State utility commissions can strengthen the cybersecurity of U.S. critical infrastructure – particularly the electric grid – by advancing several relevant
recommendations of the Cyberspace Solarium Commission report released last month.
Two of the Solarium Commission’s members – Southern Company Chairman, CEO and President Tom Fanning and former National Security Agency Deputy Director Chris Inglis – briefed utility commissioners on the report’s key pillars during a webinar. The event was cosponsored by the National Association of Regulatory Utility Commissioners and the not-for-profit Protect Our Power organization.
“Every aspect of society – from critical infrastructure, banking, education, and healthcare – relies on safe, reliable utility services and communications networks. The layered cyber deterrence approach outlined in the Cyberspace Solarium Commission's report may serve as a practical roadmap to protect our critical infrastructure,” said NARUC President Brandon Presley, of the Mississippi Public Service Commission. “I am pleased that our association is able to work collaboratively with Protect Our Power to share this important information with our regulators and the broader utility community.”
The Cyberspace Solarium Commission was established by Congress to "develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences." The finished report, consisting of more than 80 recommendations organized into six key pillars, was presented to the public on March 11.
“The battles of the future will be fought on our nation’s energy infrastructure, telecommunication networks and financial systems,” said Fanning. “The Cyberspace Solarium Commission was created to reimagine military doctrine for this new digital reality. Fully 87 percent of the critical infrastructure in the U.S. is owned by private industry, making the collaboration between the private sector and government in protecting our American way of life that much more vital.”
The six key pillars of the Solarium Commission report are:
- Reform the U.S. Government's Structure and Organization for Cyberspace. While cyberspace has transformed the American economy and society, the government has not kept up. Existing government structures and jurisdictional boundaries fracture cyber policymaking processes, limit opportunities for government action, and impede cyber operations. Rapid, comprehensive improvements at all levels of government are necessary to change these dynamics and ensure that the U.S. government can protect the American people, their way of life, and America’s status as a global leader.
- Strengthen Norms and Non-Military Tools. A system of norms, built through international engagement and cooperation, promotes responsible behavior and dissuades adversaries from using cyber operations to undermine American interests. The United States and others have agreed to norms of responsible behavior for cyberspace, but they go largely unenforced. The United States can strengthen the current system of cyber norms by using non-military tools, including law enforcement actions, sanctions, diplomacy, and information sharing, to more effectively persuade states to conform to these norms and punish those who defect from them. A coalition of like-minded allies and partners willing to collectively support a rules-based international order in cyberspace will better hold malign actors accountable.
- Promote National Resilience. Resilience, the capacity to withstand and quickly recover from attacks that could cause harm or coerce, deter, restrain, or otherwise shape U.S. behavior, is key to denying adversaries the benefits of their operations and reducing confidence in their ability to achieve their strategic ends. National resilience efforts rely on the ability of both the United States public and private sectors to accurately identify, assess, and mitigate risk across all elements of critical infrastructure. The nation must be sufficiently prepared to respond to and recover from an attack, sustain critical functions even under degraded conditions, and, in some cases, restart critical functionality after disruption.
- Reshape the Cyber Ecosystem. Raising the baseline level of security across the cyber ecosystem—the people, processes, data, and technology that constitute and depend on cyberspace—will constrain and limit adversaries’ activities. Over time, this will reduce the frequency, scope, and scale of their cyber operations. Because the vast majority of this ecosystem is owned and operated by the private sector, scaling up security means partnering with the private sector and adjusting incentives to produce positive outcomes. In some cases, that requires aligning market forces. In other cases, where those forces either are not present or do not adequately address risk, the U.S. government must explore legislation, regulation, executive action, and public- as well as private-sector investments.
- Operationalize Cybersecurity Collaboration with the Private Sector. Unlike in other physical domains, in cyberspace the government is often not the primary actor. It must support and enable the private sector. The government must build and communicate a better understanding of threats, with the specific aim of informing private-sector security operations, directing government operational efforts to counter malicious cyber activities, and ensuring better common situational awareness for collaborative action with the private sector. While recognizing that private-sector entities have primary responsibility for the defense and security of their networks, the U.S. government must bring to bear its unique authorities, resources, and intelligence capabilities to support these actors in their defensive efforts.
- Preserve and Employ the Military Instrument of National Power. Future crises and conflicts will almost certainly contain a cyber component. In this environment, the United States must defend forward to limit malign adversary behavior below the level of armed attack, deter conflict, and, if necessary, prevail employing the full spectrum of its capabilities. Conventional weapons and nuclear capabilities require cybersecurity and resilience to ensure that the United States preserves credible deterrence and the full range of military response options. Across the spectrum from competition to crisis and conflict, the United States must ensure that it has sufficient cyber forces to accomplish strategic objectives through cyberspace.
Two recommendations on pages 4 and 5 of the report make clear the critical need for a more resilient electric grid by calling for actions to protect “critical functions” that are dependent upon a reliable power supply:
- Congress should direct the U.S. government to develop and maintain Continuity of the Economy planning in consultation with the private sector to ensure continuous operation of critical functions of the economy in the event of a significant cyber disruption.
- Congress should codify the concept of “systemically important critical infrastructure,” whereby entities responsible for systems and assets that underpin national critical functions are ensured of the full support of the U.S. government and shoulder additional security requirements befitting their unique status and importance.
The full report is at https://www.solarium.gov.