House 108-23. September 4 & 23, 2003. Implications of power blackouts for the nation’s cyber-security and critical infrastructure protection. House of Representatives. 246 pages.
THE ELECTRIC GRID, CRITICAL INTERDEPENDENCIES, VULNERABILITIES, AND READINESS
Curt Weldon, Pennsylvania. The greatest threat would be a low-yield nuclear weapon, which we now know that North Korea has and Iran is trying to obtain, and the ability to put it up into the atmosphere, which we know that both Iran and North Korea have, a low-complexity missile; and by detonating that low-yield nuclear weapon off of the coast in the atmosphere The electro-magnetic pulse (EMP) would fry all the electronic components within a given range within the U.S. In fact, our military has tested this type of capability in the past. In testimony before the Armed Services Committee, we have not hardened our systems. Only our ICBM system is hardened, and almost the entirety of our energy complex in America would be vulnerable to any EMP laydown.
I am familiar with Russian nuclear doctrine. Their first attempt at attacking us would be to lay down an EMP burst off of our coast with a nuclear weapon that would not hurt one person, but would fry all of our electronic components, including our electrical grid system. It would shut down America, including our vehicles, which have chips in them that would stop on the roads. Now, we tested this capability in 1962 when we did four tests at the Kwajalein Atoll in the Pacific. We were startled that within 800 miles everything was shut down, streetlights. We stopped cars dead in their tracks, and we fried the major electronic components of our telephone system. We did those tests in 1962. That is not classified. That has been reported in the media, and in fact it was just in a book put out by Dan Verton called ‘‘The Black Ice.’’ In 1999, we in the House held hearings on this phenomenon, not because of 9–11, but because we knew of the implications. Directed energy has become the weapon of choice for the future for nations that want to bring us down or harm us. We are doing research ourselves, and so are other countries on directed energy, let alone the EMP phenomenon.
There is no greater threat to our security and our quality of life than a terrorist using electromagnetic pulse (EMP), and there are now 10 countries that have nuclear capability, and 70 countries with missiles that they could launch off of our coast using low-yield weapons that would not harm one person.
COFER BLACK, Office of the coordinator for counter terrorism, department of stateThe phrase ‘‘critical infrastructure’’ covers many elements of the modern world. To cite a few examples: the computers we use to transfer financial information from New York to Hong Kong and other cities, the air traffic control systems for international and domestic flights and, of course, the electric grid systems. The global critical infrastructure is both a contributor to, and a result of, the interdependence that exists among nations today. Critical infrastructure essentially means all the physical and virtual ties that bind us together, not only as a society but as a world. Terrorists know this, and they see attacking the very bonds that hold us together as one more way to drive us apart.
Christopher Cox, California, Chairman Select committee on Homeland Security. The blackout shutdown over 100 power plants, including 22 nuclear reactors, cutoff power for 50 million people in 8 states and Canada, including much of the Northeast corridor and the core of the American financial network, and showed just how vulnerable our tightly knit network of generators, transmission lines, and other critical infrastructure is.
Cyber attacks are a real and growing threat. The problem of cyber-security is unique in its complexity and in its rapidly evolving character. Cyber attacks are different from physical attacks since they can be launched from anywhere in the world and be routed through numerous intermediate computers. Cyber attacks require a different skill set to detect and counter, and are not limited to the risks posed from Al-Quaida. They include threats posed by those criminals and hackers who are already attacking our infrastructure for their own amusement or using it to steal information and money. As the most information technology-dependent country in history, we remain uniquely vulnerable to cyber attacks that can disrupt our economy or undermine our national security.
The dependence of major infrastructural systems on the continued supply of electrical energy, and of oil and gas, is well recognized. Telecommunications, information technology, and the Internet, as well as food and water supplies, homes and work sites, are dependent on electricity; numerous commercial and transportation facilities are also dependent on natural gas and refined oil products.
Physical or cyber attacks can amplify the impact of physical attacks on this critical infrastructure, and diminish the effectiveness of emergency responses.
- Harlem’s sewage treatment plant shut down without power for its pump.
- Seven oil refineries in the U.S. and Canada temporarily shut down, worsening an already tight gasoline supply situation.
- Many airports were closed because of inoperable systems on the ground. Refueling of aircraft stopped as hydrant systems and fuel farms lacked power.
- Nearly all manufacturers in southeast Michigan ground to a halt with the blackout.
- The 911 emergency systems in New York and Detroit failed during the blackout.
- New York City’s computer-aided dispatch system for its fire department and rescue squad crashed. Water systems in Cleveland and Detroit could not handle the drop in power.
- Ohio Governor Bob Taft declared a state of emergency in Cleveland after all four pumping stations that lift water out of Lake Erie went out and residents were ordered to boil their water for days.
- The beaches were off limits for swimming after a sewage discharge into Lake Erie and the Cuyahoga River sent bacteria levels soaring.
- More than 50 assembly and other plants operated by General Motors Corp., Ford Motor Co., DaimlerChrysler, and Honda Motor Co. were idled by the cascading blackout.
- NOVA Chemicals shutdown plants in Pennsylvania, Ohio, and Ontario, Canada.
- Walmart closed 200 stores in Canada and the United States.
- Marriott International saw 175 of its hotels in the Northeast lose power at the height of the blackout.
- Hundreds of airline flights were cancelled. For many airports throughout the U.S. and Canada, the power failure exposed the risk of fuel supply interruptions from electricity outages, since most hubs in North America are fed by pipeline systems.
- Tightened security measures established after 9–11 could not be maintained as power was not available for baggage screening machines.
- Without railroads to deliver coal, the nation loses 60% of the fuel used to generate electricity.
- Without electricity, fueling stations cannot pump fuel.
- Without diesel, the railroads will eventually stop running.
- When railroads stopped running after 9/11 to guard hazardous materials in only two days the city of Los Angeles was out of chlorine and faced the threat of no drinking water—the railroads began operating again on the third day.
Blackstart of grid – restoring power. Restoring a system from a blackout required a very careful choreography of re-energizing transmission lines from generators that were still online inside the blacked-out area, from systems from outside the blacked-out area, restoring station power to off-line generating units so they could be restarted, synchronizing the generators to the interconnection, and then constantly balancing generation and demand as additional generating units and additional customer demands are restored to service. Many may not realize it takes days to bring nuclear and coal fired power plants back on-line, so restoring power was done with gas-fired plants normally used for peak periods to cover baseload needs normally coal and nuclear-powered. The diversity of our energy systems proved invaluable.
Robert Liscouski, assistant secretary, Infrastructure protection, Department of homeland security. While the national focus was primarily on the blackout and its cause, our teams were hard at work assessing the cascading effects into other sectors. Interdependencies among the sectors were again demonstrated by this event. Seven major petroleum refineries suspended operations, many chemical manufacturing plants were shut down, grocery stores lost perishable inventories, air traffic ceased at several major airports, and emergency services capacity was tested. Web sites were shut down. ATMs did not work in the affected areas and the American Stock Exchange did not operate for a period of time. The effect of the blackout highlighted what we already knew at the department. If one infrastructure is affected, many other infrastructures are likely to be impacted as well. Indeed, all the critical infrastructure sectors were affected by this event. Understanding the vulnerabilities and interdependencies associated with cascading events is an area of great importance to the department.
Jim Turner, Texas. This incident demonstrated that there are literally hundreds of thousands of potential targets that terrorists could choose to strike. These include power systems, chemical and nuclear plants, commercial transportation and mass transit, skyscrapers, and sports and concert venues. In addition to physical assets, we also need to protect cyber assets. Recent computer disruptions have had unexpected consequences on nuclear plants and other utilities. Eighty-five percent of our critical infrastructure assets are privately owned. We must, therefore, work in partnership with the private sector to improve our national security. But we can’t rely too heavily on voluntary private action. Companies seeking to maximize profits simply are unlikely to have the economic incentives to voluntarily make the investments necessary to raise security levels to where they need to be. In the absence of sufficient action by critical infrastructure owners, we have a duty to take the initiative to protect the American people.
Paul H. Gilbert. Gilbert us a member of the National Academy of Engineering and was Chair of the National Research Council Panel responsible for the Chapter on Energy Systems for the NRC Branscomb-Klausner Report, Making the Nation Safer: The Role of Science and Technology in Countering Terrorism
Over the past decade our electric supply system has been tasked to carry ever-increasing loads. It has also undergone a makeover from being a highly regulated, vertically integrated utility to one that is partially deregulated, far less unified, not as robust and resilient as it was. The generation side is essentially deregulated and operating under an open market set of conditions. At the same time the transmission sector remains fully regulated, but under voluntary compliance reliability rules, resulting in diminished investments in maintenance and spare parts and lower reliability. Another concern is that in seeking to reduce operating costs, the operating companies have installed automated cyber-controllers, or SCADA systems, to perform functions that people previously performed. These open architecture cyber units are an invitation for those who would seek to use computer technology to attack the grid.
The in-place electrical utility assets today are typically being operated at close to the limit of available capacity. In this mode another characteristic of such complex systems appears. When operated near their capacity, these systems are fragile, having little reserve within which to handle power or load fluctuations.
When load and capacity are out of balance, shutting down becomes the only way a system element has to protect itself from severe damage. However, the loss of a piece of the grid, let us say a transmission line, does not end the problem. A line down takes down with it the power that it was transmitting. The connected power plant that was producing that power, having no connected load, must also shut down. In these highly integrated grids, more lines have imbalance problems, and more plants sense the capacity limitations and they all shut down. The cascading effect spreads rapidly in many directions, and in seconds an entire sector of the North American grid can be down. And this is what we experienced a few weeks ago from an accident.
The exact same consequences could, however, too easily be produced by a terrorist attack from a small, trained team. This was the scenario assumed in the Making the Nation Safer report, where several critical nodes in the grid were taken out in a well planned and executed terrorist attack. The cascading system failures resulted in region-wide catastrophic consequences.
Recovery was estimated to take weeks or months, not hours or days.
Now, while the report does not speculate in any detail on the extended consequences of such an event. I have been asked to do so here, and so I offer the following as a personal opinion. Based on the critical infrastructure, and because that critical infrastructure is so extensively integrated, with power out beyond a day or two in our cities, both food and water supplies would soon fail.
Transportation systems would come to a standstill. Waste water could not be pumped. And so we would soon have public health problems. Natural gas pressure would decline, and some would lose gas altogether, very bad news in the winter. Nights would become very dark with no lighting, and communications would be spotty or nonexistent. Storage batteries would have been long gone from the stores, if any stores were still open. Work, jobs, employment, business and economic activity would be stopped. Our economy would take a major hit. All in all our cities would not be very nice places to be. Some local power generators such as at hospitals would get back up, and so there would be islands of light in the darkness. Haves and have-nots would get involved. It would not be a very safe place to be either. Martial law would likely follow, along with emergency food and water supply relief. At our core we would rally and find ways to get by while the systems are being repaired. In time the power would start to come back, tentatively at first, with rolling blackouts, and then in all its glory.
Several weeks to months would have passed, and the enormous recovery and clean-up would begin. This is simply one person’s view, but based upon a fairly in-depth understanding of the critical interdependency of our infrastructure.
Our basic infrastructure systems include our electric power, food, and water supplies, waste disposal, natural gas, communications, transportation, petroleum products, shelter, employment, medical support and emergency services, and facilities to meet all our basic needs. These are a highly integrated, mutually dependent, heavily utilized mix of components that provide us with vitally needed services and life support. While all these elements are essential to our economy and our well-being, only one has the unique impact, if lost, of causing all the others to either be seriously degraded or completely lost. And that, of course, is electric power. Our technically advanced society is literally hard wired to a firm, reliable electric supply.
KENNETH C. WATSON. President & Chairman of the Partnership for Critical Infrastructure Security (PCIS), currently the manager of Cisco Systems’ involvement in critical infrastructure
- We all depend on telecommunications—in fact, when recently asked to list their dependence on other sectors, the sector coordinators rated telecommunications as first or second on their list.
- Nearly equal to telecommunications was electric power. Without electricity, there is no ‘‘e’’ in e-commerce.
- However, without railroads to deliver coal, the nation loses 60% of the fuel used to generate electricity.
- Without diesel, the railroads will stop running.
- Without water, there is no firefighting, drinking water, or cracking towers to refine petroleum.
- Without financial services, transactions enabling all these commodity services cannot be cleared.
These are not just one-way dependencies. When the railroads stopped running after 9/11 to guard hazardous material, it only took the city of Los Angeles two days to demand chlorine or face the threat of no drinking water—the railroads began operating again on the third day. Throughout the Northeast, dependencies on electric power were obvious. Some areas had electric water pumps, and they had to boil their drinking water for days after the blackout.
All of our critical infrastructures are interlinked in complex, sometimes little-understood ways. Some dependencies are surprising, contributing to unusual key asset lists.
DENISE SWINK, ACTING DIRECTOR, OFFICE OF ENERGY ASSURANCE, DEPARTMENT OF ENERGY
As you know, our energy infrastructure is vast, complex and highly interconnected. It includes power plants, electric transmission and distribution lines, oil and gas production sites, pipelines, storage and port facilities, information and control systems and other assets. Many of these entities own, operate, supply, build or oversee their infrastructure. The private sector owns about 85% of these assets and a host of federal and state agencies regulate energy generation, transport, transmission and use.
We maintain collaborative relationships with [many entities]:
- We work closely with the Department of Homeland Security (DHS), which leads, integrates, and coordinates critical infrastructure protection activities across the federal government.
- To aid this effort, Department of Energy & DHS are working on a plan for collaboration and responsibilities (i.e. critical infrastructure protection of physical and cyber assets, science and technology, and emergency response).
- We are also beginning to work with the Coast Guard
- With Federal Emergency Management Agency (FEMA),
- Representatives of the Defense Intelligence Agency,
- The National Institute of Standards and Technology to consider options for developing a collaborative National SCADA Program.
- We work closely with the Department of Transportation’s Office of Pipeline Safety
- We coordinate with the Environmental Protection Agency (EPA) to avoid redundant efforts with petrochemical facilities.
- We partnered with the Federal Energy Regulatory Commission (FERC)),
- state regulators,
- and industry to assess the implications of a loss of natural gas supply in some regions of the country.
- DOE’s new Office of Electric Transmission and Distribution on issues related to the electric grid
- The Office of Security to improve the operations of DOE’s Emergency Operation Center.
- The Office of Energy Efficiency and Renewable Energy’s regional offices to support our meetings with state energy offices;
- The Office of Fossil Energy on new technologies to harden oil and gas pipelines;
- The Office of Science on visualization techniques through their Advanced Scientific Computing Research Program;
- The Office of Independent Oversight and Performance Assurance on cyber security protection.
Collaboration with the PRIVATE SECTOR is critical :
- American Petroleum Institute (API),
- American Gas Association (AGA),
- Interstate Natural Gas Association of America (INGAA),
- Gas Technology Institute (GTI),
- National Propane Gas Association (NPRA),
- Edison Electric Institute (EEl),
- Electric Power Research Institute (EPRI),
- National Rural Electric Cooperative Association (NRECA),
- American Public Power Association (APPA),
- North American Electric Reliability Council (NERC).
Collaboration with STATES
- National Association of State Energy Officials (NASEO),
- National Governors Association (NGA),
- National Association of Regulatory Utility Commissioners (NARUC),
- National Conference of State Legislatures (NCSL)
Colonel Michael C. McDaniel. Assistant Adjutant General for Homeland Security for the Michigan National Guard, Homeland Security Advisor to Michigan’s Governor, Jennifer M Granholm.
On Thursday, August 14, 2003, at 4:15 p.m., a massive power outage struck the Niagara-Mohawk power grid in the Northeast US and Ontario causing blackouts from New York to Michigan. Within minutes, much of southeast and mid-Michigan was without power, with 60% of Michigan’s population, over 2.2 million households, affected by the outage
The State of Michigan and local governments spent $20.4 million on emergency measures to save lives, protect public health, and prevent damage to public and private property.
The Emergency Management Division of the Michigan State Police began to immediately monitor conditions around the state, including the state’s nuclear power plants.
Within minutes, the state’s Emergency Operations Center (EOC) was formally activated, and state agencies began to monitor state and national conditions.
Some of the major complications from the blackout:
- Gas stations were unable to supply peoples’ needs for their cars and portable generators, as without electricity the pumps were inoperable
- The Detroit Board of Water and Sewers, oversight board of the nation’s second largest water system, reported that its system was not functioning correctly. It issued a boiled water advisory for its entire service area.
- There was no system to notify all of the customers of the boiled water advisory, as notification was dependent on the public media. It became clear, on the morning of August 15, that the largest problem was the lack of potable water. Public and private entities delivered hundreds of thousands of gallons of water to those affected sites, but a boiled water advisory was not lifted until Monday, August 18.
- Widespread traffic signals not functioning and limited telephone communications.
- Marathon Refinery, Michigan’s largest refining facility, lost power and had to shut down. One unit did not shut down properly and began venting partially processed hydrocarbons. Because of the tank’s location, the city of Melvindale (with the assistance of the Michigan State Police) decided to evacuate 30,000 residents and shut down Interstate 75 for several hours until the situation was controlled. The Marathon Refinery was inoperable as a result of the loss of electricity and water, and out of production for approximately 10 days.
- The auto industry shut down operations for three days.
- A lot of first responders were relying upon cell phones that did not have an adequate radio system, and a number of cell towers did not have backup systems that worked.
- Radio and television stations reported broadcasting difficulties, with several small stations not operating at all.
- Many facilities lacked sufficient alternative energy sources. Portable generators were needed at hospitals and other public facilities, including the state mental institution.
- The Fermi II nuclear plant in Monroe County was shut down as a precaution. It returned to full power production and was reconnected to the power grid late a week later on August 21
- The Ambassador Bridge in Detroit, the busiest commercial landport in the United States with 16,000 tractor-trailers crossing daily, was also affected.
- Canadian customs lost their computer datalink, and their ability to verify trucking manifests electronically. As a result they were forced to visually and manually inspect the manifests and, if warranted, the freight itself. This resulted in an approximately four-mile backup of traffic for almost 24 hours on the U.S. side.
- Many computer systems were not functioning, including the Law Enforcement Information Network (LEIN).
- The Michigan State Police positioned 50 state troopers on stand-by for mobilization, if needed to maintain order in blackout areas . The Michigan National Guard also had troopers ready on stand-by.
- Metropolitan Detroit Airport was closed and all flights canceled until midnight on August 14.
- A number of public water issues arose from the blackout. Generators need an automatic activation switches and shouldn’t rely on telephone lines
- Almost every type of critical infrastructure that should have a generator did have some sort of generator. But no one had not tested those generators under load, so we had a lot of generators that just didn’t work. They might have fired them up before, but they never tested them under a load and actually had them producing electricity. When they did work, they ran out of fuel. We were starting to get calls from both hospitals and some of the utilities wanting to know if we could help them find kerosene diesel for their generators.
- A lot of people did not have old-fashioned phones. Everybody’s phone is portable, a hand-held device which requires electricity these days, or a cell device, and not all of those towers worked. So there were a number of instances where the communication systems were more reliant on electricity than we believed that they would be. Again, even those radio and TV stations that had generators, the generators didn’t work because they had never been tested. So they weren’t ready to work under load. They weren’t the right capacity generator. And then the other problem, as I said, was 24 hours later they were staring to run out of power. Both TV and radio, as well as the telephone companies, were calling as well.
- This was a very hot day in the summer where the usage on the Detroit water system was almost a billion gallons a day. The system, even after it came back up on generators, could only handle about 400 million gallons per day. If we had had a method, if we had some sort of warning that this was going to happen, and could have gotten out to decrease your electricity, decrease your water use ahead of time, it probably would have made it easier for the system to come back on.
The NIAC Interdependency and Risk Assessment Working Group submitted its final report to NIAC members October 14, 2003. That report included results of a survey of Sector Coordinators and key infrastructure owners and operators regarding their top dependencies. Respondents were asked to list the top three sectors on which they depend, and the top three sectors that depend on them. In terms of short-term dependencies, the overall top three were 1) telecommunications and IT, 2) electricity, and 3) transportation. However, adding long-term impacts broadens the list of critical dependencies. Without financial services, business comes to a grinding halt in a matter of days. Without safe food, clean drinking water, and available health care, public health also reaches a crisis in days. Without emergency police, fire, and medical services, the ability to respond and contain emergencies is severely impacted. Long-term impacts of transportation failures are far more severe than the short term.
Without consideration for what vulnerability analysis is underway and what protective measures are in place, the following sectors present the highest potential risk to national security: Energy Information and Communications Banking and Finance Transportation Postal and Shipping This priority scheme is based on (a) the ease at which problems propagate within the sector, (b) the extent of other sectors’ dependencies on it, and (c) the potential impact of a sector’s loss of crucial functionality.
CHRISTOPHER COX, CALIFORNIA, AND CHAIRMAN, SELECT COMMITTEE ON HOMELAND SECURITY
As a group, the critical infrastructure sectors are backbone services for our nation’s economic engine and produced approximately 31% of the Gross Domestic Product (GDP) in the year 2000. The blackout rippled through the economy. The examples are endless, and experience shows us that the blackout is not alone in its capacity to disrupt the economy. The information super highway of the Internet has become a fast lane for computer viruses. A computer virus launched one morning can infect computers around the world in one day. The Slammer virus, launched in January of this year, reportedly infected 100,000 computers in its first ten minutes alone. Because of the SoBig computer virus, some rail routes of CSX were recently shut down on August 20, until a manual backup system started the trains running again.
We know that terrorists have assessed the possibility of attacking our nuclear power plants and our transportation system. Al-Qaida computers seized in Afghanistan in 2001 had logged on to sites offering that offer software and programming instructions for the distributed control systems (DCS) and Supervisory- control and Data-acquisition (SCADA) systems that run power, water, transport and communications grids. All critical infrastructure industries are becoming increasingly dependent on information management and internal telecommunications systems to control and maintain their operations. The U.S. Dept. of Commerce’s National Telecommunications & Information Administration (NTIA) published a study in January 2002 that detailed the myriad of uses the internal wireless communications systems to meet essential operational, management and control functions including two-way emergency restoration and field communications, monitoring power transmission lines and oil and natural gas pipeline functions to instantaneously respond to downed transmission lines or changes in pipeline pressure; sending commands to various remote control switches; inspecting 230,000 miles of rail track; managing wastewater, processing drinking water, and protective relaying. SCADA systems could be attacked simply by overloading a system that, upon failure, causes other systems operations to malfunction as well.
While there is some debate about the ability of a terrorist to successfully launch a cyber attack against a SCADA system, there are several examples of people or groups who have tried. In March 2000 a disgruntled former municipal employee used the Internet, a wireless radio and stolen control software to release up to 1 million liters of sewage into the river and coastal waters of Queensland, Australia. Similarly, NERC reports that over the past two years, there have been a number of ‘‘cyber incidents that have or could have directly impacted the reliable operation of the bulk electric system,’’ including: • In January 2003, When the SQL/Slammer worm caused an electric utility company to lose control of their SCADA system for several hours, forcing the company operations staff to resort to manual operation of their transmission and generation assets until control could be restored. • In September 2001, the Nimda worm compromised the SCADA system of an electric utility, and then propagated itself to the internal project network of a major SCADA vendor via the vendor’s support communications circuit, devastating the vendor’s internal network and launching further attacks against the SCADA networks of the vendor’s other customers. More telling, perhaps, is a report issued in May 2002 by the Defense Department’s Critical Infrastructure Assurance Program (CIAP) claiming that there was evidence of a coordinated cyber reconnaissance effort directed against the critical assets of at least two electric utilities participating in the Defense Department sponsored program. The report revealed that the probing appeared to come from the People’s Republic of China, Hong Kong, and South Korea, with each probe building upon information previously garnered. The blackout is yet another wake-up call to our nation. It demonstrated the fragility of our electric transmission system, and reminds us of the interdependent nature of our infrastructure. Clearly, we need to encourage private industry and government to raise the standards of cyber security, and to further enhance our infrastructure security against attack.
KENNETH C. WATSON.
Some rudimentary research has been done on interdependencies, but it has only been sufficient to illuminate how important this type of modeling and analysis could be. Sandia and other national labs have initiated interdependency studies, looking at intersections with the energy sector. The National Security Telecommunications Advisory Committee (NSTAC) has done similar work, addressing intersections between telecommunications and other sectors. The National Infrastructure Advisory Council (NIAC) has a current effort to develop policy recommendations on interdependency risk assessments. The sector coordinators are involved in that study, which will become available after delivery to the President in the October timeframe. The PCIS is coordinating with this NIAC working group to ensure that the handbook we develop is in harmony with NIAC policy recommendations.
Network owners already know their key assets and critical nodes—what they don’t know is whether their key assets and critical nodes are in the same geographic vicinity as their competitors’ nodes, or whether underlying or supporting infrastructure is in fact, truly diverse. In highly competitive sectors, such as telecommunications or finance, it would not be unusual to find that each of the major providers has intended to buy diversity and redundancy from numerous entities, only to find that all these entities use the same underground conduit for transport that goes through the same underground tunnel, and they are powered by the same power generation plant. The NSTAC has studied the implications of these types of cross-sector dependencies and has developed a number of programs that the telecommunications sector uses to mitigate these risks. It is time, however to take it to the next level, covering all cross-sector and multisector interdependencies.
One of the challenges will be that much of the data required may be proprietary. To date, the NISAC has centered its modeling efforts on the energy sector. To understand the complexity of this modeling problem, consider the NISAC model of the energy sector as a baseline, and apply it as a level of magnitude to the telecommunications sector. While we do not know the precise amounts, it is our understanding that the current electrical sector modeling cost about $30–40 million to develop and was done over the course of 3 to 8 years. If you assume that the level of detail developed within the electrical sector model is appropriate (and we do not know that to be the case) and simply multiply this $30–40 million times the number of facilities-based networks that comprise the telecommunications sector, then you would conservatively multiply this estimate by a factor of 9 networks (5 wireless + 1 wireline + 2 IXC + 1 paging), resulting in a baseline model for telecommunications in the $270–$360 million range. Even if all $200 million was dedicated to telecommunications modeling, it would take 1 to 2 years of currently allocated funding, and an even longer actual modeling effort, to model telecommunications alone. Multiply that by 12 sectors, and then you can start on the cross-sector interdependency modeling.
I am not sure you can point to a single weak link. Over the last 20 years, all of the infrastructures have become more and more dependent on networks, and they have become more and more interconnected. I think the key that we need to study in research and modeling and exercises is interdependency. Each of the sectors is dependent on each of the others and sometimes we don’t even know what these dependencies are without modeling and exercises.
PETER R. ORSZAG1, PH.D., JOSEPH A. PECHMAN SENIOR FELLOW IN ECONOMIC STUDIES, THE BROOKINGS INSTITUTION
The blackout of 2003 has underscored concerns about the vulnerability of our nation’s critical infrastructure to both accidents and deliberate attack, providing an immediate connection to the nation’s homeland security efforts. But the blackout may offer a deeper lesson beyond the vulnerability of the nation’s electricity grid to terrorist attack. In particular, a common explanation for the problems facing the electricity system is that private firms have had inadequate incentives to invest in distribution lines.
The important point is that market incentives are extremely powerful. For that very reason, however, it is essential that they be structured properly. As Patrick Wood, chairman of the Federal Energy Regulatory Commission, has put it: ‘‘We cannot simply let markets work. We must make markets work.’’
Let me give you an example that I think is particularly timely, involving chemical facilities. Let’s say that you have a chemical facility. It is worth a billion dollars. It houses chemicals. There are 123 chemical facilities in the United States that contain chemicals that could injure or kill more than a million people. The value of a million lives can easily exceed, well exceed a billion dollars. You may well have some incentive to make sure that there is some level of security to ensure that your plant is not intruded upon and those chemicals are not dispersed and harm people. But it is not adequate because your financial loss is much smaller than society’s loss that would occur if a successful attack did unfortunately take place. And that kind of example occurs, you know, in a wide array of settings. And I—in my written testimony I provide lots of other types of examples, but I think that might be a particularly timely and compelling one, where any time that private financial losses that you suffer are vastly smaller than the losses that we as a society would suffer, you don’t have enough incentive, bottom line.
In homeland security, private markets do not automatically produce the best result.
We must therefore alter the structure of incentives so that market forces are directed toward reducing the costs of providing a given level of security for the nation, instead of providing a lower level of security than is warranted. Given the significance of the private sector in homeland security settings, structuring incentives properly is critical. To be sure, private firms currently have some incentive to avoid the direct financial losses associated with a terrorist attack on their facilities or operations. In general, however, that incentive is not compelling enough to encourage the appropriate level of security—and should therefore be supplemented with stronger market-based incentives in several sectors. My testimony argues that: • Private markets, by themselves, do not provide adequate incentives to invest in homeland security, and • A mixed system of minimum regulatory standards, insurance, and third-party inspections would better harness the power of private markets to invest in homeland security in a cost-effective manner. Incentives for homeland security in private markets
Private markets by themselves do not generate sufficient incentives for homeland security for seven reasons: • Most broadly, a significant terrorist attack undermines the nation’s sovereignty, just as an invasion of the nation’s territory by enemy armed forces would. The costs associated with a reduction in the nation’s sovereignty or standing in the world may be difficult to quantify, but are nonetheless real. In other words, the costs of the terrorist attack extend well beyond the immediate areas and people affected; the attack imposes costs on the entire nation. In the terminology of economists, such an attack imposes a ‘‘negative externality.’’ The presence of this negative externality means that private markets will undertake less investment in security than would be socially desirable: Individuals or firms deciding how best to protect themselves against terrorism are unlikely to take the external costs of an attack fully into account, and therefore will generally provide an inefficiently low level of security against terrorism on their own.3 Without government involvement, private markets will thus typically under-invest in anti-terrorism measures.4 • Second, a more specific negative externality exists with regard to inputs into terrorist activity. For example, loose security at a chemical facility can provide terrorists with the materials they need for an attack. Similarly, poor security at a biological laboratory can provide terrorists with access to dangerous pathogens. The costs of allowing terrorists to obtain access to such materials are generally not borne by the facilities themselves:
the attacks that use the materials could occur elsewhere. Such a specific negative externality provides a compelling rationale for government intervention to protect highly explosive materials, chemicals, and biological pathogens even if they are stored in private facilities. In particular, preventing access to such materials is likely to reduce the overall risk of catastrophic terrorism, as opposed to merely displacing it from one venue to another. • Third, a related type of externality involves ‘‘contamination effects.’’ Contamination effects arise when a catastrophic risk faced by one firm is determined in part by the behavior of others, and the behavior of these others affects the incentives of the first firm to reduce its exposure to the risk. Such interdependent security problems can arise, for example, in network settings. The problem in these settings is that the risk to any member of a network depends not only on its own security precautions but also on those taken by others. Poor security at one establishment can affect security at others. The result can often be weakened incentives for security precautions.5 For example, once a hacker or virus reaches one computer on a network, the remaining computers can more easily be contaminated. This possibility reduces the incentive for any individual computer operator to protect against outside hackers. Even stringent cyber-security may not be particularly helpful if a hacker has already entered the network through a ‘‘weak link.’’ • A fourth potential motivation for government intervention involves information—in particular, the cost and difficulty of accurately evaluating security measures. For example, one reason that governments promulgate building codes is that it would be too difficult for each individual entering a building to evaluate its structural soundness. Since it would also be difficult for the individual to evaluate how well the building’s air intake system could filter out potential bio-terrorist attacks, the same logic would suggest that the government should set minimum anti-terrorism standards for buildings.
It is also possible, at least in theory, for private firms to invest too much in anti-terrorism security. In particular, visible security measures (such as more uniformed guards) undertaken by one firm may merely displace terrorist attacks onto other firms, without significantly affecting the overall probability of an attack. In such a scenario, the total security precautions undertaken can escalate beyond the socially desirable levels—and government intervention could theoretically improve matters by placing limits on how much security firms would undertake.
Unobservable security precautions (which are difficult for potential terrorists to detect), on the other hand, do not displace vulnerabilities from one firm to another and can at least theoretically reduce the overall level of terrorism activity. For an interesting application of these ideas to the Lojack automobile security system, see Ian Ayres and Steven Levitt, ‘‘Measuring Positive Externalities from Unobservable Victim Precaution: An Empirical Analysis of Lojack,’’ Quarterly Journal of Economics, Vol. 108, no. 1 (February 1998). For further analysis of evaluating public policy in the presence of externalities, see Peter Orszag and Joseph Stiglitz, ‘‘Optimal Fire Departments: Evaluating Public Policy in the Face of Externalities,’’ Brookings Institution Working Paper, January 2002.
It would be possible, but inefficient, for each individual to conduct extensive biological anti-terrorism safety tests on the food that he or she was about to consume. The information costs associated with that type of system, however, make it much less attractive than a system of government regulation of food safety. • The fifth justification for government intervention is that corporate and individual financial exposures to the losses from a major terrorist attack are inherently limited by the bankruptcy laws. For example, assume that there are two types of possible terrorist attacks on a specific firm: A very severe attack and a somewhat more modest one. Under either type of attack, the losses imposed would exceed the firm’s net assets, and the firm would declare bankruptcy—and therefore the extent of the losses beyond that which would bankrupt the firm would be irrelevant to the firm’s owners. Since the outcome for the firm’s owners would not depend on the severity of the attack, the firm would have little or no incentive to reduce the likelihood of the more severe version of the attack even if the required preventive steps were relatively inexpensive. From society’s perspective, however, such security measures may be beneficial—and government intervention can therefore be justified to address catastrophic possibilities in the presence of the bankruptcy laws. • The sixth justification for government intervention is that the private sector may expect the government to bail it out should a terrorist attack occur. The financial assistance to the airline industry provided by the government following the September 11th attacks provides just one example of such bailouts. Such expectations create a ‘‘moral hazard’’ problem: private firms, expecting the government to bail them out should an attack occur, do not undertake as much security as they otherwise would. If the government cannot credibly convince the private sector that no bailouts will occur after an attack, it may have to intervene before an attack to offset the adverse incentives created by the expectation of a bailout. • The final justification for government intervention involves incomplete markets. The most relevant examples involve imperfections in capital and insurance markets. For example, if insurance firms are unable to obtain reinsurance coverage for terrorism risks (that is, if primary insurers are not able to transfer some of the risk from terrorism costs to other insurance firms in the reinsurance market), some government involvement may be warranted. In addition, certain types of activities may require large-scale coordination, which may be possible but difficult to achieve without governmental intervention.
Both the need for government intervention and the potential costs associated with it thus vary from sector to sector, as should the policy response. Government intervention will generally only be warranted in situations in which a terrorist attack could have catastrophic consequences. Nonetheless, the general conclusion is that we can’t just ‘‘leave it up to the market’’ in protecting ourselves against terrorist attacks.
SHEILA JACKSON-LEE, TEXAS: An illustration of the disjunct in our infra and super-structure is the television broadcast of the tens of thousands of New Yorkers who had to walk across the Brooklyn Bridge to end their workday. This is vulnerability. Thousands of riders of underground mass transit systems trapped in cars, frugal in their consumption of oxygen and hopeful that their rescue team was near equates to vulnerability. Because we cannot cast blame for this occurrence on a terrorist group means that we are vulnerable to ourselves first and foremost. The Administration must increase our awareness of the status of the areas that are most open to corruption.