Report: Administration, Congress, Others Must Better Shield Electricity Grid Vs. Cyber Attack
Posted at 9:10 a.m. on July 15, 2014
WINSCOMBE, U.K. – The sun goes behind an electricity pylon that is sited beside the M5 motorway near Winscombe on Nov. 6, 2012. (Matt Cardy/Getty Images)
A high-level report on the security of the electricity grid, set for release Tuesday afternoon and led by a former White House chief of staff and Department of Homeland Security secretary, is complimentary of the Obama administration’s efforts to protect it and faults Congress for not doing enough.
Yet protecting the grid — “the most critical of critical infrastructure” and “the backbone of our modern society” — requires more action from everyone, from the executive branch to the Hill to industry, the report by the Center for the Study of the Presidency and Congress concludes.
The extremely thorough 172-page report — chaired by former White House Chief of Staff Thomas McLarty III and former Homeland Security Secretary Tom Ridge (Ridge also chairs the National Security Task Force of the U.S. Chamber of Commerce) — details the nature of the threat, from which countries it emanates, what has been done about it and should be done about it in all branches of government, from the state regulatory level to within the private sector. If it leaves anything out, it’s Israel’s cyber capabilities and intents vis-a-vis the United States; a chart on the subject doesn’t even mention Israel, which is extremely capable and at least willing to conduct cyber espionage against America.
The report’s dozen recommendations include passing information sharing legislation; incorporation of levers from the insurance and financial sectors into cybersecurity; better coordination in Congress between various committees with jurisdiction over cybersecurity and the electrical grid; and greater attention to the potential complications for the electricity grid caused by shifts to more renewable energy sources.
Some passages of note, starting with a reference to roundtable discussions:
Many of the participants voiced the necessity for comprehensive cybersecurity legislation to serve as a foundation for regulating and protecting various sectors—especially the electric grid—against cyber threats. Even though there have been over 100 resolutions and bills related to cybersecurity introduced since the beginning of the 111th Congress, there has not been a major piece of cybersecurity legislation that has been signed into law since 2002.
With the expansion of the capabilities of possible threat actors, this lack of legislation has left many aspects of critical infrastructure unregulated and vulnerable to attack. Many of the obstacles that have hindered the ability for lawmakers to pass cybersecurity legislation include privacy and liability concerns related to information sharing within the post-[Edward] Snowden environment; forming and implementing standards for critical infrastructure; the development of trust between the private sector and the federal government; and the designation of the roles and scope of federal agencies, such as DHS and NSA.
Additionally, one of the major challenges inhibiting the passage of new legislation is the varied nature of the industry. Electric utilities come in a variety of sizes, and they report to regulatory institutions both in the public and private sectors. There are also a multitude of government agencies, committees, regulatory bodies, and utility companies that have a stake in securing the grid. These organizations cross local, state, federal, and even international boundaries. As discussed previously, these organizations also have different—although sometimes overlapping—responsibilities.
Legislation needs to be able to address these varied needs and avoid a one-size-fits-all mentality. In addition, the majority of the legislation that has been introduced within Congress has not focused specifically on the electrical grid but rather on the 16 sectors of critical infrastructure.
Another, on the punitive nature of existing policies:
The incentive structure in the electric grid is off-balance, according to experts and roundtable participants. Following the “carrot-stick” analogy (carrots as rewards and sticks as punishments), the current system has too many sticks and not enough carrots. Legislation should help facilitate a new balance, one that does not over-emphasize regulation at the cost of trust and goodwill among sectors.
On the executive branch’s approach, and the need for more:
It is encouraging for utilities that the Obama Administration has been actively engaged in the issue of grid security and cybersecurity, as it is clear the executive branch recognizes the importance of addressing the cyber vulnerabilities in critical infrastructure. In the current political environment, the president is capable of advancing cybersecurity and critical infrastructure policies without formalized legislation. Because of the current Congressional gridlock, this alternative pathway is necessary. While ideally both the executive and legislative branches will work together to improve grid security, in lieu of legislation, the Administration’s actions are more critical than ever…
While recent executive action is a useful step forward for grid security, progress cannot end now. With or without legislation, the administration needs to either begin or continue to address information sharing, industry exchange, balance of agency responsibilities, and research & technology.
The project directors are Maxmillian Angerholzer III, president and CEO of the Center; Frank J. Cilluffo, director of the Homeland Security Policy Institute at George Washington University; and Dan Mahaffee, the Center’s director of policy.
The chairman and top Democrat on the House Intelligence Committee are slated to appear at the unveiling of the report Tuesday.