18 Comments
Apr 2, 2021

Virtually all of the "privately-owned" power grid assets in the US are owned by regulated utility and generation companies. Among other regulations, these companies are subject to oversight by NERC (the North American Electric Reliability Corporation), which is responsible for ensuring energy industry compliance with Critical Infrastructure Protection (CIP) standards.

The proper role of the federal government would be to ensure that CIP standards adequately addressed cyber threats, including providing technical and research support to NERC as required.

The cost of whatever additional measures the utility and generation companies needed to take to meet cyber-augmented CIP standards would be borne by those companies and passed to their customers (us). This is a far more efficient way to fund cyber hardening than if the federal government directly funded it, and raised our taxes to do so.

Why? Because the cost would be borne directly and proportionately by those who benefit. The federal government may collect additional taxes in the name of solving specific problems, but then spends the money for other political priorities.

A simple example is the Highway Trust Fund, an entity originally set up to collect federal motor fuel taxes and fund the maintenance and expansion of the nation's highway infrastructure. It worked well for a while, but ultimately the federal government began looting the HTF to use for welfare and other political priorities. The result is that the nation's highway infrastructure has been severely neglected for over four decades, with the "new" answer being more taxes to fund a $2 trillion infrastructure program.

author

Jim, this is an excellent articulation of the historical conservative position. And I agree with most of it. The challenge, however, is that over the last several decades, private companies either cannot, or have chosen not to, make the investments that are required to meet the threat. It's arguable that NO company could operate profitably if they are expected to keep pace with nation-state actors on their own. And yet, any significant vulnerability to their systems could pose a systemic threat to the broader network/nation. What happens, for example, when the market will not support the costs of securing this infrastructure and when this insecurity is an unacceptable risk to the nation?

First, cyber-threat resistance in the design and implementation of cyber systems, which I believe should be handled by the potential targets under standards promulgated by industry or government, is different from cyber defense (i.e. identification of bad actors and cyber-countermeasures), which should legitimately be handled by the federal government (as is military defense).

These two aspects complement one another. If defense fails or is abrogated at the national level, then indeed the cost and risk of defending (or repairing) private cyber systems could exceed what the market can bear for the related services offered. Again, the analog is military defense, which provides a relatively secure environment in which our economy can operate.

Regarding the ability to fund the needed investment, utility and generation companies are very well-capitalized and have ready access to financing vehicles (usually bonds), so capital would not be a problem.

The federal government should perform ONLY those duties that are explicitly enumerated in the Constitution, OR (1) are necessary to support the common defense and general welfare of the nation AND (2) cannot be performed effectively by the states, the private sector, or individual citizens. Writing checks to businesses in the name of cyber security would be the antithesis of this philosophy.

author

To be brief, I guess what I'm wondering is if USG investment in cyber resilience does meet both of your requirements (1 and 2)? When you speak with the utilities, they do not say they are well capitalized, and their investment in their core capacity (or lack thereof) -- let alone in cybersecurity -- seemingly demonstrates this lack of resources. Your point about the military providing a relatively secure environment may be ignoring the core point: that it is the private sector that provides 70+% of the environment for secure networks, not the government. And yet, these networks are critical for the "common defense."

Agree! HTF is a great example. And, of course, also the SSA. Just stick to enforcement of the regulatory function already on the books. This massive expansion of federal overreach is unwarranted. Where does it end? Look at Argentina.

Apr 2, 2021

In a situation like this the government reasonably has a role creating uniform standards and requirements that are a framework for success. Requirements should be effects-based: what the utilities must achieve in cyber-security, not how. Meanwhile the standards should form the testing criteria against which the utilities' compliance is tested.

There are critical nodes that are of national security significance that should be protected and yes, even if they are in part or in whole owned by private sector entities, they play a crucial role in daily operations and the safety of the citizenry. Therefore, their protection is also the responsibility of the government.

Very glad to see this Bill as our infrastructure is a mess right now and not just the grid but also bridges, dams and roads. This is something we desperately need to improve travel, logistics and security within the US.

author

Thanks, JJ. It's unfortunate that critical issues like these get lumped in with so many "bridges to nowhere" or completely unrelated pet projects -- it confuses the whole matter and consistently leads to critical issues going unaddressed. But, it's also how the sausage is made in DC ... so, there's that.

What the federal government should do is adopt a more secure system/standard for communications such as ATM or switched virtual circuits. The world has demonstrated that it's impossible to secure Internet Protocol communications.

That the founders "envisioned"

The Federal govt is involved in far more things than the original founders ever invisible. Stay out of private business, reduce red tape.

This bill pushes forward a left wing agenda. It contains some needed federal infrastructure repairs and mostly pet projects that the markets have avoided because there has been no public desire. The government needs to focus on their Constitutional duties, which don't include trans surgeries for the military while we fall behind China in hypersonics. Most of this is wasteful.

author

So ... should the USG provide industry funds for cybersecurity?

They should require all defense and government contracted companies to meet the necessary cyber standards and put laws in place for the protection of consumers and repercussions if a private company fails to secure their data.

I absolutely agree that there is far too much government in everything, and asking them to update our power grid is like handing the keys to the hen house over to the fox. There's nothing as permanent as a "temporary" government anything! However, with that said, our power grid is in desperate disrepair. For example, as evidenced in California, they had blackouts during the fire season last year because of the terrible state of their power lines, which has occurred under decades of Democrat-controlled mismanagement. Unfortunately, Californians are the ones left to suffer the consequences, not the politicians, most notably the governor. Although California is likely the worst-case scenario in the country, many studies have indicated power grids throughout the country are old, failing and need hardening against a possible EMP attack. It's obvious the cited rules and regulations are not addressing the problem, nor holding the private ownership(s) to account with hefty fines and maybe prison time, so what other options are available? We, as a nation, can ill afford a massive power grid failure in one or several states, let alone the entire country! As abhorrent as the idea is of having the federal government take over yet another facet of our lives, perhaps it's the only viable solution at this point???

author

Thanks, Meledie. My hope is that there's some room between a complete failure of the grid and "total government takeover." Guess we'll see.

Agree that the Feds should provide the criteria & enforcement to secure our electric grid, but no way do they need to take over private ownership. SSA is a good example of politicians unable to keep their hands off money that belongs to others.

author

No one is proposing government takeover of industry. We're talking about making funds available to industry for cybersecurity investment.
