may lead to less-obvious problems, but there is reason for concern that a lack of clarity on the meaning of use of force in cyberspace could produce unintended escalation.

No comments: