In his first week in office, President Biden put U.S. security at great risk by giving China autonomous ability to control the national power grid.
Biden issued executive order 13990 in which, buried amid matters purportedly designed to combat climate change, was an anomalous and potentially dangerous provision that suspends a key security measure put in place last May 1 by former President Donald Trump. Biden’s executive order permits China to have full access to the U.S. power grid for 90 days.
Trump’s Executive Order 13920 declared an official national emergency with respect to the nation’s electric grid and prohibited the acquisition or installation of “any bulk-power electric equipment … designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.” In sum, Trump forbade the use of grid equipment that is made in China, Russia, or other hostile nations.
Trump’s order was a common-sense response to real, proven threats. Just last year, the Wall Street Journal reported that the United States seized a Chinese-built transformer because officials believed “its electronics had been secretly given malicious capabilities, possibly allowing a distant adversary to monitor or even disable it on command.” Cybersecurity expert Joseph Weiss reported that officials found “electronics that should not have been part of the transformer — hardware backdoors” that could allow the Chinese to “effectively gain control of the transformers without any network forensics being the wiser.” Weiss also noted that China was first caught trying to hack into a U.S. grid in California as far back as 2001, and that “the Russians have been in our U.S. grids since 2014.”
According to Tommy Waller, director of infrastructure security at the Center for Security Policy, believes the security threat extends far beyond China’s 90-day access to the power grid. “We’re also worried about sensors and actuators and drives that are installed even if they are not connected to the Internet,” he said. “If that hardware installed inside of them is designed at some point to send the wrong readings, it could sabotage the safety and security of that system.”
A December 2018 report report of the President’s National Infrastructure Advisory Council (NIAC) focused on tackling a different kind of catastrophic blackout. In “Surviving a Catastrophic Power Outage,” the council examined the United States’ ability to respond to and recover from an outage “of a magnitude beyond modern experience, exceeding prior events in severity, scale, duration, and consequence.” NIAC was tasked with considering an unprecedented scenario: an outage that extended beyond days and weeks, out to months or even years, while affecting large portions of the country.
“We know how to deal with, what we’ll call ‘extended outages.’ We have lot of experience responding to those, similar to what happened in Puerto Rico with Hurricane Maria,” said Scott Aaronson, vice president of security and preparedness for the Edison Electric Institute, and a member of the report’s advisory group. “The devastation in Puerto Rico following Hurricanes Irma and Maria gave us a glimpse at how a loss of power can cascade into other sectors affecting public health and safety and the economy.”
The report concludes that “existing national plans, response resources, and coordination strategies would be outmatched by a catastrophic power outage,” adding, the “profound risk requires a new national focus.”
According to Aronson, “From a planning perspective, if you’re simply planning for things you already know how to do, that isn’t helpful.”
There has been much debate around the federal response to the disaster on Puerto Rico, and the official death toll — raised from an initially-reported 64 to 2,975 following more study — reflects the difficulties NIAC’s report addresses. A power outage of this length would be devastating and deadly with impacts reverberating far beyond utility poles and wires.
According to the NIAC report “The devastation in Puerto Rico following Hurricanes Irma and Maria gave us a glimpse at how a loss of power can cascade into other sectors affecting public health and safety and the economy.” The report uses the word “cascading” more than two dozen times, highlighting the potential for far-reaching impacts from such an event. And the findings do not inspire confidence.
The U.S. utility sector has been focused on cybersecurity for several years now, as the industry grasped the full extent of the threat it faces — and how unprepared most companies really were.
The effort to get up to speed has progressed on several fronts: The U.S. Department of Energy created the Office of Cybersecurity, Energy Security, and Emergency Response, and is now funding tens of millions of dollars in projects and research. GridEx, a biennial security event hosted by the North American Electric Reliability Corporation’s Electricity Information Sharing and Analysis Center, draws thousands of participants and allows them to run through their cyberattack response protocols. And the Federal Energy Regulatory Commission (FERC) has been strengthening its Critical Infrastructure Protection (CIP) Reliability Standards to respond to more sophisticated threats.
In the face of these enhancements, a recent survey found almost half of power and utility CEOs think a cyber attack on their company is inevitable.
Despite the efforts to secure the grid from a potentially catastrophic shutdown, the threat of a devastating power disruption remains. Biden’s seemingly irrational lifting of the embargo against China, and by extension anyone else that would hope to see the America go down in flames, does nothing to protect the U.S. Instead Biden has opened the door to a cyber attack from any number of countries and terrorist originations that view the national power grid as a prime target.