Power Magazine

Artificial Intelligence’s Thirst for Power Demands Greater Focus on Cybersecurity of the Energy Sector

By Contributed Content

Behind the scenes of every new artificial intelligence (AI) app and program is a staggering amount of energy needed to power its data centers. We’re already in the throes of the AI revolution, and with unprecedented energy demand comes the increased need for proactively protecting the energy sector from cyber adversaries like the People’s Republic of China (PRC).

The increased demand for power is coming quickly. Today, AI accounts for just 14% of global data center electricity demand, but that will double in the next two years alone, according to Goldman Sachs. By the end of the decade, we will need a whopping 165 times as much energy to support the explosion of AI, growth that comes with an estimated cost of $720 billion in electric utility investment.

COMMENTARY

Let’s break down how we get to such explosive energy demand. Today, a single query into ChatGPT uses about 10 times as much electricity as a simple, traditional Google search. A server rack at a traditional data center uses about 7 kW of electricity, but an AI server rack consumes 30 kW to 100 kW, anywhere from a three- to fourteen-fold increase. And by 2035, AI data centers are estimated to be using the same amount of electricity as all of the households of New York, California, Texas, and Florida combined.

It is clear the fate of U.S. AI supremacy is directly tied to our ability to produce greater supplies of energy. Rep. Julie Fedorchak (R-ND), who recently stood up the AI and Energy Working Group on Capitol Hill, stated, “To be AI dominant, we must first be energy dominant.” She is absolutely right.

This reality also leads to electric systems becoming a larger and more attractive attack surface for malign cyber actors, like the PRC, Russia, Iran, and North Korea—and the threat from these actors is real. PRC-linked cyber adversaries have been targeting large portions of U.S. critical infrastructure. The so-called “typhoon” cyber actors make up a perfect storm of threats, and include Volt Typhoon, Salt Typhoon, Flax Typhoon, and Silk Typhoon. Volt Typhoon has been found to be targeting information systems and networks of critical infrastructure, including energy, whereas Salt Typhoon specifically targeted U.S. and allied telecommunications firms. Flax Typhoon took the form of a more traditional espionage campaign penetrating Internet of Things (IoT) devices. Silk Typhoon has primarily targeted information technology (IT) providers.

For the PRC, cyber attacks on our infrastructure, including the systems that power our electric grid, are part of a new era of gray-zone warfare, where lines between armed conflict and cyberspace are blurred. It is squarely within Beijing’s interest to be able to damage or disrupt the American energy sector in an instance where, say, the U.S. is defending Taiwan or protecting contested waters in the South China Sea.

Now, as the AI race heats up between the U.S. and China, the prospect of a foreign adversary being able to drive a knife into the heart of the energy supply of such technology is of grave concern. With the Trump administration exiting its first hundred days and with a clearer understanding of who will be helming cybersecurity efforts in the coming years, it is time to double down on efforts to secure our power grids. Agencies like the Cybersecurity and Infrastructure Security Agency (CISA), the White House Office of the National Cyber Director (ONCD), and the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) should be working closely with utility owners and operators to root out Volt Typhoon, exercise attack responses, improve incident coordination, and update protections to both IT and operational technology (OT) systems.

This is currently being done through projects like the CESER-supported Southeast Regional Cybersecurity Collaboration Center (SERC-3)—a partnership between Oak Ridge National Laboratory, the Department of Energy, and Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security, where we work. Our project will run attack simulations across OT systems commonly used by electric utilities across the country, generating data on how to improve the protection and resiliency of these systems. But this is only a start and should be replicated with other partnerships across the U.S. to provide security to energy companies as they seek to scale their power generation to meet rising demand driven, in large part, by AI.

We’re at a moment in history where the potential of AI, the ingenuity to power it, and the proactive collaboration to protect these systems all must come together, and it’s happening as the new administration and Congress appear eager to act. But the current malaise of federal and state regulations facing the energy sector, not only on the cyber front but also when trying to expand infrastructure for energy production, puts our ability to meet the moment at risk. The regulatory environment must be streamlined in order both to secure our future from cyber adversaries and to create the supply needed to realize that future.

Frank Cilluffo is the director of the McCrary Institute for Cyber and Critical Infrastructure Security and Professor of Practice at Auburn University, and Kyle Klein is the deputy director for policy and partnerships at the McCrary Institute for Cyber and Critical Infrastructure Security.