Shining sunlight on a massive cybersecurity cover-up

“Sunlight is said to be the best of disinfectants; electric light the most efficient policeman.”

 – Supreme Court Justice Louis Brandeis

On May 12, the Senate Energy Committee Chairwoman, the Honorable Lisa Murkowski (R-Alaska), and her committee colleague, the Honorable James Risch (R-Idaho), filed the “Energy Infrastructure Protection Act of 2020” (S. 3688), claiming that it “takes important steps to ensure that information critical to utility operations is not unintentionally exposed, as that could surrender America’s energy security to foreign adversaries.”

In fact, this proposed legislation intentionally codifies the systemic cover-up of electric grid standard violations by the industry and its self-regulator, the North American Electric Reliability Corporation (NERC), which has been enabled by the Federal Energy Regulatory Commission (FERC).

Senator Murkowski was made aware of this cover-up in January 2019 in a letter from a prominent grid security researcher, Command Sergeant Major Michael Mabee (U.S. Army Ret.), which pointed out that FERC/NERC have concealed the names of companies violating Critical Infrastructure Protection (CIP) Standards on nearly 1,500 occasions, even when there is no reasonable “national security” reason to do so, because the violations have already been corrected and therefore are of no use to adversaries.

The identities of these violating utilities have been affirmed by FERC to be “Critical Energy Infrastructure Information” or CEII.  Mr. Mabee’s letter explained that the overuse of CEII and consistent lack of disclosure creates little incentive for utilities to fix their grid security problems.

Then, in August 2019, FERC opened Docket AD19-18-000 with a “White Paper” requesting comments from the public on this issue of disclosure and transparency. Sixty-one individuals and/or organizations (and even some state governments) filed comments in favor of increased transparency and twelve filed comments against it – all of which were electric utilities or groups that represent them.

As Mr. Mabee’s investigation continues, he has documented extensively how electric utilities have routinely abused CEII as an excuse to conceal violations of law, inefficiency, and administrative error and to prevent embarrassment. He has also chronicled how the elected officials who oversee the grid’s regulators are lobbied extensively by the utility industry, mostly through trade organizations, such as the Edison Electric Institute (EEI). EEI is funded by American ratepayers and also through contributions from its members, which include companies owned by Communist China.

In November 2019, Mr. Mabee reported that, “in total, the electric utility industry spent $24,725,200 in political contributions and spent $122,281,276 on lobbying in 2018. That is a total of over $147 million reasons why “they” (Congress) finds it difficult to pass grid security legislation which their benefactor (the electric utility industry) opposes.”

According to the Center for Responsive Politics, Senator Murkowski received $592,562 and Senator Risch received $61,500 of the total $3,329,692 in contributions made by the electric utility industry to members of the Senate Energy Committee in 2018. In fact, nearly 90% of the industry’s 2018 contributions to the entire Senate were made to members of this powerful oversight committee.

Meanwhile, the Senate Energy Committee’s new S.3688 proposes to give utilities free rein to expand the repugnant practice of abusing CEII and will enable its captive regulator – FERC – to grant them indefinite anonymity for violations of security standards. It also would prevent a concerned public from utilizing the Freedom of Information Act (FOIA) to ascertain which utilities have violated standards, broken laws, and put their ratepayers at risk.

Not only would this bill stifle needed changes in electric industry corporate culture, but it also appears to conflict directly with and counteract progress made by the Cyberspace Solarium Commission (CSC), which was established in the John S. McCain National Defense Authorization Act for Fiscal Year 2019 to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.”

Today, leading members of the Secure the Grid Coalition, including the former Director of Central Intelligence during the Clinton Administration – Ambassador R. James Woolsey, voiced their concerns about this legislation to the Commission’s Co-Chairs: Senator Angus King (I-Maine) and Representative Michael Gallagher (R-Wisconsin) in a 56-page letter.

As long as this proposed legislation stays active, the Coalition will continue to inform the public—and expose who in Congress is sponsoring the bill and why.

We will also inform appointed government officials, and especially those at the state level – such as public service commissioners – on how this bill is against the public interest. As we say in our letter, this bill will only hurt the electric industry in the long run because it will stifle security and resilience investments and prevent cost recovery:

“Utilities now face issues with paying for necessary security and reliability upgrades because they are a “victim of their own success” in obscuring from public scrutiny the challenges they face on these fronts since their violations have been covered up for so long. This bill will “codify that coverup” and enable even more safety, security, and reliability violations to be lumped in as “CEII” and further distance the industry from achieving cost recovery mechanisms. The bill severely disadvantages state public service commissioners in being able to maintain visibility over the industry’s vulnerabilities, making the industry less capable of justifying rate increases to pay for resilience.”

Citizens who are proponents of transparency and security and who are concerned about the resilience of our nation’s electric grid can join the Coalition in its opposition to S.3688 by encouraging their own elected officials at the state and federal level to read and share this important letter and to join the debate on the side of transparency and security rather than special interest.  On Twitter, they can use #SunlightSaves.

About Tommy Waller

Tommy Waller serves as the Director of Infrastructure Security at the Center for Security Policy. Tommy manages the Secure the Grid Coalition – a group of policymakers, defense professionals, and activists working diligently to secure America’s most critical infrastructure – the U.S. Electric Grid. Prior to joining the Center, Tommy served in the U.S. Marine Corps as an Infantry and Recon Officer with combat service overseas in numerous theaters.