Will cyber attacks switch off the lights?

A couple of months ago I lost my mobile phone. I duly called AT&T, my telephone company, to order a replacement - and received a nasty shock.

"So you are living in Shanghai," an assistant announced, quoting an entirely unfamiliar Chinese address. Baffled, I explained that I didn't live anywhere near the Bund; my residence was in Manhattan, New York.

"No, you live in Shanghai," the voice firmly replied. When I protested vociferously, the AT&T official pronounced the three words that we have all come to dread: "You've been hacked." Somebody, somehow, had managed to break into the AT&T systems and switch my cellphone billing address from New York to Shanghai. Presumably, they were Chinese.

Thankfully, I don't seem to have suffered any financial loss from this breach: my account details were corrected and, as far I can tell (though it may be tempting fate to say so), nobody in China is walking around with a free iPhone in my name. But, like millions of others who have suffered similar attacks, I was left feeling violated and uneasy. And not just in relation to my phone.

These days we all rely so much on the internet that it's difficult to imagine life without it; digital communications are intrinsic to almost every aspect of our daily existence. The terrible paradox of 21st-century living is that just as we are all becoming ever more dependent on those digital links, so the web is facing a dramatic increase in cyber attacks, either from criminals, mischief-makers or malevolent players such as terrorists. And in general we only discover just how vulnerable we are when something goes unexpectedly wrong - be it with mobile phones, bank accounts or anything else.

Electricity is one issue that has recently caught my attention. The modern western economy is highly dependent on the electricity grid, and whenever the grid has gone down in America - say, after Hurricane Sandy in 2012, or during the infamously widespread 2003 outage in America's northeast - this has resulted in profound disruption.

So far - thankfully - no one has succeeded in creating any such major disruption by hacking into the electricity grid. In that sense, the situation seems a little better than in banking, where institutions including JPMorgan and Citigroup have suffered a series of cyber breaches.

Any sense of calm among power companies is illusory, however. Last week I attended a seminar with some cyber security experts and executives from the energy sector, where I was told that the power companies are now under constant, accelerating attack, either from troublemakers or (more often) state-sponsored players (think China and Iran). Nobody will say publicly how big or serious these attacks are but an investigation by USA Today earlier this year found that between 2011 and 2014 there were 362 reports of physical and cyber attacks on electric utility companies, according to the Department of Energy. Indeed, in 2013 alone some 161 cyber attacks on the energy sector were reported to the Department of Homeland Security, more than five times the level of two years before.

The power companies are fighting back and investing more in cyber surveillance. They are also creating what are known as "air gaps" between the networks (systems that ensure the grid can split apart quickly in the event of a breach, to stop contagion). Different parts of the federal government have quietly started holding joint briefing meetings about this.

And the good(ish) news, I was told, is that the public and private sectors are co-operating relatively well in this area, at least in comparison to other sectors such as banking. One reason for this, apparently, is that events such as Hurricane Sandy have created a template for joint public-sector/private-sector planning.

But numerous challenges remain. One problem is that electric power equipment tends - ironically - to be made in places such as China, which creates obvious risks. Another issue is that the components used in power stations tend to be so customised that they are difficult to replace in a hurry if damage occurs. Companies today do not keep an inventory of spare parts.

The other big issue is that nobody entirely knows whose responsibility it is to protect against these attacks. If terrorists conduct a physical attack inside America, it is generally assumed that the state - not private mercenaries - should fight back. But is it the government's role to build inventories of a power company's spare parts? Should the state be training cyber-surveillance officers? Or should companies do this themselves - and hope that shareholders will not punish them for investing in projects that do not produce returns?

There is unlikely to be any clear answer until - or unless - a really big attack on a banking network, phone system or electricity grid proves successful. Which is an alarming thought. But in the meantime, I am checking my utility accounts, bank accounts and phone bills a little more regularly. And I now plan to collect a stash of candles, batteries and tinned food. If the lights do go out, I want to be ready; or at least a little savvier than I have so often been with my mobile phone.

[email protected]

Illustration by Shonagh Rae

© The Financial Times Limited 2015. All rights reserved.
FT and Financial Times are trademarks of the Financial Times Ltd.
Not to be redistributed, copied or modified in any way.
Euro2day.gr is solely responsible for providing this translation and the Financial Times Limited does not accept any liability for the accuracy or quality of the translation