Third-party contractors — our weakest cyber link — need to be held accountable
Cybersecurity threats to US infrastructure warrant 'moonshot' response
Serious threats to U.S. infrastructure, and especially to the electrical grid, have grown significantly in the past year and, as National Intelligence Director Dan Coats reiterated to Congress recently, "the warning lights are blinking red."
What do those warning lights look like? According to the Worldwide Threat Assessment of the U.S. Intelligence Community, issued on Jan 29:
- China is able to launch cyber attacks that cause localized, temporary disruptive effects on critical U.S. infrastructure for days to weeks;
- Russia is able to execute cyber attacks on electrical distribution networks, and "Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage";
- Iran is trying to develop cyber capabilities that enable cyberattacks against the critical infrastructure of the U.S. and our allies; and
- North Korea has the ability to use cyber attacks to steal from financial institutions, including a successful heist of some $81 million from a New York Federal Reserve account.
Additionally, a separate, chilling National Intelligence Strategy report from Coats' Office of National Intelligence noted in mid-January: "Cyber threats will pose an increasing risk to public health, safety and prosperity as information technologies are integrated into critical infrastructure, vital national networks and consumer devices."
This is not speculation or hyperbole - these capabilities exist and actions are being used against the United States constantly. And whether it is a gas pipeline, a bank, an airport, a gas station, major dam or a cell phone, the central fault line is the electrical grid. Without the electricity supplied through the grid, nothing else works for long, even with emergency backup systems.
Against this backdrop, Congress and some federal agencies seem to be exhibiting what Sen. Angus King (I-Maine) recently described as "a weird calm" in the face of repeated warnings and hard evidence of foreign infiltration of our electric grid. At a hearing of the Senate Energy and Natural Resources Committee on Feb. 14, King expressed frustration that federal agency witnesses were "entirely too calm" about the situation, which he called "the most serious threat facing our country," one that "needs to be addressed with a real sense of crisis."
We also need to acknowledge the billions of individual devices - from industrial machinery to consumer electronics - that are interconnected and linked to the grid. Each of those connections creates a potential grid vulnerability that could be exploited deliberately by a foreign agent or tripped unintentionally by a U.S. citizen at work or at home.
Clearly, the time has come for Congress, the regulatory community and every American utility to come together and commit to undertaking the "moonshot" effort necessary to secure and strengthen the electric grid. As a nation, we must marshal a level of talent, money, focus and determination equivalent to that which made it possible for us to land on the moon 50 years ago. Taking strong, decisive action no longer is a subject for debate, or a luxury, but instead is a matter of genuine national security.
An attack on even limited parts of the grid would severely affect businesses and people over a wide geographic area. For example, a 2015 report by Lloyd's of London and the University of Cambridge outlined an attack on just a few power generators in the Northeast and estimated the impact on the U.S. economy from the resulting 15-state blackout at $243 billion, with a potential to exceed $1 trillion.
It is true that Congress and some federal agencies are endeavoring to make meaningful progress, and the leaders in electricity generation and delivery are working to make the grid more secure and resilient. But we need a more comprehensive approach, based on generally accepted best practices, with the flexibility to anticipate the changing threats and unique conditions of each state and their utilities.
Such a program must include innovative, flexible funding mechanisms to incentivize large and small utilities to make necessary investments in cybersecurity with some measure of guarantee that effective, prudent expenditures to implement best practices will be recouped. Some form of equitable cost-sharing might be necessary to provide funding to smaller utilities, and an approach similar to a "war bond" program should be evaluated.
We need a moonshot effort, and the costs of that effort must be borne by government, utilities and customers alike - but in a in a manner that minimizes the short-term impact on customer rates while still providing the necessary capital to make our electric grid more resilient.
With credible threats from China and Russia, and other nation states and individual threat actors ramping up their cyber arsenals, it is unacceptable to leave in place known vulnerabilities by failing to adequately protect the electric grid.
We must pay attention to the threats, and we must do so now. The enemy is inside the gate.
Richard Mroz is immediate past president of the New Jersey Board of Public Utilities and former chairman of the National Association of Regulatory Utility Commissioners Committee on Critical Infrastructure.
Suedeen Kelly is a former member of the Federal Energy Regulatory Commission. Both serve on the leadership team of Protect Our Power, a nonprofit organization whose mission is to strengthen the reliability and resilience of the U.S. electric grid.