June 4, 2020
The Honorable Angus King
The Honorable Mike Gallagher
Cyberspace Solarium Commission
2900 Crystal Drive, Suite 250
Arlington, VA 22202
Dear Senator King and Representative Gallagher:
We represent a large coalition of national security experts, policymakers, government civil servants, and patriotic American citizens who are rightly and deeply concerned about the security of our nation’s most critical infrastructure – the electric grid. We are writing first to commend you on the excellent work of the Solarium Commission. Secondly, we write to warn you about the danger to the security, reliability, and safety of the electric grid created by a bill recently filed by Senators Murkowski & Risch in the Senate Energy Committee: S.3688.
As you will see in Appendix A, we collectively conclude that there is no way this bill could be amended and still be helpful for the cybersecurity of energy infrastructure. It appears that it was drafted by the utility industry for the express purpose of codifying the current “security through obscurity” regime that keeps us vulnerable and betrays the public trust. This systemic coverup of electric grid standard violations by the industry and their self‐regulator, the North American Electric Reliability Corporation (NERC), has been enabled by the Federal Energy Regulatory Commission (FERC).
As you will see in Appendix B, one of our Coalition members – Command Sergeant Major Michael Mabee (U.S. Army, Retired) – wrote to Senators Murkowski and Manchin 18 months ago with his concerns about this coverup and how, since it began in 2010, there have been far fewer incentives for grid operators to fix grid security issues. Mr. Mabee’s letter was met with no response.
As you will see in Appendix C, Mr. Mabee created the CIP violation database to disclose to the public the identities of violators of Critical Infrastructure Protection (CIP) standards as his investigation continues. Unfortunately, Mr. Mabee was forced to file a lawsuit against FERC under the Freedom of Information Act (FOIA) due to FERC’s delay and denial of his FOIA requests.
On August 27, 2019, FERC opened Docket AD19-18-000 with a “White Paper” requesting comments from the public on the issue of transparency. As you will see in Appendix D, there were 61 individuals and/or organizations which filed comments in favor of increased transparency and 12 which filed comments against it. Clearly, the public and state governments favored increased transparency.
Two very important findings of your Commission that S.3688 seriously challenges are (1) the current vulnerability of national security facilities in many of the 50 states, including Alaska and Hawaii and (2) the systemic weaknesses of the FERC/NERC CIP standard, i.e., how few (less than 10%) of the lower 48 state Transmission systems are covered by those standards. Alaska and Hawaii are further menaced by the exclusion of those states from Section 215 of the EPA which S.3688 ignores.
Similarly, the Executive Order on Securing the United States Bulk-Power System (13920) issued on May 1, 2020 declared a national emergency with respect to the threat to the United States bulk-power system and improved the conditions through which your Commission’s recommendations could be applied to the electric power industry, especially with regard to mitigating supply chain vulnerabilities. In fact, numerous security experts have pointed out that the current NERC CIP standards on cybersecurity do not comport with this Executive Order, prompting FERC to open a legal docket on this important matter (Docket EL20-46-000). S.3688 could make it extremely difficult for independent security experts to analyze inconsistencies such as these and thus curtail the much-needed public policy debate on how to improve the nation’s cybersecurity.
The Solarium Commission’s major recommendation on Deterrence critically needs early implementation to establish a solid base for cybersecurity defense of the nation, clearing the way for subordinate actions on DoD and IC defensive measures, regulatory standards, EO13920 tasks, and other pending congressional legislation. S. 3688 stands in the way.
We hope that this letter and its associated appendices make it clear to your Commission that S.3688 was crafted in order to further obscure from public scrutiny the types of real reforms needed to improve security – and especially cybersecurity – for the electric grid, that it is contrary to the public interest, and that it should be met with opposition from elected officials who place transparency, accountability, and security above the special interests of the industries regulated by government.
Appendix A – Irreparable Issues with S. 3688
Appendix B – Letter to Senators Murkowski & Manchin, January 30, 2019
Appendix C – Website: CIP Violation Database and FOIAs
Appendix D – Article: Multiple States to FERC: “The public has a right to know”
cc: Senate Energy and Natural Resources Committee