Biden admissions on “coming Russian cyberattack” should prompt lawmakers to act and emergency managers to prepare


On Monday, March 21st, the White House released a “Statement by President Biden on our Nation’s Cybersecurity,” followed by public statements in which Biden warned about the prospect of a Russian cyberattack, saying “it’s coming.”

Both the written and verbal comments reinforced the fact that “the federal government can’t defend against the threat alone” and Biden went on to tell U.S. critical infrastructure owners that “under U.S. law…the private sector…largely decides the protections that we will or will not take.”

Nothing could be truer about the protections of the nation’s most critical infrastructure – the electric grid – and this is a major problem, one that must be addressed by both the White House and Congress.

The reality is that the Russians have infected the U.S. electric grid with the same malware previously used to take down the Ukrainian grid, and despite years’ worth of warnings and even official complaints levied with the grid’s federal regulators by some of the most experienced and credible cybersecurity experts in the world, there is still no requirement to detect, mitigate, or remove that malware.

Nor are there any mandatory cybersecurity standards for real-time grid operations – an issue highlighted constantly over the years by former National Security Agency (NSA) Chief Information Officer (CIO) George Cotter. In a 2019 letter warning federal regulators about the penetration of the grid by Russian hackers, he assessed that the electric power industry’s claim that the bulk power system “hasn’t suffered any outage” due to cyberattack is “totally due to Russian restraint,” not industry action.

The current Secretary of Energy, Jennifer Granholm, admitted nearly a year ago that adversaries have the capability of shutting down the grid, and just yesterday White House Deputy National Security Advisor for Cyber & Emerging Tech, Anne Neuberger, warned that “the Russian government is exploring options for potential cyberattacks on critical infrastructure in the United States.”

And, unfortunately, the grid is vulnerable to much more than just cyberattacks.

A recent shocking episode of 60 Minutes highlighted that the grid has been subjected to more than 700 acts of sabotage over the last decade and that an adversary targeting just 9 electric substations could take out the entire grid for months or years. The show also revealed that there remains no enforceable standard established by government to defend against simultaneous physical attacks on multiple substations.

When questions arose about why these vulnerabilities persist, and why there aren’t effective regulations to secure the grid, White House Homeland Security Advisor, Dr. Liz Sherwood-Randall, flatly admitted, “In my view as the government, we can’t impose the regulations you’re suggesting.”

This is exactly the problem. The U.S. government has been concerned about the cybersecurity of the critical electric infrastructure since at least 2003, the security of the electric grid from physical threats since at least 1981, geomagnetic disturbance (GMD) threats since at least 1990, and electromagnetic pulse (EMP) threats since at least 1972 – and neither the President, nor his Homeland Security Advisor, are willing to impose regulations upon the electric utility industry to protect its infrastructure from any of these real and present dangers.

Nor does the self-regulated electric power industry want to add security “requirements” themselves.

This calls for urgent action by Congress to adopt legislation mandating that all entities, public or private sector, that are part of the electric grid take reasonably prudent actions needed to address cybersecurity, physical security, EMP/GMD protection and hardening for severe weather events.

A frequent excuse by government and industry pushing back against regulations to secure the grid is that there “shouldn’t be a one-size fits all” mandate. This type of legislation wouldn’t be “one size fits all” but rather would force the industry to look at all available solutions to secure their infrastructure.

Additionally, the Chief Executive Officer of each critical electric infrastructure entity should be required to certify periodically and publicly, as well as to state and federal authorities, that reasonably prudent grid security actions have been taken. Similar to the provisions of the Sarbanes–Oxley Act of 2002 on the financial sector, there must be civil and criminal penalties for false certification or failure to submit them.

Unfortunately, Congress’ track record for fixing the grid’s vulnerabilities is abysmal, thanks to undue influence of the electric utility industry. However, the recently passed $1.2 trillion Infrastructure Bill contains ample resources that can be rapidly allocated toward the purpose of hardening the grid – something that could turn industry detractors, who have some justifiable concerns about unfunded mandates, into grid security advocates.

Ultimately, if the White House refuses to mandate grid protections by executive order and Congress allows this regulatory capture to persist and does not rapidly allocate needed resources to protect the grid, our nation’s most critical infrastructure will remain extremely vulnerable to the “coming” Russian cyberattack and other threats. For these reasons, emergency managers should take steps to be better prepared in case the lights go out.
