Does FERC Seek War Powers?
One could infer that by reading the words of Joseph McClelland. He's director of the Office of Electric Reliability at the Federal Energy Regulatory Commission, the federal agency with jurisdiction over interstate electricity sales and wholesale electric rates.
In prepared testimony delivered Thursday at a hearing on cybersecurity and the critical electricity infrastructure before the Senate Committee on Energy and Natural Resources, McClelland said that any new legislation should allow the commission to take action before a cyber or other national security incident occurs to prevent a significant risk of disruption to the electrical grid. His statement read:
"In order to protect the grid, it is vital that the commission be authorized to act before an attack."
In order to protect the grid, it is vital that the commission be authorized to act before an attack.
McClelland didn't provide details in his prepared remarks on what he meant by "authorized to act before an attack." No doubt, the government should use nearly any means to prevent a real or virtual attack on the nation's critical infrastructure, including our electrical system. Any significant power loss would devastate our nation and economy. Using cyberspace as an offensive weapon to prevent attacks is appropriate.
But we shouldn't authorize specific commissions or agencies to provide the virtual weaponry to deploy against our online adversaries. That should be placed at the White House level or through a joint cyberspace defense command being organized by the military.
The electrical grid, no doubt, is part of the nation's critical infrastructure. Yet, it seems, not every owner and operator of power generators sees itself as being critical.
In his testimony, McClelland told the Senate panel a disturbing fact culled from a recent survey by the North American Electric Reliability Corp., a not-for-profit corporation that promotes electrical bulk power transmission: Only 29 percent of power generation owners and operators reported at least one critical asset. It's unclear what portion of the U.S. generation capacity that 29 percent represents or what portion of the designated critical assets represent, he said. "Thus, it's not clear - even today - what percentage of critical assets and their associated critical cyber assets has been identified. It is clear, however, that this issue is serious and represents a significant gap in cybersecurity protection."
What are your thoughts about the-best-defense-is-the best-offense approach to securing our critical IT infrastructure. Should it be centralized, and if so where? Or, should each organization develop its own plans, even if it means making virtual attacks against adversaries abroad? Share your thoughts below.