The Washington Post appears to have overreached significantly in its report last Friday that Russian hackers had penetrated Vermont’s electrical grid. Later that evening it was revealed that malware associated with the Russians was found on just one Burlington Electric laptop that was not attached to the grid. On Monday evening the Post published an updated story reporting that even that was an overstatement.
Although we don’t know yet exactly what went wrong, Kalev Leetaru’s analysis at Forbes, much of it based on looking at how the story changed over time, strikes me as very good. Leetaru writes that it appears the Post did not try to contact Burlington Electric until after the first version of its story had been published online—an important oversight if true. Certainly there was no indication in the Post’s first story that its reporters had attempted to contact the utility.
Yet I want to push back a bit on the idea that no one except the Post had reason to believe there was anything to this story. At Vermont Public Radio, you’ll find an article published on Friday, after the Post, that includes this statement from Burlington Electric spokesman Mike Kanarick:
Last night, U.S. utilities were alerted by the Department of Homeland Security (DHS) of a malware code used in Grizzly Steppe, the name DHS has applied to a Russian campaign linked to recent hacks. We acted quickly to scan all computers in our system for the malware signature. We detected the malware in a single Burlington Electric Department laptop not connected to our organization’s grid systems. We took immediate action to isolate the laptop and alerted federal officials of this finding. Our team is working with federal officials to trace this malware and prevent any other attempts to infiltrate utility systems. We have briefed state officials and will support the investigation fully.
In other words, government officials and Burlington Electric were taking this very seriously indeed—even if the Post had incorrectly reported that the grid had been breached. Yes, of course, the Post should have been more careful. But we’re in the midst of a much larger, unfolding saga of Russian hacking. Perhaps it’s time for everyone to take a deep breath.
Update: Taylor Dobbs of Vermont Public Radio, a distinguished Northeastern journalism alumnus, has an excellent follow-up. Unfortunately it’s still not entirely clear whether the Post attempted to contact Burlington Electric before publishing. Post spokeswoman Kris Coratti says yes; the utility’s general manager, Neale Lunderville, says no.