Although the world enjoys unimagined accomplishments from digital communication, the dark side also compels our attention.
Cyber offense and defense are rapidly evolving forms of warfare. Our
public utilities are among the targets foreign powers have penetrated.
Our vital public services are vulnerable. U.S. national security
leadership has seen the exercise of cyber probes and weaponry, some in
overt military action and others, including foreign actions in the
United States, more exploratory "battlefield preparation," in military
terms.
For public utilities and the states that regulate them, cyber threats
risk denial of electricity, water, natural gas and telecommunications.
Our state emergency managers include cyber threats in their portfolio of
hurricanes, ice storms, other natural disasters and physical sabotage.
Cyber threats present a new dimension to emergency management with
potentially devastating consequences and without the certainty of
adequate defenses.
The threats are serious and obviously unwelcome to utilities and
their consumers, who have three basic interests at stake: assurance of
high-quality service, resilient systems to deliver those services and
reasonable cost. State regulators have enough work paying attention to
all three, especially given aging infrastructure and the changes posed
by cheap natural gas and the advent of renewable energy options.
Hurricanes and the like already provide enough resiliency difficulties.
What should state regulators do in light of this major challenge,
which is a modern weapon, and therefore —- like other national security
matters — appropriately in the hands of the intelligence community and
military? Most utilities, and certainly Connecticut's larger utilities,
take the threat seriously and manage protective systems, while
intelligence officials are concerned by foreign penetration and the
adequacy of our nation's utility security systems.
What should utilities spend to upgrade their defenses? To what extent
should they engage one of our nation's greatest cyber assets — private
sector firms — to assess and remedy security gaps?
The costs of defense are financial and social. Today, the cost of
physical security — both systems and armed forces — at some nuclear
generation facilities equals the cost of operations. Storm-related
outages provoke public outrage over service interruption. How much more
should the ratepayer contribute to cyber security, and how should the
money be spent? How can state regulators determine where adequacy ends
and unnecessary costs begin?
As for social costs, the tension between individual liberties and
security is clearly at play. Stringent controls to thwart cyber
disruption might significantly diminish civil liberties. The obviously
unacceptable alternative of a police state would make us safer from
cyber attacks. But how much risk can and should we accept to protect
those freedoms that define who we are?
Firearms and automobiles have brought security and mobility, but the
costs of death and suffering have compelled reckoning and regulation.
Similarly, cyber threats are a dark side of the revolutionary life
changes enabled by the computer, Internet and digital revolution. The
possibility of a hacker or nation-state disabling a water system, gas
pipeline or electric grid, or leaving us unable to communicate or access
financial or health data, are real. The public deserves to know what
the threats are, and how their government is responding.
We have work to do at all levels of government. At the federal level,
we count on intelligence and defense officials to protect us — but also
to communicate with us. Trust depends upon credibility and requires
active, skilled management. Inadequate information and weak
congressional oversight and partnership do not build public confidence.
State regulators cannot become national security officers to combat
what is basically a national security challenge. But they can set
standards, collaborate with public utilities and accept reasonable,
well-designed expenses to enhance safety. Connecticut is intensifying
its work with its public utilities, which long ago started their cyber
defense programs and initiated planning for dealing with disruption.
Several strengthening steps are possible, such as requiring utilities
annually publish a statement from a reputable security company affirming
(or not) that the company takes reasonable steps to ensure cyber
security.
The most difficult adjustment lies with all of us — understanding and
accepting the reality of cyber vulnerability and its unpredictable
consequences. In the past, Americans have been able to take action, find
reasonable solutions and do what makes sense without giving up the
essential. We can do it with cyber, but it's time to kick into gear. The
threat is real, and the work will be demanding
No comments:
Post a Comment