Why the U.S. Government Should Fund Cybersecurity Efforts of Private Companies Protecting the Power Grid
FBI Director Christopher Wray, while speaking at the Vanderbilt Summit on Modern Conflict and Emerging Threats in Nashville, Tennessee, in April, warned that U.S. critical infrastructure is a prime target of the Chinese government.
“The fact is, the PRC’s [People’s Republic of China’s] targeting of our critical infrastructure is both broad and unrelenting,” he said. Wray also noted that the immense size and expanding nature of the Chinese Communist Party’s hacking program isn’t just aimed at stealing American intellectual property. “It’s using that mass, those numbers, to give itself the ability to physically wreak havoc on our critical infrastructure at a time of its choosing,” he said (Figure 1).
Wray noted that during the FBI’s recent Volt Typhoon investigation, the Bureau found that the Chinese government had gained illicit access to networks within America’s “critical telecommunications, energy, water, and other infrastructure sectors.” Some cybersecurity experts have likened this activity to an act of war, although NATO hasn’t defined it as such just yet. In any case, it is a serious threat to national security.
“In this country, critical infrastructure is operated by the private sector, most of which are publicly traded companies,” said Alex Santos, CEO of Fortress Information Security, a company that specializes in cyber supply chain security for organizations that operate critical infrastructure including utilities and government agencies. Santos was speaking as a guest on The POWER Podcast. “Somehow, the private sector has taken on the responsibility to defend these acts of war, which I was always taught is the responsibility of the government,” he said.
While having private companies protecting the grid could be considered a strategic problem, Santos noted a tactical problem exists because of current interest rates. “Something that I think we all need to be acutely aware of is our critical infrastructure operators are under significant cost pressures because of interest rates,” he said.
“Critical infrastructure operators, especially utility companies—power companies—depend on interest rates to drive their business in two key ways. First, they need interest rates to be low to be able to fund capital projects. And, second, they need interest rates to be low to attract capital from investors that would otherwise be investing in bonds. With interest rates as high as they are, neither one of those is true,” he said.
As a result, critical infrastructure operators are having to cut costs across the board, according to Santos. And the costs that get cut first are often those that fall into the non-revenue-generating bucket, which is where information technology, including cybersecurity initiatives, generally reside. “Chief Financial Officers naturally are going to target information technology budgets for reduction,” Santos said.
“I think what’s really the point here is that the government is asking us to do more. We’re being attacked more by the adversaries. Regulations are coming in. It’s becoming more and more complicated with technology change. And, our budgets are being cut,” said Santos. Thus, while Wray can be commended for pointing out the national security problem Chinese hackers present to critical infrastructure, his words fall flat if the government doesn’t put its money where its mouth is, Santos suggested.
That’s not to say money isn’t being spent by the U.S. government. “The government is spending a lot on cybersecurity to help companies, but it’s going to research and universities,” Santos said. “How many research studies do we need to tell us that cybersecurity is a problem? How many research studies do we need to tell us that we don’t have enough cybersecurity workers? How much research do we need to give us 10 recommendations for how to increase the capability of our cybersecurity workforce? At some point, we need to actually do the work.”
Santos suggested money could be better spent helping companies repair vulnerabilities or by getting small businesses to install basic security precautions like endpoint protection and network monitoring. “Does the government study how to build a tank or do they build tanks?” Santos asked rhetorically. “The government builds tanks and they buy bullets,” he answered.
“So, think of it that way. We need to buy more tanks and bullets, and less research studies on which tanks, how many tanks, what kind of tanks—tanks with wheels, tanks with tracks—you know, let’s buy some tanks,” he said.
To hear the full interview with Santos, which contains more about cyber risks including how supply chains impact risks, how an SBOM (software bill of materials) can help lessen risks, the effect artificial intelligence could have on cybersecurity both in the short and long term (and it’s not a positive effect), why the concept of deterrence is important, and more, listen to The POWER Podcast. Click on the SoundCloud player below to listen in your browser now or use the following links to reach the show page on your favorite podcast platform:
For more power podcasts, visit The POWER Podcast archives.
—Aaron Larson is POWER’s executive editor (@AaronL_Power, @POWERmagazine).