Cyberspace Calls for New Stakeholder Roles, White House’s Daniel Says
DENVER -- Collaboration and planning are vital in combating cyberthreats, creating new roles and models, speakers said Monday at NARUC’s meeting. “You are the ones that can actually ask the hard questions of the utilities,” White House Cybersecurity Coordinator Michael Daniel told state regulators. He outlined the Obama administration’s cyber concerns and some of its priorities, as well as necessary actions in a cyberspace full of what he called very real threats. They have become part of “the new normal,” he said.
NARUC President Philip Jones called cybersecurity “a persistent and primary focus of mine” and said NARUC has now visited 30 states as part of its cyber briefings. The threats to infrastructure are “real” and “dynamic” and “constantly changing,” he said. He outlined the many developments on the federal level, calling the fate of legislation “murky” and the presidential directive voluntary. NARUC is holding multiple discussions on cybersecurity at its Denver meeting this week and considering one resolution addressing the topic.
“We have to think about how the role of the federal government plays out in this shared space a little bit differently,” Daniel said. These threats have prompted people to collaborate and talk about the problem, which is good news, he said. The federal government is considering different ways of approaching this security issue, unlike past models of security such as with border control, said Daniel. “It’s not that border space is borderless -- it’s interiorless.” He emphasized the importance of information sharing among different levels of government and companies. Perhaps the federal government should use the National Weather Service model, “so you have some idea of what the cyber weather’s going to be like,” he said. Or perhaps it should serve as a Centers for Disease Control for cyberspace or act akin to disaster management, with “rolling systems” of local, state and federal responses, said Daniel. The federal government does have “very clearly some roles” given threats emanating overseas, such as from China, he said. The appropriate dialogue is happening on that, he said.
The cyber knowledge of utilities “far outstrips” that of public utility commissions, said Arthur House, chairman of the Connecticut Public Utilities Regulatory Authority. “I don’t think that shocks anyone.” He called for a new way of thinking about how state regulators should operate. PUCs are now taking the problem seriously, despite the deficit of knowledge, he said. “We need to start out on the same side before we move to the more traditional role of regulator and utility,” House said. “We're in the game together, at least to get started.” Everyone should be “hesitant to be too prescriptive at this stage,” he added.
“Utilities should be actively working with vendors,” said Norm Dicks, former Democratic congressman from Washington, on updating outdated and insecure system controls. Now senior policy adviser at the Van Ness Feldman law firm, where he works on environmental regulatory issues (http://bit.ly/18vIyae), Dicks stressed the significance of the electric grid and the threats to it. The federal government should share more threat information and continue research and development on how to protect critical infrastructure, he said. The Obama administration should “forcefully advocate” for necessary cyber legislation, he said. “Congress often reacts as opposed to being proactive.” Regulators, utilities and technology providers must work together to combat the threats, he said. “Many state regulators, including California, are developing cybersecurity policies.”
“Every day we have 16,000 attacks that we prevent that are specifically targeted to Xcel Energy and its system,” CEO Ben Fowke said. He called cyberthreats very real. Last year, 2 to 3 percent of the company’s overall spending was devoted to these threats, he said. “We're all in this together -- this is new territory.” He emphasized security first, then compliance. There’s a crucial need for getting information in a timely fashion so the company can react to it, he said, pointing to “early warning signs.” He compared the potential attacks to a crowd acting out “the wave” in a sports stadium. Questar Corp. and others in the gas industry are “committed to raising the bar from the standpoint of cybersecurity,” said CEO Ron Jibson. “This is not static, this is not something we can address once.” The American Gas Association has created a cyber task force, he said. He noted that over 80 percent of the companies have taken some action with regard to cybersecurity. He thanked NARUC for its acknowledgment of the sensitivity of these companies’ data.
“We do need legislation, as Congressman Dicks said,” Daniel added. The government needs to enable that flow of information sharing, he said. Daniel emphasized that incentives should be in place to ensure this framework functions correctly and pressed for addressing liability rules in a way that makes sense. The key is “moving toward things like maturity models in this space,” adapting to threats that evolve, he said.