Critical Infrastructure Protection – Two Decades of Failure

Why has so little critical infrastructure protection passed congress?

I just don’t get it.

I mean, I understand why Congress is struggling on health care and tax reform. The reds and the blues have different opinions and different philosophies and apparently nobody wants to compromise. I get that. It’s the same on a lot of issues, and I understand the inability of Congress to make the sausage in terms of its lack of compromising and sharing. Watching the news out of DC, it seems like we are dealing with a bunch of adults behaving like kindergarteners. I can wrap my head around all of that.

Here is what I don’t get: there is strong bipartisan agreement – and has been for decades – that critical infrastructure protection is needed. Yet, so little has been done.

Despite bipartisan efforts, in the last two decades, there have only been a few laws passed that touch on critical infrastructure protection. All three that I can name came seemingly as “afterthoughts” to the yearly National Defense Authorization Acts (NDAAs). The 2001 NDAA established the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack. The 2016 NDAA extended the EMP Commission until June 30, 2017. (Note that the EMP Commission has now unbelievably been disbanded.) Finally, the 2017 NDAA  implemented the “Critical Infrastructure Protection Act” (CIPA). This is the first meaningful legislation that requires the federal government to do something. It requires that the Department of Homeland Security:

• Develop and report on “a recommended strategy to protect and prepare the critical infrastructure of the homeland against threats of EMP and GMD.”
• Conduct “research and development to mitigate the consequences of threats of EMP and GMD.”
• Identify “the critical utilities and national security assets and infrastructure that are at risk from threats of EMP and GMD.”
• Conduct “an evaluation of emergency planning and response technologies that would address the findings and recommendations of experts, including those of the Commission to Assess the Threat to the United States from Electromagnetic Pulse Attack, which shall include a review of the feasibility of rapidly isolating one or more portions of the electrical grid from the main electrical grid.”
• Conduct “an analysis of technology options that are available to improve the resiliency of critical infrastructure to threats of EMP and GMD, including an analysis of neutral current blocking devices that may protect high-voltage transmission lines.”
• Assess “the restoration and recovery capabilities of critical infrastructure under differing levels of damage and disruption from various threats of EMP and GMD, as informed by the objective scientific analysis conducted under paragraph (1).”
• Conduct “an analysis of the feasibility of a real-time alert system to inform electrical grid operators and other stakeholders within milliseconds of a high-altitude nuclear explosion.”
• To “include in national planning frameworks the threat of an EMP or GMD event.”
• Conduct “outreach to educate owners and operators of critical infrastructure, emergency planners, and emergency response providers at all levels of government regarding threats of EMP and GMD.”

Don’t get me wrong – CIPA is awesome and a long time coming. But experts argue that it could be too little too late. The problem is that it will literally take years for CIPA to have a meaningful impact. It is a great start that will protect us years down the road (if the federal agencies and private sector entities do their jobs). But in the meantime, we are vulnerable. And, don’t expect everybody to trip over themselves over the next few years to protect the grid.

“The Grid” Strikes Back

What is “the grid”? The grid is over 3000 companies involved in generation, transmission and distribution of electrical power. “The grid” is not one thing. In fact, in the U.S., there are three “grids” which involve thousands of public and private sector utility companies. The federal government does not regulate “the grid” – it is self-regulated. Hmmm. Self-regulation worked out pretty well on Wall Street in 1929, 1987, 2000 and 2008.

So, the federal government can’t tell “the grid” to harden itself. It can make suggestions. The Federal Energy Regulatory Commission (FERC) can make suggestions to the industry’s “lobbyist” The North American Electric Reliability Corporation (NERC). Remember, NERC’s constituents are companies that are either trying to make a profit (private sector utilities) or at least trying not to lose money (public sector utilities). Convincing NERC to adopt rules requiring its constituents to spend money hardening the grid is a tough sell. “The grid” does not want to be regulated. It enjoys the current slow and lumbering bureaucracy.

I’m not saying that FERC is impotent or that NERC is evil (although I would not argue these points). What I am saying is that critical infrastructure protection is an immediate and exigent national security issue. Threats to the electric grid are existential threats to the United States. What we have needed from Congress for two decades are meaningful and immediate actions – actions that have had two decades of bipartisan support and two decades of failure to act.

Two Decades of Critical Infrastructure Protection Failure

I have been researching these issues for years. I have found that there are two decades of hearings, reports and failed legislation to protect the power grid from real and acknowledged threats. What are some of the threats?

• Weather (e.g., Hurricane Maria in Puerto Rico and the U.S.V.I.)
• Solar Flare or Geomagnetic disturbance (e.g., Quebec blackout of 1989)
• Cyber-attack (e.g., Ukraine Blackout of 2015)
• Terrorism (e.g., Metcalf sniper attack in 2013 and 9/11 Lower Manhattan)
• Earthquake (e.g., 1989 Loma Prieta quake in California)
• Pandemic (listed by FERC and DOE as a threat to the power grid)
• EMP weapon (threatened by North Korea – possible from Russia, China and Iran)
• Human / computer error (there are numerous examples of this)
• A tree branch (e.g., Great Northeast Blackout of 2003)

Even if you don’t believe that one or more on this list “could ever happen to us,” it is beyond debate that all have either happened or are possible. So we can all agree that there are threats to the power grid.

So what if the worst happened? According to a March 2017 Senate report, up to 90% of the population of the United States could perish. How is this not a matter of exigent national security? How does this not constitute an existential threat the United States?

Yet, Congress over the last two decades has failed to protect us. Instead, we are at the mercy of “the grid” which has larger concerns (money) than our meager lives and deaths.

What Congress Must Do

• Enact immediate and meaningful critical infrastructure protection measures to harden the electrical grid and increase resiliency.
• Immediately reestablish The Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack.
• Give FERC (or somebody) the authority to require “the grid” to take immediate measures to prevent a national catastrophe.
• Reintroduce and pass a resolution on civil defense and community resilience (e.g., H. Res. 762, August 2, 2012, “Expressing the sense of the House of Representatives regarding community-based civil defense and power generation.”

What We Can Do

• Contact your Senators and representatives and demand their immediate attention to critical infrastructure protection. Write your own letter or send them this post! Find Your Representative and Find Your Senator
• Don’t wait. We have been waiting two decades. Take the cue from this failed house resolution and work with your community to make sure your community is prepared in the event of an emergency (any emergency). This is called civil defense.

Make no mistake. Your family’s survival is at stake. We can no longer sit passively while Congress sits passively. We need action to protect our families and communities.