Officials at the Burlington Electric Department spent much of their holiday weekend cleaning up someone else’s mess.
Soon after The Washington Post published a story that included the false claim that “Russian hackers penetrated the U.S. electricity grid through a utility in Vermont,” Burlington Electric was named as the utility in question, and officials there began the days-long effort of recovering from a public relations disaster.
Except the entire scare – the suggestion that foreign hackers could gain control of America’s electric grid – was unfounded. The most sinister thing that happened, according to utility officials, was that a Burlington Electric employee tried to go to Yahoo.com on a company laptop.
Here’s how it unfolded:
“You know, it’s said that no good deed goes unpunished, and it certainly felt like the case here,” said Burlington Electric General Manager Neale Lunderville.
At the request of Homeland Security officials last week, Burlington Electric began monitoring its computer systems for malicious code or internet traffic potentially associated with Grizzly Steppe, an effort by Russian hackers that federal authorities say included interference with U.S. elections.
This kind of monitoring was nothing new, Lunderville said.
“As part of what we do, we’re always scanning for new potential cyber threats,” he said. “On Thursday, the Department of Homeland Security released new information regarding various websites and other items that they said we should be looking for, and they said it was linked to the Grizzly Steppe.”
Lunderville said Burlington Electric started scanning for the list of potential threats on Friday morning.
“When an employee came in and opened the computer and went to go to Yahoo.com to check email, we detected some suspicious internet traffic because of the scanning we were doing,” Lunderville said in an interview Tuesday. “We immediately moved to pull that computer off of our business network and isolate it, and we immediately alerted authorities.”
The Washington Post story published Friday evening included all of that information, but it was wrong on a key point.
“It’s really important to note that this computer was not connected to our grid systems – our grid control systems or any part that controls our electric grid here in Burlington. There’s no indication of compromise of our grid systems or of any customer data,” Lunderville said.
The Post story had it wrong. The story, based on anonymous sources, said the U.S. electrical grid was compromised, and remained online for a full hour after state and local officials set the story straight. A statement from Burlington Electric and state officials confirmed that there was a cyber threat detected, but said the grid was safe; no unauthorized user ever had the ability to tamper with electricity service in Burlington at the press of a button.
Lunderville said federal officials have also told Burlington Electric that it's unclear if the cyber threat even originated in Russia.
The Washington Post has since corrected its story (and written a follow-up story Monday evening, which Lunderville said got the facts straight), but the initial wave of publicity and social media shares was well underway. Lunderville said national news outlets jumped on the story so fast that he had trouble figuring out where the inaccurate information was originating.
“Once we figured out it was The Washington Post, we were at that point very close to putting a statement out, so we just released the statement. Our press officer, Mike Kanarick, made sure that The Washington Post got it at that point and that there was no ambiguity that the grid had not been penetrated,” Lunderville said.
By about 10 p.m., just over two hours after The Washington Post published the story, the news was all over the place. Gov. Peter Shumlin and Sen. Patrick Leahy brought more attention to the Post report by issuing statements condemning the hack.
“We were just trying to stop this onslaught of bad information from continuing to push out further and further, but it’s amazing: Here’s one story that gets posted at 8 o’clock on a Friday night, and within two hours it’s an international press story entirely based on wrong information,” Lunderville said.
Lunderville said he was frustrated, in part because of how easily the whole episode could have been avoided.
“It could have easily been corrected, well first, had this federal official not leaked this information inaccurately, and second had the news outlet got in touch with us to confirm it or deny it, and we would have told them, 'Not so. That’s not the case.' And they could have printed a correct story the first time around,” Lunderville said.
The Post seems to have violated its own ethical rules by publishing the story without seeking confirmation from Burlington Electric.
The Post’s “Attribution of Sources” policy says anonymous sources should only be used as a last resort.
“Before any information is accepted without full attribution, reporters must make every reasonable effort to get it on the record,” the policy states. “If that is not possible, reporters should consider seeking the information elsewhere.”
The information was readily available from sources at Burlington Electric and the Vermont Department of Public Service, where sources such as Lunderville and Public Service Commissioner Chris Recchia were both able to provide an on-the-record account of what happened and were willing to be named in media reports.
Apparently, the Post didn't initially look to those sources for confirmation. Lunderville said The Post didn’t make an effort to contact Burlington Electric until 10 minutes after publishing its story.
Kris Coratti, the vice president of community and events at The Washington Post, disputed Lunderville’s claim in an email.
“When we first reported the story, sources had not yet confirmed which utility had been compromised,” Coratti said in an email. “Nonetheless, we had contacted the state’s two major power suppliers, as these sentences from the first version of the story attest: ‘It is unclear which utility reported the incident. Officials from two major Vermont utilities, Green Mountain Power and Burlington Electric, could not be immediately reached for comment Friday.’”
But that’s not what the original version of the Post story said.
According to an archive of the story captured by the Internet Archive’s Wayback Machine, the first version of the story simply said, “While it is unclear which utility reported the incident, there are just two major utilities in Vermont, Green Mountain Power and Burlington Electric.”
There was no mention of any effort to contact utilities in Vermont.
Coratti’s claim that the Post reached out to Burlington Electric before publication came after Forbes published multiple stories on the Post’s mistake, including one titled ‘How The Washington Post’s Defense Of Its Russian Hacking Story Unraveled Through Web Archiving.’
The Post also refused Tuesday to name the source that gave two Post reporters bad information on Friday.
Lunderville said his main concern was Burlington Electric’s customers who may have feared for their personal information – or even wondered if they could count on the lights staying on.
“We take pride in making sure we provide open, honest transparent communication with our customers,” he said. “Whether it’s good news or bad news, we want to be the first ones to tell it, and in this case it was neither good nor bad, it was just false, and we didn’t have that opportunity. So it’s been very frustrating to fight this back.”
Lunderville expressed disappointment with the unidentified federal official who leaked the story to the Post. But he said the incident won't make Burlington Electric any less cooperative with federal authorities, which he says serve as partners in protecting utilities and their customers from cyber threats.
Update 6:16 p.m. This story was originally published with the headline "False Washington Post Report Launches Burlington Electric Into National Spotlight." After discussion, the word "false," which connotes a deliberate intent to deceive, was changed to "botched."