Today we have a very interesting distinguished guest in a kind of different format than we've used in the past in the Energy Seminar, and that is a panel discussion, and our very distinguished guest has requested that most of the dialogue be between him and the students, so we have a student panel and then a lot of students sitting in the front of the audience here. So our very distinguished guest today is Ted Koppel, Mr. Ted Koppel as I call him, the Peter E. and Mimi Haas distinguished visitor for 2018 here at Stanford. He is, I think it's probably not overstating it, one of the, not the most distinguished, honored and admired telejournalist in U.S. history. Not too much. And for you big data guys, I know we have a lot of those, the data supporting this. This is a pretty low bar. More so now than then, Ted has won the most Overseas Press Club of America awards, breaking the previous record holder, Edward R. Murrow, 12 Alfred I. duPont-Columbia University Awards, 8 Peabody Awards, and 42, count them, 42 Emmy Awards. And for me, I'd like to give a little personal thing. I remember in the 1980, about 1980, struggling to do oil security work and then a few things happened in the world that were kind of almost created, almost as much turmoil as we see today, mostly here in the U.S., and I would flip on Nightline at that point and find Ted Koppel kind of telling us all the truth of nothing but the truth in a very unbiased way. I wish we had more people around nowadays like that. So thank you for that at a personal level. I think that's continued through his entire career. So what we're going to do is Ted will give a little preamble about why he wrote the book. Then I'll ask the panelists to introduce themselves and then we'll start on the panel questions. We'll have some time for audience questions, again focusing on students at the end. So Mr. Koppel.
When I told my wife that I was going to write a book about the danger of a cyber attack on the power grid, she said, why you, you know absolutely nothing about cyber warfare and even less about the electric grid, both of which were true at the time. What got me interested in the subject was Leon Panetta, who at the time was Secretary of Defense, and he gave a speech to a group of defense contractors in which he said, among other things, that the danger of a cyber attack on our electric power grid was first of all a very real danger and secondly would be the equivalent of a cyber Pearl Harbor. That caught my attention. And I began to make some phone calls, not so much to determine what the, I mean how an attack like that would take place, but how prepared our government was in the event that an attack like that took place. So I began by calling FEMA and then I called the Department of Homeland Security and then I called the Red Cross and in each case I couldn't get past the phone tree. There wasn't a single human being who answered the phone at any one of those three agencies. So that intrigued me because my reasoning at that point was, if I can't get a hold of anyone, when nothing is going on, when there is no crisis, what in heaven's name is going to happen in the event that a power grid is knocked out? And that's when I began to do my research on the subject and let me very quickly just sort of give you the conclusion of it all, which is that the likelihood of a cyber attack on the grid is significant, that some of the top intelligence people who were in the government at the time that I was researching the book told me that both the Chinese and the Russians have already embedded what is equivalent to kind of a cyber landmine in our electric power grids. We only have three power grids in this country. There is one on the east coast called the Eastern Interconnect.
You have one out here on the west coast and for reasons that are still not altogether clear to me, Texas has its own grid. Were there to be an attack, it would be the equivalent of an act of war. In fact, it would be an act of war. The likely consequences of an attack on the power grid, a successful attack, would be that tens of millions of Americans would be without electricity for a period that could range up to several months. Thousands would die. There would be chaos in our cities. You have only to imagine what the consequences of an attack like that would be if the electric power were to go out in San Francisco or Los Angeles or Chicago or New York. Imagine it's the middle of summer and air conditioning goes out, lights go out, refrigeration goes out. Your water taps stop running because water is powered by pumps and pumps need electricity. You could try to flush your toilet, but it wouldn't flush. The consequences of no capacity to get rid of human waste in a city like New York, eight million people, hot, 90 degrees outside, it wouldn't take long before the health consequences would be huge. I'll leave the consequences of the attack at this point and just leave you with one larger question that I hope we get to. Most discussions about cyber attacks on our infrastructure focus on what can be done to prevent them. One of the rules of thumb of cyber warfare I have learned is that offense almost always trumps defense. It is all but impossible to protect against a really sophisticated cyber attack. Problem number one. Problem number two is one of attribution. How does the U.S. government respond to an attack that is going to create chaos when it cannot tell on day one, day five, possibly for several weeks after an attack with any certainty who was behind it? So with that as sort of an opening, let me turn to my colleagues here on the panel and I'll be happy to address any questions you have later on.
Great.
We'd like to give short introductions to each panelist, Bianca.
Hi, my name is Bianca Droud and I'm a first year master's in atmosphere and energy, really interested in modernization of the power grid.
Hi, I'm Alexi here. I am a junior studying computer science and political science. I have worked both on the technical side and the policy side of cybersecurity. And my main focus on campus is trying to get computer scientists like me interested in policy questions and like making our country safer.
I'm Rachel Hirschman. I'm a senior studying political science and management science and engineering. My focus tends to be on cyber security and other international security issues.
Hi, I'm Rafi Savlion. I'm a postdoc at SLAC National Lab in Stanford University. My focus is on electric vehicle integration and renewable energy integration in the grid.
Great. So we have a few questions and we'd like to start with how likely is a cyber attack on the grid and who is most likely to perpetrate it so anyone can jump in?
Oh, you're asking me? Good. All right. Imagine two lines on a graph. The one line is the line of nations that have the capability or that have the greatest capability of launching a cyber attack on the grid. Russia, China, as you go down the capability scale, Iran, North Korea, Syria. And then of course you get to groups like ISIS, which don't yet have the capability. Those at the top of the capability scale are also the least likely to launch an attack. Why? Because we have the greatest interaction, the greatest number of interconnected interests with the Russians and the Chinese. As you come down the capability scale, you go up the likelihood scale. That's the other line on the graph. So that Chinese and Russians, not very likely at all, Iranians under certain conditions, North Koreans, again under certain conditions, but probably more likely than the Iranians. Syria depends.
I mean, let me just point out to you, it doesn't always have to be a devastating attack. What is really important to understand about cyber warfare with regard to the United States is that because of our enormous dependence on the internet in this country, we are probably the most vulnerable nation in the world. Imagine a cyber war if you could limit it just to a cyber exchange between the United States and North Korea. There are so many times when the North Koreans are without electric power to begin with. If you've ever seen any of those satellite photographs of the Korean Peninsula and you see South Korea ablaze in light at night and North Korea essentially dark, the United States is vulnerable to a cyber attack. The United States has been hit, is being hit by thousands of cyber attacks every day. The kind that do damage, well, we've been hit by those too. About two and a half, three years ago, vacuumed up 21 million records, personnel records, of American men and women who worked for the government, State Department, Pentagon, White House, CIA, FBI, 21 million records. We the most successful intelligence crew of all time. We paid very little attention to it, the public eye. So how likely, those who can do it, not very likely, those who are trying to get the capability the further down the scale you go, very likely, but fortunately they don't have the capability yet. But they likely will. And I would imagine that sometime in the next five years we will be hit by a major cyber attack.
And I'd also just jump in and say that Iran, speaking of countries with less capabilities or less intention of doing it, Iran did get into a New York dam a few years ago, which isn't the electrical grid, but it is another element of our critical infrastructure. And while the New York facilities discovered that they were there, Iran actually never executed the payload that they put in there, so an attack never happened, but they were there.
And I would go out, I wouldn't be going out on a limb to say that countries are in our critical infrastructure, they just haven't actually executed an attack yet. And something else to remember is a cyber attack is usually through a virus. And a virus like a human virus is not controllable. You release it in the wild and something happens. So for example, Stuxnet, which a lot of people believe was used by the United States against Iran, an instance of Stuxnet two years after the original outbreak of it or the original release, a power plant in Germany actually was found to have this virus actively in their system. So there are externalities to using cyber weapons. And the cyber war that Mr. Koppel mentioned would affect the world. It would not just affect the United States, especially because a lot of the companies that make the internet great are housed in the United States. So attacking the US power grid or the internet broadly would be, just the global economy would not, it would be very bad, let's put it that way.
There's been a recent loss of the NSA's crown jewels. Do you think that will somehow find its way in attacking us?
What do you mean?
I just remember reading this somewhere that there was a huge breach in a lot of their cybersecurity tools and they're just trying to find them on the black market now to see who has them and who's selling them.
So you're referring to a lot of the tools that the NSA uses, their source code has been published on the internet. Yeah, that is a big concern. Actually a lot of people at the NSA, there's a really good New York Times article about this a couple of months ago, a lot of people at the NSA are very, very worried about that. Those tools are very dangerous. And in the wrong hands, they could do a lot of damage. So you were talking about as you go down the capability scale, the probability of attack increases, well if anyone in the world with a computer can use the NSA's flagship cybersecurity weapons, what can happen?
Suddenly this attack doesn't seem so infeasible. A nuclear attack, it's a lot harder to steal a nuke than it is to steal a cyber weapon.
And one other point, and I hope we get into a little bit of a discussion of this later on, over the years we developed, we and the Soviet Union developed a sort of a modus vivendi, a way of dealing with the reality of each side having enough nuclear weapons to, in Winston Churchill's famous phrase, make the rubble bounce. And whereas during the first few years of the atomic age, both sides were trying to find ways to defend against a nuclear attack. And that entailed, among other things, silly little propaganda films like Duck and Cover, which were ways that school children were encouraged in the event that there was a nuclear attack to get under their desk, a whole lot of good that would have done, right? And it was only after about ten years of unsuccessfully dealing with the notion of preparing ourselves against a nuclear attack that we and the Soviets eventually came to the conclusion that the best we could deal with the new nuclear reality was MAD, Mutual Assured Destruction, the notion being whatever you can do to us, even after a nuclear attack on the United States, we would still be capable of launching an equally great nuclear attack on the Soviet Union. And basically that balance of terror has sustained us, but that also involves knowing who the enemy is. It involves being able to go to the President and saying, Mr. President, the Soviets have just launched half a dozen nuclear missiles against the United States. Do you want to hit them before the missiles land or do you want to wait until after the missiles land? You've got twenty-eight minutes. But there is no question about where the attack comes from. In the case of a cyber attack, there are lots of questions and probably very few answers for the first few weeks.
Yeah, so that kind of leads into another topic, which you've already touched on.
How prepared are we currently for an attack, cyber or otherwise, on the grid? And I think each of us may have something slightly different to say on this, so if any of you want to jump in.
I mean, I'll add from a technical side, there are some basic defensive measures that many corporations and the government have not yet taken with regards to the security and the cybersecurity of these systems that can involve kind of physical security measures and just protecting the intrusion of individuals into the spaces. But then there's also with SCADA systems. A lot of these systems, which are operational technology, come with default passwords that corporations rarely change. So a lot of the systems that make up are kind of the basic premise of a lot of critical infrastructure of the electrical grid have the same password. So if you get that one password, then you can infiltrate a lot of systems. And I could speak to a kind of other defensive measures, but I think that even that just proves to you that there's a lot of steps that can be taken from a technological perspective to just even have basic levels of defense with respect to the security of the grid.
Yeah, another thing that we talked about kind of a different angle. There are like a million bottlenecks that exist with like different people who have different states and the importance of the cybersecurity of the power grid. And that's really scary. So you have like the utilities answer to utility commissions who answer to rate payers. And how are you going to get all of those people on the same page?
Yeah, just to let's just think about that for a second. There's a default password for almost all of the of the systems that control power and et cetera, et cetera. There's one password for all of those and they haven't it hasn't been changed. Now you got to think if that's going on, what level of thinking is going on here? Like are people even thinking like anyone who has brought this problem, it's an easy solution.
So to answer the question, if we're not even doing this basic level of thinking, are we doing any thinking at all? Like that's operationally like functional. I don't know.
I think for a large bureaucratic establishment like a utility, first you have to mandate it by the government to do something. And then you have to give them the money to do it and then train them on how to use it. They won't do it on their own. I don't think the incentives exist. Someone could disagree with me, but I just don't think they exist. I've worked with utilities in the past and that's sort of the ebb and flow. If you're going to make them stay beyond six PM, you have to give them everything.
Let me just, if I may, give you a little bit of background in how the electric power industry works. There are currently 3,200 electric power companies in this country. They are all interconnected. The SCADA system that my colleague here was referring to a moment ago, that's an acronym for supervisory control and data acquisition. SCADA systems, the power grid depends upon maintaining an absolute balance between the amount of electricity that is generated and the amount of electricity that is used. I analogize it to a giant balloon with 3,200 valves. Half of them let air in, the other half let air out. Too much air in, the balloon explodes. Too much air out, the balloon collapses. If you can get into one of these SCADA systems and the huge power companies, the big ones, are indeed very well protected, but they are connected to the small ones, which are not very well connected. When I talked about the Chinese and the Russians mapping sort of a navigational system to get into these SCADA systems, they come in through the least well defended. Even if there were a better system than the one that exists, you still have the human factor. Some idiot takes his thumb drive home at night, plugs it into a laptop that is not well defended, that is not protected. It becomes infected.
He brings the thumb drive back to work the next day, plugs it into his system, and the system is infected. There are so many different ways to get into these systems. One other thing, just so you have a sense of how many different ways there are of undermining our system in the United States. A number of years ago, when President Obama drew the red line in Syria and warned the Syrians what would happen in the event that they used chemical weapons. At just about that time when that threat was made, a bulletin went out on the Associated Press. The bulletin stated that there had been an attack, gunshots fired at the White House, that the President's whereabouts were unknown. Within three minutes, the AP discovered that they had been hacked, and that this was a phony bulletin, and they pulled it and corrected it. Within those three minutes, the market dropped hundreds of points. They found out later that the attack, the hack attack, had been committed by the Syrian government. Just tiny ways. It didn't take much. A phony story, a piece of fake news, if you will, and the market just plummeted.
Yeah, so you're kind of talking about some scenarios of a cyber attack. Do any of you have any other ideas of how a cyber attack could play out?
A really interesting scenario in Ted's book actually is if, for example, a Chicago in the winter needs a lot of power and maybe can't generate as much power as it needs. Florida in the winter needs less power. So Chicago says, hey, the Chicago grid needs more power. Can you pipe some from Florida? So they start doing that. Imagine a scenario where that system has been infected, where an attacker can see that happening. Florida is about to pipe power in Chicago. Chicago is accepting more power. Imagine if every other station in the United States were then to flood Chicago with power. Bam, autonomously. The attacker doesn't even know what's going on.
It just has a little trigger in that system that says if Chicago is accepting power, make everyone give them power. The grid explodes. No one needs to sit there and monitor it. It can just be autonomous. It's turned on remotely. Some scary stuff.
I could chime in. So after the 2003 blackout, I believe on the east coast, most people in the U.S. grid and on the technology side wanted to implement what are called synchrophasors, which are essentially, they measure not only, so the way voltage works is that it's a sinusoid. There's a magnitude. There's a phase. Prior to the development and adoption of synchrophasors, we mostly ran our system by measuring magnitude. And they wanted to push in these devices that will measure phase. And they realized that during this blackout, they weren't monitoring the phase. And the phase was going haywire and no one could look at it. So now everybody wants to put synchrophasors everywhere. But the one problem with synchrophasors is that it's based off a GPS signal. And it's very easy to imagine a few guys with an antenna and a radio spoofing, essentially a large substation's set of synchrophasors and just taking it completely offline. And unlike other cyber attacks, there is no trace because all you see is your timing go off and that's it. There could be a van parked somewhere doing it and they could drive off when the grid collapses. So yeah, you can run your imagination a thousand ways on what you can do. You can also basically map out the entire transmission network. I mean this is currently the California ISO. I know the California ISO is an example. They have a computer room where they have their entire set of network models and there's an armed guard sitting outside. But I can basically just go online and map out everything, estimate essentially the resistance and inductance and all these parameters and build my own model. And I know exactly what's going on.
So yeah, I think it takes maybe a master's degree and mal intent to really bring down the grid if you really, really want to.
Now there is this concept of the air gap, if any of you who know more about it could explain what that is. And talk about some possible solutions for grid security and what are the obstacles to effectiveness.
So an air gap, this is something that's very common, especially in the energy industry interestingly. It's the idea that when you, you have the internet, right? We've heard that term a lot. Internet means there's this giant web that connects your phone to the Google servers, to the Facebook servers, to the Stanford network. It's all connected. The idea of an air gap is that there's no networked connection between your internal network and the external network. There's literally a physical air gap between your network and the internet. Now the issue is this creates a very false sense of security, right? You have the idea that, oh, the internet can't touch my network. There's nothing. No, you bring your phone into the facility every single day. That's connected to the internet. You bring the, Mr. Koppel's example of the thumb drive, someone plugs in a thumb drive. Bam, you've just defeated the air gap, right? So the issue, you hear a lot of people saying that air gaps are bad. It's not that they're bad. It's that people believe in them a little bit too much as a catch-all solution to this sort of thing. I don't know if you guys have thoughts about that.
Well, let me make another point. I think we are spending too much time as a national policy trying to find a defense against a cyber attack and not enough time at all focusing on what the government would do in the event that infrastructure, like the electric power grid, were undermined and taken offline. There are things that can be done.
I mean, in the interim, while I was never able to get through on the phone, ultimately I got to interview some of these senior people, the Secretary of Homeland Security. When you ask Homeland Security, what is it that you would do in the event that a power grid was knocked offline? They have no answer, not quite accurate. The answer they have is the same answer they'll give you for a hurricane or a flood or a blizzard. Make sure you have a 72-hour supply of food. Make sure you have a 72-hour supply of water. If you are taking prescription medicines, make sure that you have a week's supply of your prescription medicine with you. And oh yes, make sure you have a battery-powered radio. So I asked the Secretary of Homeland Security, what is it you're going to tell me on my battery-powered radio after an attack like this that you can't tell me now? Is there a plan? And his response was to point to a shelf behind him and a bunch of white folders. And he said, I'm sure there's a plan up there somewhere. I'm not. And I really, just to give you a small example of how unprepared we are, I spoke to the man in charge of Homeland Security for the state of New York. And I said, how much food have you got in the event that the power is knocked out? And he said, well, we have 20 million MREs. MREs are meals ready to eat. They are the, you know, the mill. And any one of those MREs would last you certainly for a day, possibly two days. I said, wait a second, let's just do the math, shall we? You've got eight million people in New York City alone. So what you're telling me is you have a three-day supply of food. And he said, that's right. I began looking into the issue of why there are so few MREs. You know why? Because they only have a shelf life of five years. So the government doesn't want to buy 200 million MREs because if there's no major crisis after five years, they'd have to throw them all out. What we do have is freeze-dried food.
Freeze-dried food has a shelf life of 25 to 30 years. It would make eminently good sense if Congress would allocate a few billion dollars for the purchase of two or 300 million freeze-dried meals. You think in the current atmosphere we're going to be able to convince Congress to do that? Not a chance. But at least then, in the event of a cyber attack, worse comes to worst, terrible news, no cyber attack, but other crises, floods, earthquakes, blizzards, the food would get used. It's not going to go to waste, but we have taken no steps to prepare ourselves for the likelihood of a cyber attack against our power grid.
Bless you. Do any of you all have any other ideas about response to a cyber attack?
He covered it pretty well.
Any technical responses that may exist or could one day exist?
Something that Europe is really big on is these CERTs, these computer emergency response teams. They kind of see this as a catch-all solution. So if there's a cyber attack of any kind, especially in critical infrastructure, this team would come in, identify where the attack, where it's localized, and try to kind of cauterize it, make sure that it's isolated, and then try to do attribution after that. The issue is that works well for Sweden, for example, which has one power maker and one power distributor. And so they're able to sit right on top of that facility that does all of that and monitor it. But for a place like the United States with 32,000, right, 3200, sorry, still massive, very, very difficult to have that kind of localized knowledge. In the case of an incident. So I don't know. A lot of the principles that apply to common cyber attacks, because of the complexity, the enormity, and frankly, how little we understand our power grid, it's particularly difficult. So yeah.
I would imagine that would make it harder for an attacker as well. 3200, completely different systems. Some are mechanical. Some are electrical.
So there's this principle in cybersecurity.
But all interconnected.
Yes, all interconnected. And an attacker has to get it right once. A defender has to get it right every single time. And so 3200 different companies, all an attacker can spend three years mapping those out, figuring out if this happens, I will attack this instead, blah, blah, blah. Whereas it seems like the government already isn't thinking about it. This crisis occurs. Are we going to be able to do that complicated intricate 3200 companies sort of thinking?
Don't even need that. Do you know what a transformer is? Basically a transformer steps down wattage powers so that electricity can be transmitted over long distances and then steps it back up again. These giant transformers are huge. They are enormous. They are 80% of them made overseas. It takes, from the time a transformer can be knocked out with a rifle. When you drive in the countryside, just stay on the alert on the lookout and you will see sort of a chain link fence surrounding a giant piece of equipment. In the middle of a field, nobody there to defend it, nothing to protect it, it can be taken out with an AK-47. Somebody did that here in Northern California just a few years back. No defense. And the time it takes from the moment that it is ordered until the moment that it is delivered, about a year and a half. Has to come from overseas. They are so big, these transformers, that special trucks have to be designed. They have no moving parts. The average age of a transformer in the United States is 40 years, they're 40 years old. So that some of the special rail lines that delivered these transformers 40 years ago no longer are no longer active. And if you've heard about the state of our bridges and highways, these are so enormous that they would probably cause many of our bridges to collapse under the weight of transporting them.
How many of these guys are there?
Thousands, thousands, and here's the bad news, they're not interchangeable. Each one is unique.
Problem, we don't talk about it. Government's not doing anything, well that's not true. The government is, what the government has done is create, you know those small tires that you have in the back of some cars that'll get you 50 miles to the next gas station. We have developed, or at least the Department of Homeland Security working together with the Department of Energy has developed the equivalent of that, something that would sort of keep the system going for a few days. But that's it.
So I think we'd all agree that there's, it's, the security of the grid is really not a priority. So why does the security industry not make the power grid a priority right now?
Yeah, that's a really interesting question. So cybersecurity as an industry is a very nascent sort of sector of our economy. And the main people that have a lot of money for it are the big companies. So like JP Morgan, for example, I imagine they pay many cybersecurity firms a lot of money to come in and take care of everything. I'm talking like desktop passwords, I'm talking their servers, everything because that's what's required of a financial institution. But JP Morgan can afford that, right? JP Morgan has line items in their yearly budget specifically for this. Does PG&E have a similar sort of budget? Highly doubt it. Right, it's an industry tooled towards large corporations that have a lot of risk that can afford to pay tens of millions of dollars in some cases. We just, as a nation, we cannot, that system just doesn't work. Just not tooled towards a public utility.
Actually, I interviewed Jamie Dimon on this very subject. Three years ago, JP Morgan had spent, I believe it was $800 million on cybersecurity. And Alex is exactly right. The big banks, this could be a cyber attack, we've only been talking about the power grid. It could be devastating to the banking industry. Absolutely devastating. And devastating to a number of western economies, including our own.
By now, I am confident that JP Morgan has spent well over a billion dollars on cybersecurity alone. PG&E actually spends a ton of money on cybersecurity. PG&E is one of the best in the country. But again, I have to remind you, PG&E is connected to every tiny little electric power company whose board of governors is going to say, wait a second, you want us to spend, we only made $20 million last year and you want us to spend five on cybersecurity? Can't do it.
So how does PG&E justify that to the CPUC and the rate payer? It was normally, for example, in the financial system, if there's a small amount of money, if there's a larger attack, there's a larger amount of money to be lost. So the calculus works out in the balance sheet for a bank. But for something like PG&E, it must be coming from some sort of government. I'm going to speculate here, but I'm pretty sure the state of California is pushing them to implement this and is funding them to implement this. Because they only make money by selling electricity. That's it. From my perspective, it's essentially coming from the top to do this. And you probably can't do that in every other small utility. So from your conversation with people from PG&E, how did they justify this?
No, actually, I haven't talked to the folks at PG&E. I did talk to the head of one major power company. And he would only talk to me on background. In other words, I could not identify him or his company. You'll find the electric power companies, when they speak to the issue publicly, they exude nothing but confidence. They are convinced that they cannot be hacked. They are convinced that no one can break into the system, at least so they say. And I concede it would be awkward for a senior official at one of these power companies saying, yeah, we're vulnerable as hell. We're really worried about what's going to happen. Again, the problem is offense beats defense. Almost every time.
And while things can be done to make it more difficult, to the best of my knowledge, there is no 100% secure system. How do you think we should incentivize even the smaller utilities to have the same level of perseverance of PG&E? Do you think it has to come from the top? Is there any way to change the system, something small, some sort of market incentive? I think actually some of the companies like PG&E are trying to help out some of the smaller companies. Because their security depends on the security of the smaller companies. But again, it's not foolproof. Just one, I think we have a little time for audience questions. So we ought to open it up to see if we have a bunch of students in the front, which they see. Let's start here. We talked about how the interconnectedness of the grid brings vulnerability. But are there chances for, as you were just mentioning with PG&E, helping smaller companies to pool resources and create effective firewalls or defense mechanisms? They can certainly harden the defenses from what they have right now. I mentioned a little bit earlier, you heard us talking about SCADA systems, the supervisory control and data acquisition. Part of the problem is those SCADA systems are made by only two or three companies. So that the SCADA system that runs the power grid in Tehran or Shanghai is the same one that runs the power system in San Francisco. And at, what do they call the conference, what is it, the Black Hat Conference in, they usually have it in Las Vegas. One of these companies that creates the SCADA systems was talking about the passcode that only their company has. And of course one of the hackers at the said, oh, you mean this passcode and provided it. Again, it's, I'm not aware of any foolproof defense system. Kind of going off that as well. There are a lot of opportunities. This idea of information sharing, you hear this a lot in cyber policy. 
It's the idea of when an attack, when a company is attacked, it shares all the technical information of that attack with anyone who might encounter it. So if your SCADA system was attacked, you could tell every other power company in the world that has the same SCADA system. Hey, this attack happened, we noticed this on our network, this is how we noticed it, and this is how we defeated it. That sort of information is really helpful and that's something the Department of Homeland Security has been focusing a lot on for critical infrastructure is creating this sort of community of sharing when it comes to cyber. But it's really hard. Companies don't want to share if they're hacked or to what extent they were hacked. It's embarrassing. So, challenges. Hi, so, sorry. So earlier, it seems that, for example, bringing an example of transformers that having spare pieces of infrastructure is a proposed method of offense against one of these attacks. The discussion of a cyber attack on the power grid still feels a little bit abstract to me. There was the other example of power trying to be funneled to Chicago. But what I'm inferring from the discussion of people being out without power potentially for weeks or months is that physical objects will be destroyed in one of these attacks through ultimately software manipulation on the grid. What other physical pieces of infrastructure would fall victim in a cyber attack? It's not so much a physical object. It is the capacity of the SCADA system to interconnect 3,200 companies. If you have 3,200 companies, all of them trying to maintain the balance between electricity coming in and electricity being supplied to customers, I can't even begin to imagine the permutations and combinations of the interrelationship among 3,200 companies. Only the internet is capable of running those kinds of calculations at the speed of light, which is the way it has to be done. So is there a system that can defend that? 
Look, there are options, the creation of microgrids so that instead of depending on a gigantic grid that's taking care of the entire West Coast or the entire East Coast, more and more now, but we've done some really stupid things over the past few years. Our military bases used to be energy independent. They used to run their own energy system. And about 15 or 20 years ago, somebody decided at the Pentagon or Congress, I don't even know who it was, that this was a bad idea, that it would be cheaper if our military bases were hooked into the local power company of the nearest community, which means our military bases are now as vulnerable as our civilian power industry. One of the things that can be done to change that is, for example, to take some of these nuclear generators that have been powering our naval ships, nuclear ships, submarines. They haven't had an accident in 50 years, right? They are incredibly safe. They could be put on military bases so that not only the military base becomes independent, but it would have enough energy left over to service the local community, turn it around. All of these things, I mean, I asked someone who told me that this was an option. If the president tomorrow said, go ahead and do it. If Congress provided the money and said, go ahead and do it, how long would it take? Ten years. Let's do these two here. So we've talked about how offense is better than defense in the case of protecting the grid. And in the case of nuclear war, you've talked about mutually assured destruction. What would MAD look like in the case of the power grid where it's difficult to attribute a cyber attack? Well, I mean, imagine this. The president is sitting in the situation room. All electricity on the east coast is out. Millions of people without electricity. The president is there with the head of the NSA, the head of the CIA, the head of the FBI. 
He's there with the Joint Chiefs of Staff or maybe just the chairman of the Joint Chiefs. And he's saying, fine, who the hell did this? And finally, the head of the NSA says, well, Mr. President, as best we can determine, the attack originated in Copenhagen. Copenhagen? You know, what the hell have we done to the Danes? Well, no, sir, it originated in Copenhagen, but then it was transmitted through Auckland, New Zealand. And then before Auckland, actually, it was Santiago, Chile. And before Chile, it was Madrid. And as best we can determine the really original point of origin, yes, says the president. Come on, cough it up. Brooklyn. Now what do you do? The Russians have cyber teams spread all over the world capable of launching attacks. Whether they can launch one sophisticated enough to take out the power grid, I can't tell you. But they are capable of launching attacks from points all around the world, as I assume we are too. And it could take a very, very long time to determine who was really behind it. And if you want a sort of preamble to what the conversation would be like between us, let's say we assume it's the Russians who did it. The conversation, Mr. Putin, I can guarantee you, would be saying exactly the same thing that he's saying now about the interference in our election system. Russian government had nothing to do with it. It may be that some patriotic Russians on their own decided to play games with the American. But I can't control everybody in this country. You know, the internet is available. What are you going to do? Okay, one last question here. Sorry, running out of time. So I've had the point made to me a number of times about cybersecurity as a growing industry, but that a lot of companies in the cybersecurity space actually lack the workforce or the qualified workforce to really tackle the problems that they're looking at. And I'm curious as to what you see the role of somewhere like the booming San Francisco Bay Area tech industry. 
What is their role in contributing to the solution of this problem? And not just the San Francisco Bay Area, but the global tech industry is having people building great apps that are going to be useless when you can walk your own dog and you don't have power. So I'm curious what our role is at that point. Well, I don't mind walking my own dog, actually. I really don't know what to tell you. Part of the problem is, and you sort of touched on it when you talk about the tech industry, the folks who work at the Department of Homeland Security in putting the Department of Homeland Security sort of at the point of the spear in terms of defending American infrastructure, you are taking the least competent agency in the U.S. government and charging them with the most complex because the Pentagon can't do it. It's constitutionally prohibited from doing it. The people who have absolutely the best experts in government, the National Security Agency can't do it. They could be invited in, I suppose, to help the power industry, but such is the level of competition within the power industry that they're reluctant to provide all the information that the NSA would need. Again, and maybe this is an appropriate point on which to close this conversation down, we are a reactive society. We are not a preemptive society. It is not until after disaster strikes that we begin to ask the question saying, why didn't anybody do anything about this? As long as these things are purely theoretical, I'm not sure that we're ever going to come up with the kinds of solutions that we need, but somebody mentioned before, they hadn't seen evidence of an actual attack on the power grid. The Russians knocked out the Ukrainian power grid physically, knocked it out using a cyber attack. You know what saved the Ukrainians? It is such an old system that they were able to manually turn it back on again. We couldn't do that in this country. 
On that note, I'd like to thank the audience for great questions, our very excellent student panel for a great dialogue, and last but not least, Mr. Koppel for his clarion call to all of us and alerting us to such a big threat with such troubling and dire consequences. I hope we all can take this information and become better citizens in interacting with our government on it. Thank you very much. Thank you very much.