U.S. must prep for a cyberattack that coincides with a natural disaster, industry council says

A presidential advisory council has warned that a catastrophic months-long power outage on top of a cyberattack represents a “profound threat [that] requires a new national focus.”
Water comes over a retaining wall in Kemah, Texas, during Hurricane Harvey. The National Infrastructure Advisory Council wants the government to prepare for a cyberattack that could occur at the same time as a natural disaster. (Getty)

A presidential advisory council has warned the White House and Department of Homeland Security in no uncertain terms that a catastrophic months-long power outage represents a “profound threat [that] requires a new national focus.”

The president’s National Infrastructure Advisory Council, a group of executives from the public and private sectors tasked with issuing advice on protecting critical infrastructure, in a December report calls on the government to enhance its efforts to prevent widespread electrical failures in the event of a natural disaster.

“Significant action is needed to prepare for a catastrophic power outage that could last for weeks or months,” the report found, adding that a cyberattack timed to coincide with a natural disaster could be especially problematic.

“Although emergency authorities are understood at a high-level, how they are implemented in practice is unclear,” the report states. “There is a better understanding for physical events that are more frequently practiced, but it is less clear for cyber-physical events and larger-scale disasters.”


While the U.S. power grid has not experienced a natural disaster at the same time as a major cyberattack, both threats appear to be becoming more urgent. Extreme weather events ranked as the largest risk facing the world over the next five years, followed by large-scale hacking, according to the World Economic Forum’s Global Risks Report 2018.

The prospect of both instances happening at the same time is enough for NIAC to encourage the government to take steps to mitigate potential consequences following such an event.

In preparation, the council suggests that the federal government should clarify which department has what authorities in the event of a natural disaster affecting grid security. Cybersecurity agencies within the Department of Energy, the Department of Homeland Security and the Department of Defense should have specific budget appropriations and authorities to consider security following a disaster, according to NIAC.

The government must exercise the National Cyber Incident Response plan with the private sector to ensure it will work as intended in a real-world incident, NIAC states.

Stakeholders also should “conduct a series of regional catastrophic power outage exercises that identify the second- and third-order cascading failures of an outage over time, as backup resources and mutual aid agreements are exhausted, and examine cross-sector supply chain and cyber risks that could delay re-energizing the grid,” the report says.


The federal government has been testing how it would respond to such an event. Last month, contractors working with the Defense Advanced Research Projects Agency (DARPA) conducted an exercise with engineers from prominent utilities to try to restore power following a hypothetical cyberattack.

Other recommendations include developing an emergency communication protocol built on self-powered technology and designing incentives to encourage companies, non-governmental organizations and municipalities to implement NIAC recommendations.

NIAC was founded after the terrorist attacks of September 11, 2001, to provide the executive branch with possible solutions to threats facing U.S. critical infrastructure industries. Eight members of the council resigned in August 2017, citing President Trump’s “insufficient attention” to critical vulnerabilities in U.S. national security.

Rich Baich, Wells Fargo’s chief information security officer, is scheduled to join the council later this week, as CyberScoop previously reported.
