Washington, D.C. – The Bipartisan Policy Center (BPC)’s Energy and Homeland Security Projects are establishing the Electric Grid Cybersecurity Initiative to develop recommendations for how multiple government agencies and private companies can protect the North American electric grid from cyber attacks. The initiative will consider how to allocate responsibility for cyber attack prevention and response, facilitate the sharing of intelligence about cyber threats and vulnerabilities with electric power companies, and ensure appropriate privacy protections for customer data.
The effort will be led by three co-chairs with diverse expertise on electric power and national and homeland security issues: General (Ret.) Michael Hayden, Principal at The Chertoff Group and former Director of the Central Intelligence Agency and National Security Agency; Curt Hébert, Partner at the Brunini Firm, former Federal Energy Regulatory Commission (FERC) Chairman, and former Executive Vice President of Entergy Corporation; and Susan Tierney, Managing Principal at Analysis Group and former Assistant Secretary for Policy at the Department of Energy and Massachusetts public utility commissioner. The co-chairs will consult with an advisory group of industry experts, former government officials, and other cybersecurity specialists.
“The threats to our nation’s critical infrastructure are very real, and we are launching this initiative to ensure our cybersecurity policies stay ahead of the threats. We will look at the appropriate roles for the various federal and state government actors to ensure security of the grid, as well as ongoing industry-led efforts to address cybersecurity issues,” said General (ret.) Michael Hayden. “We will also explore ways to ensure that the response of government and industry is swift and coordinated if there is an attack.”
Currently, there are many efforts throughout the government to protect infrastructure from cyber attacks, including those in President Obama’s Executive Order to establish voluntary cybersecurity guidelines and to encourage information sharing between private companies and the government. Congress has also been active on this issue and the House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA) in April 2013. Nevertheless, concern lingers that federal agencies will establish uncoordinated or inconsistent policies to address specific cyber threats in different sectors.
“FERC already has standard setting authority through the North American Electric Reliability Corporation (NERC) for large portions of the electric grid, but its authority doesn’t cover local distribution systems, which are regulated by states. One key question is whether additional mandatory standards are necessary or whether gaps can be filled through a system of voluntary standards and incentives,” said Curt Hébert.
“The electric power sector has already made important progress in addressing cybersecurity. Given how important electric system reliability is to the nation’s economy, along with its interdependence with other sectors, such as telecommunications and natural gas pipelines, the electric system makes it an interesting case study for cybersecurity governance,” noted Sue Tierney. “There are important regulatory and other policy questions related to who invests in and pays for electric grid cybersecurity protections,” she added.
The three co-chairs of BPC’s Electric Grid Cybersecurity Initiative will release a white paper in the fall with recommendations for policymakers. In addition, BPC plans to hold a public workshop this summer with the co-chairs, advisory group, and other relevant experts to explore the topics discussed above and to get further input and advice.