President Trump ordered the federal government to prepare for a devastating cyber attack against America's electric grid amid growing fears foreign states are set to carry out attacks aimed at plunging the nation into darkness.
A presidential order signed Thursday directed key federal agencies to assess preparations for a prolonged power outage resulting from cyber attacks designed to disrupt the power grid.
An assessment of the danger must be carried out by the Energy Department, Homeland Security, DNI and state and local governments to examine the readiness of the United State to manage a shutdown of the power grid. The assessment will also identify gaps and shortcomings in efforts that would be used restore power.
New cyber security measures outlined in the executive order come as the commander of Cyber Command warned two days earlier that America's critical infrastructure is vulnerable to disruption by foreign cyber attacks.
Cyber command chief Adm. Mike Rogers said several nations, including Iran, have been tied to disruptions and remote intrusions into U.S. critical infrastructures, such as the electric grid, financial networks, and others.
Rogers said destructive cyber attacks on critical infrastructure are one of his two worst case scenarios. The second involves the threat of cyber intrusions aimed at manipulating data within networks.
Iran tried to disrupt the function of a dam in upstate New York in 2013, and Russia has used industrial control malware called BlackEnergy to attack Ukraine's electric grid, Rogers said.
"Infiltrations in U.S. critical infrastructure—when viewed in the light of incidents like these—can look like preparations for future attacks that could be intended to harm Americans, or at least to deter the United States and other countries from protecting and defending our vital interests," Rogers said.
The report on electric grid cyber attacks must be provided to the White House by Aug. 9.
The new order is the result of a Trump administration policy review aimed at improving cyber security for both the government and private sector.
The order states that federal agency heads will be held accountable for protecting networks from cyber attack, an apparent reference to China's cyber attack on the Office of Personnel Management that led to the theft of some 22 million records on federal workers, including very sensitive personal data.
Homeland Security Adviser Tom Bossert told reporters at the White House in announcing the new order that the OPM hack highlighted the need for improved federal government software and hardware that will focus on sharing services and securing data.
"We saw that with the OPM hack and other things," he said. "We've got to move to the cloud and try to protect ourselves, instead of fracturing our security posture."
The order does not seek to define an act of war in cyberspace.
However, the directive requires the Pentagon and other security agencies to report within 90 days on cyber warfighting capabilities and defending the industrial base from cyber attacks.
Foreign hackers pose threats to the technology and equipment supply chain including U.S. military systems.
Military cyber warfare efforts are mentioned vaguely in the order. It states that security agencies must "assess the scope and sufficiency of United States efforts to ensure that the United States maintains or increases its advantage in national-security-related cyber capabilities."
Federal agencies also will draw up "options for deterring adversaries and better protecting the American people from cyber threats," the directive says.
Declining to telegraph U.S. responses to foreign cyber attacks, Bossert nonetheless said: "If somebody does something in the United States of America that we can't tolerate, we will act."
Bossert said the trend line of cyber attacks is moving in the wrong direction. "We see additional attacks, additional numbers, additional volume and occasionally additional successes that trouble us," he said.
The administration will increase spending for cyber security by $1.5 billion in the coming year, Bossert said.
On infrastructure cyber security, Bossert said additional measures to bolster critical functions are a key element of the order.
Most critical infrastructures are not owned by the federal government, complicating efforts to protect them from foreign attacks.
"The executive order not only requires his departments and agencies to help those critical infrastructure owners and operators, and the most important ones, but to do it in a proactive sense," Bossert said. "The message is a tilt toward action."
Bossert said Russian cyber attacks during the 2016 election were not the motivation for the new policy. Several adversaries threaten American cyber security and the new policy is a "United States of America-motivated issue."
"The Russians are not our only adversary on the Internet, the Russians are not the only people that operate in a negative way on the Internet," he said.
"The Russians, the Chinese, the Iranians, other nation-states are motivated to use cyber capacity and cyber tools to attack our people and our government and their data," Bossert added. "And that's something we can no longer abide."
Former DNI James Clapper told a Senate hearing this week that he too worries about foreign cyber attacks on U.S. infrastructure.
"I worry about the worst case which is an attack on our infrastructure," he said. "And I think the Russians have, particularly, have reconnoitered it, and probably at a time of their choosing, which I don't think right now is likely, but I think, if they want it to, could do great harm."
The order also highlights the growing threat from automated cyber threats, such as botnets—thousands of hijacked computers operating in concert to conduct cyber attacks.
Under the order, the government will seek to improve security for private sector computers that could be used in botnet attacks.
Paul Rozenzweig, a former Homeland Security cyber security expert, said the order is a good start.
"This order is just a starting point, with a number of reports required over the next few months and significant obligations on the federal agencies to make recommendations for improvement," he said.
"The rubber will meet the road when we get to the point of deciding which recommendations to implement."