In its recent report on Smart Grid Cyber Security, the Government Accountability Office (GAO) made some interesting observations (thanks to Andy Bochman of Smart Grid Security Blog for pointing this out). The Smart Grid is the way of the future in electricity management. It is needed, and is, frankly, the smart way to go.

That said, many experts worry about the vulnerabilities of a system that is based on gathering data from millions of wireless transponders on the electrical meters of houses and buildings. For all the efficiencies that can be gained, there are many weaknesses introduced if not executed with wisdom and technological savvy.

GAO lists several major challenges on the highlights page of the July 2012 report. The last four of those challenges concern partly the utilities themselves and partly the larger industry ecosystem:

  • A focus by utilities on regulatory compliance instead of comprehensive security;
  • A lack of security features consistently built into smart grid systems;
  • A lack of an effective mechanism in the electricity industry for sharing information on cybersecurity and other issues; and
  • A lack of metrics in the electricity industry for evaluating cybersecurity.

There is much room for comment on all four of these, but the basic focus should be on the first one listed. There is a “default setting” in businesses and government entities that drives them toward regulatory solutions. It is a harmful tendency in our modern world.

GAO’s first finding highlights exactly this issue. If you set a regulatory standard, everyone immediately moves to ensure full regulatory compliance. Who would not? Fail to comply and you get fined, or shut down. The problem is that a regulatory standard is a floor, fixed at the moment it was written, and in the fast-paced world of cybersecurity attackers are not bound by it and adapt far faster than any standard can be revised. By simply meeting the minimal standard of regulatory compliance, you are NOT really secure. Entities must go further and develop comprehensive security.

The recently defeated Cybersecurity Act of 2012 was based primarily on a regulatory framework. This aspect was softened in the pre-vote negotiations but not enough to assuage concerns of many. My criticism of this aspect of the bill was heavy.

I received a great deal of pushback for my comments on this, one even asking me if I had suddenly started to believe cybersecurity was not important. My answer was that I most certainly did still believe in the importance of improved cybersecurity, but frankly, this regulatory medicine will, one, not solve the problem, and two, probably have exactly the effect indicated by the GAO report.

We must find ways to share information, to leverage the capabilities of the combined private and public sector enterprise, and to continue fostering innovation and creativity. If we can find the right vehicle to do all that, I believe the United States will continue to flourish.

Simply put, regulation is NOT the right vehicle.

Dr. Steven Bucci is director of the Allison Center for Foreign Policy Studies at The Heritage Foundation. He was previously a lead consultant to IBM on cyber security policy. Bucci’s military and government service make him a recognized expert in the interagency process and defense of U.S. interests, particularly with regard to critical infrastructure and what he calls the productive interplay of government and the private sector.
  • Andy Bochman

    Bravo, Steve. This dynamic (asking if you had suddenly started to believe cybersecurity was not important) reminds me of Captain Black’s laughable Glorious Loyalty Oath Crusade in Heller’s Catch-22. Those who critique the substance of the recommended regulation, or the approach, in general, of using regulation to improve cyber posture, must be “against cybersecurity” for critical infrastructure. Geez.

    When you have a minute, please read the wonderful talk, introduced in this post, by a veteran FERC auditor who’s been in the trenches on these matters. Bonus: he’s got a great wit which really livens up the often enervating topic of cultures of compliance:

  • Jeff Gaynor

    Dead on target, Steven. Another in a long line of Cold War-era Critical Infrastructure Protection (CIP) policy and program failures. We have set the cyber and physical infrastructure preparedness bar at an undefinable level of “protection.” The Nation continues to pay for doing so in lives lost, prolonged human suffering, property, economic and social damage. The inadequacies of CIP policies and programs have only worsened over time. It has been better than 6.5 years since the Homeland Security Advisory Council recommended dramatically raising the infrastructure preparedness bar to Critical Infrastructure Resilience. In the wake of the breathtaking rejection of that recommendation, the nation has very slowly evolved and is now considering “the concept.” The operationally proven technologies, methodologies and metrics required to correct the Nation’s cyber and physical infrastructure death spiral and make Critical Infrastructure (and by extension national) Resilience a reality have been and remain immediately available. All that is needed is the courage to implement them.