By Sarah Chen and Nohl Patterson
The United States’ critical infrastructure is at risk. From healthcare to travel to energy infrastructure, communities rely on key resources to stay functional. Alaska is a prime example for understanding cybersecurity ripple effects – with supply chain issues and melting Arctic ice, low-cost, high-impact cyber attacks can create cracks. We must address these cyber threats—and soon.
Alaska is No Stranger to Cyber Threats
Alaskan infrastructure, despite its isolation, has experienced several higher-profile attacks in recent years. In May 2021, the Alaskan Department of Health and Social Services (DHSS) experienced a “highly sophisticated” cyber attack where hackers had access to “any data stored on the department’s information technology infrastructure,” including names, Social Security numbers, and other personal data. The follow-up breach report, developed with the support of cybersecurity firm, Mandiant, noted that the culprit was a “nation-state sponsored attacker… known to conduct complex cyber attacks.”
RavnAir is an Alaskan regional airline that serves over 100 communities, many rural with little to no road access. In late 2019, a “malicious cyber attack” on RavnAir’s IT network targeted the Dash 8 systems, forcing the airline to disconnect the system, resulting in six canceled flights and affecting 260 passengers. While the scale and impact of this attack was relatively small – back-up systems and re-booking over the next few days helped fill the gap – the attack highlights a consistent worry for Alaskans: the vulnerability of its infrastructure, in this case, its transportation system for rural communities.
Adversaries in cyberspace have also selected targets for strategic or political advantage. In 2018, during the trade deal discussions held in Alaska, there were over one million IP connections during the April to June timeframe, between Chinese hackers and Alaskan networks, on the Department of Natural Resources, Power & Telephone Company, and government networks. A proposed Alaskan-Chinese gas pipeline was one of the issues under discussion. While there is no direct causation between the discussion and the rise in activity, this highlights another issue with cyber attacks – whether an attack is correlated often remains to speculation.
Cyberspace and the interconnectivity of the internet pose a severe security risk for the U.S. populations, particularly because many critical infrastructure command and control systems are connected to the digital net and therefore vulnerable. With the rush of high-profile critical infrastructure attacks in recent years, such as Colonial Pipeline, some experts worry over a disruption to the Alaskan energy pipeline. Any disruption to oil import or export or electricity grid, water, route shut down would rapidly escalate the risk to civilians.
The State Sits at a Critical and Vulnerable Position for Arctic Security
Cyber attacks on critical infrastructure offer a low-cost, high-potential-gain target for hackers, particularly for smaller communities that are more vulnerable to destabilization. These risks, while seemingly limited to geographically-locked impact, can result in a strategic gain for adversarial actors.
Alaska is a prime example, as it is home to key military base operations for the Arctic and relies heavily on interconnectivity.
Military bases in Alaska oversee the Arctic region, where Russia and China are already making claims on the contested territory for its shipping advantages. Joint Base Elemendorf-Richardson (JBER) and Eielson Air Force Base are both vital bases for reaching multiple target locations. JBER is within 4000 nautical miles of cities like Berlin, Moscow, Beijing, Seoul, and Tokyo while providing coverage for the Arctic area, Washington, and Los Angeles, while Eielson reaches into Europe and Asia within an eight-hour flight. Eilson hosts about 120 aircraft, including fifth-generation fighters, JBER is the launching point for Northern Edge, the ‘largest’ U.S. military exercise in the region, with the Theodore Roosevelt Carrier participating for the first time in 2019. “The Alaskan (operating area) is critical to the INDO-PACOM region… [a] vital area to our national defense,” said Rear Admiral Dan Dwyer, who currently commands the carrier strike group.
With the 2021 release of the “A Blue Arctic,” the Department of the Navy’s “Strategic Blueprint for the Arctic,” the military recognizes Alaska’s importance for for Arctic access. Alaska is necessary for Arctic security, for rapid response to and deterrence in the Bering Strait and Northwest Passage, and for training in extreme environments.
Therefore, Alaska is a potential target for Arctic security. One vulnerability is its dependence on regular food and fuel shipments, Due to the unique environment, the reliance on container ship, trucks, and air fright due to economic costs and environmental limitations “creates a very fragile food supply that’s very easy to be disrupted,” as noted by Stephen Brown, a University of Alaska Fairbanks agriculture agent. 95% of all Alaskan food is imported, a supply chain issue made stark during the COVID-19 pandemic. Dave Bronson, mayor of Anchorage, noted that the Port of Alaska, located in Anchorage, is responsible for 50% of all Alaskan cargo, 90% of Alaskans rely on cargo from the port, and it is the sole point of entry for all aviation gas. The Anchorage port’s director predicted that Alaska could run out of food in five to seven days if shipments were stopped; a just-in-time economy. If even one ship experienced issues, the number of trucks deployed must double to make up for the order loss and delays can take weeks to fix.
There is no sufficient ‘back-up’ option for a port closure. Stephen Ribuffo, director of the port, noted that there is only one road in and out of Alaska, and that road passes through Canada, restricting not only the amount of supply that can happen but also the content. An estimated “more than 700 Boeing 747 cargo jets would be needed on a weekly basis to replace the food and goods that cross the port,” according to Mayor Bronson. Alaskan permafrost also presents a unique challenge to carting heavy loads long distances in certain areas, where warmer months literally shift and crack paved roads or transport vehicles sink in unpaved ones.
Ribuffo explained the essential cooperation between the port and the military presence in Alaska. The Alaska Port is classified as a “National Strategic Seaport,” 1 of the 19 commercial ports in the country, with 20% of its cargo slated for defense purposes. This means it supports military operations during peacetime or deployment. The Anchorage military base is right next to the port, and the two organizations have a very close and cooperative relationship, to the point where if the military requires staging area, port renters will voluntary clear space.
However, the Alaskan port is currently more resilient to cyber attacks, not because of investments in cyber security, but because infrastructure is, according to Ribuffo, still at “Neanderthal” levels – it’s all manual. Almost all communication is radio-based, which means that knocking out the internal port network will be less impactful than in a larger port in the lower 48s. However, the port still relies on electricity – specifically the Chugach Electric company, which many other businesses depend on. While there are two potential power feeds and a back-up generator system available to the port, taking out stable power – shutting down the electricity grid – would cripple port functionality.
Military bases, supporting radar and early warning technologies, rely on the same supply chain as civilian residents. Knocking out the shipping capability for Alaska for a week may not only hit a lethal threshold, particularly for rural areas where delivery is already difficult and inconsistent given road and weather conditions, but also cripple military effectiveness.
A Cyber Attack on Alaska could be Devastating for Civilians and Military
A disabling cyber attack on the electricity that powers the port could serve as an indirect crippling of military personnel at the basis, severely threaten food supply, and lead to panic with no other large-scale in-and-out shipment mechanism in the Alaskan region. Given Alaskan vulnerabilities, a cyber attack against infrastructure could preface an invasion of the Arctic with crippling results for U.S. response.
The range of second- and third-order effects of a cyber attack on Alaska is wide, from an attack that could be relatively limited (data theft) to disabling vital resources (shutting down the gas pipeline). However, speculative concerns are insufficient – instead, the critical Alaskan infrastructure and local government should work with the Department of Defense (DoD) and national security analysts to ‘game out’ these scenarios through wargaming. A long-time tool of the DoD, wargaming can support “creative decision-making,” as part of the cycle of research to help understand scenarios that would make Alaska a chokepoint for supply and support.
The government should consider building Arctic cyber wargames focusing on Alaska as an initial defense and attack starting point. Cyber wargaming allows policymakers to understand the ripple effects of the intangible arenas of cyberspace, while also playing within a consequence-free zone of hypothesis-testing solutions.
Some games could be a logistical game that builds out a layered ‘crawl, walk, run’ scenarios of route shut down due to cyber and kinetic events (over time, demand signal is increased and options are decreased over air, water, and land) could highlight the need for emergency crisis planning. Or, targeted games that ask how do compromised communications affect coordination between JBER and Eilson, and how bases should determine whether limited comms are due to unique ionospheric conditions or a cyber attack. This is more critical than ever as the port, like most infrastructure in Alaska, is planning to update its systems to more modern connectivity reliance. Cyber wargames that help highlight points of weaknesses can supplement building plans for real-world security infrastructure.
While Alaska poses unique vulnerabilities due to its isolation, just-in-time economy, and strategic importance, it is an example of a location with low-cost, high-impact cyber targets, not an edge case. As cyber-attacks become ever more frequent and actors more bold, utilizing wargaming as a tool to identify digital critical points and plan for ripple effects prior to adversary discovery will be essential to understanding the cyber risk to physical infrastructure.
About the Authors
Sarah Chen is a recent graduate of Claremont McKenna College with a dual degree in International Relations and Philosophy, Politics, and Economics. She is pursuing an MSc of Social Science of the Internet at Oxford as a Rhodes Scholar, and she has held internships with Army Cyber Command, Office of the Director of National Intelligence, and the Center for Naval Analyses. When she is not playing and developing wargames for work or for fun, she can be found hiking in her hometown of Anchorage, Alaska or reading the newest science-fiction novel.
Nohl Patterson is a recent graduate of Claremont McKenna College where he studied economics, government and computer science. He is currently working for a fintech startup. Previously he has held research positions at Harvard Law School and managed the Rose Institute of State and Local Government in Claremont, CA. In his free time he can be found down a Wikipedia rabbit hole, gesturing his hands while talking, or running in the Bay Area.