Dichotomy (Part Two)
The Essentials, Twenty-first Edition
Since this is “Part II” of our discussion about cybersecurity for critical infrastructure sectors, I’ll kick it off with the last paragraph of Part I: “I’ve often referred to this risk and reward of digitalization/cybersecurity as the ‘yin and the yang’ – we can’t have one without the other. I can’t emphasize enough how important it is to transparently acknowledge both elements when we evaluate policies and the costs and benefits of those policies. In Part II of this edition of The Essentials, I’ll get into some of those policy debates and approaches.”
Let’s jump right into another dichotomy, then, shall we?
A dichotomy within a dichotomy, as it were. In addition to the yin and yang of digitalization/cybersecurity described above, there is a policy polarity as well. On one side of the policy debate is the (legitimate) argument that digital components evolve so rapidly that regulation of the risks, especially cybersecurity risks, cannot keep up with them and would therefore end up as “feel good” measures that either do not improve cybersecurity or actually degrade it, the latter because critical infrastructure entities would be preoccupied with regulatory compliance instead of staying one step ahead of the bad guys. On the other side is the (also legitimate) argument that regulation signals to the marketplace and to governing bodies that critical infrastructures (CI) need to invest more in cybersecurity, enabling their leadership to make those investments without being criticized by boards and investors for eating into profits. For regulated entities such as for-profit, investor-owned electric utilities, this regulatory “cover” is even more crucial because it can mean the difference between recovering cybersecurity expenses from ratepayers (through rate base) and absorbing them in their profit margins.
In my experience, the decision “to regulate or not to regulate” in the cybersecurity arena does not always fall along traditional party lines. Generally speaking, Republicans are more skeptical of regulation and Democrats are more comfortable with such mandates. Not so much with cyber. Both sides of the aisle align more toward some level of regulation on cybersecurity, at least at the federal level. Digging into this a bit, I want to be clear that, so far, most CI sectors are relatively lightly regulated on cybersecurity. But the national policy focus on cybersecurity that began two decades ago and continues today has involved a bipartisan mix of Members of Congress calling for higher levels of regulation, with many states also looking toward or standing up their own rules and regulations.
The lenses through which different Members of Congress and agency personnel view cybersecurity vary. Many Republicans have long viewed cyberattacks on U.S. CI sectors by nation states, terrorist groups, insiders, and others as national security threats so serious that regulation is not only acceptable but needed to connect the intelligence held by federal three-letter agencies (CIA, FBI, DHS, DOD, and others) with the day-to-day operations of CI sectors. This perspective is underpinned by what they learn in classified briefings about the capabilities of our adversaries. Many Democrats come to the same conclusion for some of the same reasons, but also because they often express skepticism about the willingness of corporations, including those in CI sectors, to invest in security and reliability.
With all that said, federal cybersecurity policies and policy debates have fallen into a few categories in the years since they began in earnest 20 years ago (with some foreshadowing in the few years before that). As you’ll note, some are “carrots” and some are “sticks”:
Incentives – federal funding for CI sectors to undertake cybersecurity initiatives and build their defensive capabilities, to perform tabletop exercises that test those cyber defense capabilities, to promote information-sharing portals and avenues, to enable some personnel in CI sectors to obtain security clearances, and so on. This is the “yin” of the policy dichotomy, involving “carrots” (a reason to act) rather than “sticks” (forced action). Note that not all CI sectors, much less individual (especially smaller) entities within a given CI sector, have easy access to these types of incentives.
Partnerships – as one response to 9/11, and with the creation of the Department of Homeland Security (DHS), the federal government recognized the need to better coordinate and interface with critical infrastructure sectors. The statute creating DHS in 2002 mentioned these sectors, and subsequently Presidential Policy Directive 21 designated the 16 CI sectors that I have discussed extensively in previous editions of this newsletter (plus the mining sector, which should be the 17th). This recognition initiated a stronger partnership between CI sectors and the federal government. Out of this effort came the National Infrastructure Protection Plan (NIPP), which provided the structure and guidance for each CI sector or major subsector to create Sector Coordinating Councils (SCCs) representing a cross-section of their industries, with those SCCs then interfacing with a Sector Specific Agency (SSA, now called a Sector Risk Management Agency, or SRMA), typically via a Government Coordinating Council (GCC) led by the SRMA. This setup has facilitated greater dialogue between these sectors and the federal government, as well as across sectors, although more of the latter is needed. These SCCs have also fostered dialogue within sectors. This has been particularly important given the recognition that information-sharing about cybersecurity threats is a vital defensive tool in the ongoing battle to protect our CI. These activities fall mostly into the “carrot” category.
Standards – this is the “yang” in the cybersecurity policy dichotomy, involving “sticks” rather than “carrots.” So far, the only two CI subsectors with a comprehensive set of mandatory and enforceable cybersecurity standards are the electric subsector (of the energy sector) and the nuclear power subsector (of the nuclear sector). Since both involve generating electricity, the two are often described as one sector. For purposes of this discussion, I will combine them.
Electric Subsector Spotlight
The electric subsector’s cyber regulations stemmed from overall electric reliability legislation developed by the industry itself and ultimately passed as part of the Energy Policy Act of 2005 (EPAct 05). In the final months leading up to passage of that legislation, the industry inserted language related to the development of cybersecurity standards. It was a bit of an afterthought, honestly, because the full cyber threat was not yet apparent. At the time, I was the lead lobbyist on the reliability language for the American Public Power Association, and I vividly remember this almost offhand discussion of cyber. We all agreed to include it, sensing it could become a bigger issue in the future, but little did we know at the time that what are now called the “NERC CIP” (North American Electric Reliability Corporation Critical Infrastructure Protection) standards would overshadow the other, more mundane, reliability standards (things like tree trimming) we had worked so hard to craft.
Soon after passage of EPAct 05, and while the reliability standards were in the first stages of implementation, Idaho National Laboratory (INL) tested what became known as the “Aurora Vulnerability.” The findings of the test were initially released only to a small subset of the electric sector, but someone leaked a video to CNN, and then the entire world knew. The test showed that remote access to control systems could be used to physically damage a generator, by repeatedly opening and reclosing its circuit breaker out of synchronism with the grid. While, at the time, the capability to do that in the real world was limited (most utility control systems were not yet connected to outside networks), the industry eventually responded to the potential vulnerability by developing mitigations through the NERC process. Upon initial release of the video, however, many Members of Congress questioned the preparedness of the electric sector and called for even stronger standards than those envisioned by EPAct 05/NERC CIP. These bipartisan leaders insisted on having the federal government alone draft standards, with little industry input beyond a regular rule-making process. The industry pushed back on this approach, arguing that full implementation of EPAct 05 should be allowed to proceed.
Eventually, and after many discussions, the industry’s approach prevailed, but a series of cybersecurity events, including the Stuxnet attack on Iran’s Natanz uranium-enrichment facility (discovered in 2010) and the Russian attacks on Ukrainian regional distribution utilities in 2015 and on Ukraine’s state transmission operator in 2016, kept Congress’s attention focused on the electric sector. In particular, questions arose about how utilities outside of the bulk power system would be protected. The EPAct 05/NERC CIP standards cover only utilities and other electric sector entities, such as generators, that could materially impact the bulk power system if they themselves were attacked. Smaller distribution utilities and island utilities were exempt from the requirements because what happens on their systems cannot meaningfully affect the bulk power system. This was not good enough for Congress, so eventually, in 2015, it passed legislation (known as the FAST Act) pulling into some level of compliance those distribution utilities that serve critical defense facilities (CDFs), regardless of whether they were already subject to NERC CIP. The electricity subsector eventually agreed to this approach after advocating that it be tailored appropriately, with the owners and operators of those systems at the table with the CDFs in identifying potential solutions or security needs.
A Broader View
In the 2012 timeframe, the Senate Homeland Security and Governmental Affairs Committee pushed for broad legislation to regulate cybersecurity for all CI sectors. That effort did not succeed, but pressure has since been put on other CI sectors to emulate the electric subsector’s approach.
While not yet able to broadly regulate CI sectors along the lines of NERC CIP, Congress has passed the broadest legislation yet to regulate cybersecurity incident reporting across all CI sectors, through a bipartisan bill enacted in March 2022. Known as the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), the law requires “critical infrastructure entities” to report “cyber incidents” and ransomware payments to DHS’s Cybersecurity and Infrastructure Security Agency (CISA), along with any substantial, new, or different information discovered related to a previously submitted report. While making its way through the legislative process, the law was criticized by some critical infrastructure sector entities as overly broad, burdensome, and duplicative of or potentially conflicting with existing requirements. Its application to smaller entities and the quick turnaround times for reporting (72 hours for a “substantial cyber incident” and 24 hours for a ransomware payment) may also prove difficult to enforce. CISA is currently taking comments on its proposed rule implementing CIRCIA.
Everything in Moderation
We have not seen the end of cybersecurity policy discussions, not by a long shot, but we now have a track record of both successes and gaps. The electric subsector in the U.S. has not yet been subject to a significant cyber-attack with operational consequences, and it is better prepared now either to fend off such an attack or to respond to a successful breach. The ransomware attack on Colonial Pipeline in 2021 had significant ramifications, and it was also an inflection point that pushed the oil and gas sector to better prepare for and respond to future attacks. The Transportation Security Administration (TSA) within DHS has engaged aggressively with industry in this regard, issuing pipeline security directives in the months after the attack, with several further policy efforts being considered as part of that engagement, likely with both “carrots and sticks.”
Regulation, when it is developed with industry’s technical and design input from the outset and balanced with collaboration, partnerships, training, and funding, has helped CI bridge the policy dichotomy, enabling these industries to make major strides over the last 20 years and to fend off most major attacks by our adversaries. As we grapple with the benefits and drawbacks of future scenarios, such as the implications of artificial intelligence, even better collaboration across CI sectors is a must, as is ensuring that CI entities have the flexibility to grow into future capabilities without being overburdened by inflexible regulations that might blind them to either the threats or their own future capabilities.