We Found the Blueprints for Top Secret Facilities and No One Gives a Shit

I work at a cyber risk company called UpGuard. One of the things we pay people to do is discover data stores that should not be publicly exposed, but are. We do this not just so that the owners can secure their data and hopefully learn to do better, but also so that the public learns how companies have defrayed the cost of information security by compromising the personal safety of consumers who have entrusted them with their business.

The day UpGuard broke the story of the Republican National Convention leak, our website got more traffic than we had ever seen. The story was everywhere: the data of 198 million potential voters, leaked online. Apologists on behalf of the data analytics firm claimed that it was not a big deal because the data was already public. That was obviously a bad faith claim — the RNC paid people to assemble that data collection, meaning they (“the market”) recognized value in that labor — but it does speak to a larger way in which it doesn’t matter at all. The psychographic data in the RNC store is already legally in the hands of organizations whose goals are to strip health insurance, civil rights, and voter protections from Americans. The only way it could be worse is if it could somehow be used to actually blow up — like with bombs, not through legislation — critical infrastructure.

Well, we did find another leak, this one from Texas-based engineering firm Power Quality Engineering, and that’s pretty much what it was. The documents contain assessments of energy infrastructure, including weaknesses discovered during their safety checks of facilities. There is a file called “computer stuff.docx” with passwords to other systems. There are schematics for energy plants and Sensitive Compartmented Information Facilities — rooms designed to be impervious to spying because whatever is going on is critical to the national interest. It is a collection of documents that sounds like something you would retrieve in a Call of Duty mission because it is self-evident that having them will allow you to do crippling and immediate harm to the guys you stole them from.

And no one gave a shit. With scarcely any media pickup, the announcement fell stillborn from the press. When I was a kid, the spectres of Three Mile Island and Chernobyl hung heavy over the acceptable discussion of energy policy, but even as the radiation of Fukushima continue to bleed into the water today, such nightmares have no weight in the American political imaginary. It’s just an ecological disaster, and not even at the top of that list. The ease with which terrorists (foreign or domestic) could bring down the energy grid for major metropolitan areas should freak people the fuck out. (In fact, North American energy companies are regulated precisely because their outages have led to deaths.) But no matter the real, tangible risk, the threat of an attack on infrastructure has no room to breathe in a media environment where some kind of scandal is needed for table stakes.

The RNC leak was a great story — it tapped into (legitimate) anxieties about political manipulation, the aching in the Democratic machinery to balance the humiliation of the Podesta emails, the Trump campaign’s involvement with Russian operatives. More damaging to the country’s ability to sustain itself than any foreign interference is this cramp in political discourse that excludes the perception of risks that can’t be yoked to one’s identity.

There are a lot of ways that a lot of people might die right now, and it’s addictive and profitable to focus on the means that people are already talking about. But if you’re actually trying not to die, or to at least die later, or at the very least to die less violently, the Power Quality Engineering leak is the most important story you could have read yesterday. North Korea — or the next Timothy McVeigh or Mohammad Atta — does not need a nuclear weapon to wreak havoc on American soil. All they need is a Linux manual.