When it comes to cyber attacks, the campaign meddling in 2016 that led to indictments of 12 Russian military intelligence operatives this month was just the tip of the iceberg. Ukraine knows how much more serious it can get. One month after the U.S. election, hackers — likely operating with the approval, if not at the direction, of Russian President Vladimir Putin’s government — shut down the grid supplying power to thousands of Ukrainian business and homes on a bitterly cold winter night. The lights went out across Kiev, and the proverbial warning lights flashed red for homeland security experts in Washington.
The threat of a similar attack targeting U.S. power utilities no longer is theoretical. Knowing that cyber weapons can be deployed with low cost, high impact and plausible deniability, Russia, Iran and North Korea have become much more aggressive in recent years. In March, the FBI and the Department of Homeland Security released details of “a multistage intrusion campaign by Russian government cyber actors” targeting the U.S. power grid and other critical infrastructure. As assistant secretary of Department of Defense (DoD) for Homeland Defense and Global Security, and later as chief of staff at DoD, part of my job was to ensure the military was taking aggressive steps to protect the American people from such attacks. Now, more than ever, we need to raise our game.
{mosads}But rather than focus national efforts to combat the very real threat that cyber poses to the U.S. power grid, President Trump, citing national security — and the threat of cyber attacks in particular — is proposing to spend billions of dollars to bail out economically uncompetitive coal and nuclear plants. The administration claims that the power plants at issue are critical for energy resilience, a claim disputed by companies that actually operate the grid and the president’s own appointees at the Federal Energy Regulatory Commission.
If the goal is to mitigate the cyber threat, the plan makes no sense. Bailing out uneconomic power plants would do nothing to improve cyber security for the energy sector. In fact, it wouldn’t even improve cyber security at the subsidized plants themselves. Meanwhile, it would siphon off much-needed resources from the real work of protecting our energy grid.
Ironically, a leaked memo outlining the administration’s plans actually gets some things right about the threats we face. It points to the “growing threats of multi-point attacks” on the electrical grid, to the “vulnerabilities of industrial control systems” used to operate our energy transmission and distribution network, and to the growing number of attacks on critical infrastructure by hostile cyber actors. From my old office in the Pentagon, I saw these same worrisome trends. The president’s plan, however, would do nothing to reverse the very threats it has identified.
It isn’t surprising that the Department of Energy’s own “Multiyear Plan for Energy Sector Cybersecurity” issued in March makes no mention of preserving uncompetitive coal and nuclear capacity. Instead, the report urges policymakers to focus on the areas of highest risk, stating: “Resources are limited and all systems cannot and should not be protected in the same manner.”
But instead of focusing on the greatest cyber risks, the Trump White House is using national security as cover to advance what appears to be simply a political objective — bailing out select utilities and segments of the ailing coal industry.
The price for such actions would be steep. It will cost real money — one study estimated as much as $11.2 billion per year — to prop up uncompetitive coal and nuclear plants. Power companies forced to buy more expensive power will pass that cost along to customers, or under the Cold War-era law Trump apparently plans to invoke, could possibly even be reimbursed out of the defense budget — money that should be spent fortifying our cyber defenses and training and equipping our troops to fight real threats to our country.
There is much work to do to protect critical energy infrastructure. It will not be easy or cheap. If Russian or North Korean hackers try to turn the lights off in American cities, aging coal or nuclear plants won’t stop them. That will take thoughtful, careful and integrated cybersecurity and resilience planning. Congress and the American people should demand that the president abandon his ill-advised plans and focus on real threats to American energy security.
Eric Rosenbach is co-director of the Belfer Center on Science and International Affairs at Harvard Kennedy School and director of the Defending Digital Democracy Project. He is a former chief of staff to the secretary of the Department of Defense, assistant secretary of Defense, and national security advisor for Sen. Chuck Hagel (R-Neb.).