MorganEnergy

Today’s issue of the Wall Street Journal has a major article about cyber-attacks on the US electricity grid. Apparently spies from a number of countries, including Russia and China, have been covertly hacking into electricity systems in the US.

The espionage appeared pervasive across the U.S. and doesn’t target a particular company or region, said a former Department of Homeland Security official. “There are intrusions, and they are growing,” the former official said, referring to electrical systems. “There were a lot last year.”

Thus far no damage has been reported, and the hacking activity appears to have been more of a scouting mission than an all out attack. However, officials worry that malware may have been left behind and could be activated in the event that hostilities break out.

The other major problem is, of course, working out who is attacking you:

It is nearly impossible to know whether or not an attack is government-sponsored because of the difficulty in tracking true identities in cyberspace. U.S. officials said investigators have followed electronic trails of stolen data to China and Russia.

Russian and Chinese officials have denied any official involvement in the attacks.

Although attacks of this type have been going on for some time, it is probably no accident that the WSJ has chosen to report them now. The Smart Grid movement is finally managing to get some traction, and one of many questions being asked is whether there should be an open standard for supply of equipment, or if instead a single company should be tasked with developing a secret and supposedly hack-proof technology. The WSJ acknowledges this in a supporting article that asks whether the Smart Grid would help repel attackers, or open the door to them.

At one level this is just another one of those traditional Washington arguments where a big business tries to persuade Congress that it needs to be granted monopoly control of some aspect of the economy under some pretext or other. However, in this case the pretext could be worryingly wrong, because open standards may be the best solution.

Last week security expert Bruce Schneier worried about who should be in charge of cybersecurity in the US. He pointed out that organizations like the NSA tend towards paranoia and, if given sweeping powers, will be tempted to use those powers against imagined internal enemies rather than external ones. In addition security organizations like the NSA often have an incentive to preserve back doors in systems so that they can use them themselves, rather than plug them so that others cannot.

The main point, however, is that security systems can never be made hack-proof. As technology journalist Cory Doctorow explains, discussing a rather different area of business, the only way to be sure that a security system is actually unbreakable is to make it public and let enthusiastic hackers try to break it. Contests such as this one held last month to test the security of web browsers do far more to keep our computer systems secure than bureaucratic secrecy.