Electric Grid Security

Back in December, I convened a small retreat of experts from industry, research labs, and non-profit organizations, along with the amazing Miranda Ballentine of the Rocky Mountain Institute, to talk about electric grid security. New America Fellow Michael Wu also helped organize the event, and Millennial Fellow Braxton Bridgers served as a rapporteur. New America just released a composite account of those meetings.

My original desire to hold this event dated back to my service as an energy security executive in the Department of Defense. Back then, I was concerned about emerging threats to the U.S. electric grid system, as well as to the electricity of our partners and allies, which U.S. forces often relies on. 

I was equally concerned, however, about the amount of bad information floating around. At one point, for example, a former government official apparently came to the Pentagon, insisting that Hizballah had attacked an electrical substation in Silicon Valley. The 2013 attack actually did happen, and it remains unsolved, but both the FBI and DHS long ago discounted any link to foreign terrorism. That sort of hyperbole is not uncommon when it comes to the grid, given the prevalence of consultants and self-styled experts who profit from hyping the threat. Not to mention that the catastrophic blackout seems to be a favorite Hollywood trope (electromagnetic pulses even have their own wikipedia page). Don’t get me started on Ted Koppel’s atrocious and unfortunately best-selling book.

In 2016 and 2017, however, Russian hackers crossed a new Rubicon in Ukraine with the first verified, successful cyber attack on an electric grid. A recent FBI-DHS joint alert publicly confirmed that Russia has now targeted the U.S. grid, as well. All bets are off and it’s even more important to distinguish the reality from the hype in such a dynamic threat environment. After all, the American electrical grid was designed to survive everything from squirrels to storms, which are daily hazards, but not a deliberate attack by a nation state. 

Our December event, supported by the Rockefeller Brothers Fund, was reassuring in some ways. The U.S. government, the research community, and the utilities themselves understand that the threat picture is changing and are taking measures to deal with the situation.  At the same time, there is so much more to do.

We did not talk too much about one big concern of mine, which is structural challenges within the Federal government to mounting an effective defense. The Department of Energy is the lead when it comes to energy issues, with great subject matter expertise. Indeed, Secretary of Energy Rick Perry recently announced the creation of a new office focused on grid security, a promising step. On the other hand, DOE always seemed to me, from my vantage point across the river in the Pentagon, to be a place full of excellent, top-notch individuals trapped in an incompetent institution. Forged some forty years ago during an energy crisis from a potpourri of offices and agencies, the Department of Energy has never really seemed to gel. The Department of Homeland Security, which is responsible for defending domestic critical infrastructure, is the product of the same sort of poorly-executed, crisis-driven, multi-agency merger. The result has been another weak institution, a mishmash of operational, mission-driven organizations that do reasonably well (the Coast Guard and FEMA, for example) and offices that are legendary for their poor performance. Moreover, the dividing line between DOE and DHS when it comes to energy infrastructure is not always clear. At the same time, the parts of the intelligence community that look at foreign threats don’t look inside the United States, and the FBI does not look at threats outside the United States. The handoff between these agencies is not always smooth. The Department of Defense, which relies on the civilian electric grid for its own operations, is a mission-driven, relatively competent bureaucracy, but it does not have responsibility (or expertise) for the defense of domestic critical infrastructure – again, that’s DHS.  Indeed, U.S. armed forces are legally prohibited from operating within the United States, except in support of civil authorities and a few other exceptions. FERC, of course, has regulatory responsibility for interstate transmission of electricity, but that’s a relatively limited jurisdiction when it comes to foreign threats. Basically, there are too many cooks, and they’re not always in the right kitchens — or all that good at cooking sometimes.

Of course, the grid system is owned and operated largely by private companies (and some municipal authorities), with important management and oversight at the state and regional level. So, arguably, that mitigates against Federal dysfunction, but again, it’s not reasonable to expect a Public Utility Commission to track, analyze, judge, and defend against foreign threats. That should be a Federal responsibility. There’s also the matter of who pays – utilities may or may not invest in security, if left to their own devices.

In any case, the meeting in December confirmed some of my worst fears and allayed others, but it certainly reinforced my conviction that the country needs a better defense for this electrified age.