Much of the US’s critical infrastructure, from water to energy supplies, is maintained by private companies and the federal government must encourage or compel these companies to take measures to prevent cyber-attacks. In new research in the wake of recent high-profile cyber-attacks against critical infrastructure providers in the US, Jeanne Sheehan examines how seriously some of these providers are taking cybersecurity. Through an analysis of company information filings, she finds that instead of cyber security, these companies are much more focused on operational and financial risks.

On April 4^th the US Cybersecurity & Infrastructure Security Agency (CISA) released a 447-page draft of rules – several years in the making – which detail how critical infrastructure companies should report cyber-attacks to the US government. The draft, which recently opened for public comment, marks the first time the federal government has proposed rules aimed at protecting this critical part of the nation’s infrastructure.

Under the rules, companies that own and operate critical infrastructure will need to report significant cyberattacks within 72 hours and ransom payments within 24 hours. Companies have pushed back arguing that they are already subject to reporting requirements from various federal agencies and state data-breach laws.

Despite these objections, my recent research details why regulation of this kind is necessary, particularly when it comes to the many private companies that own and operate critical infrastructure in the US.

The new rules are a response to recent high-profile cyber attacks

CISA developed the rules after President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) into law in 2022. Its passage followed a series of high-profile cyber-attacks. This includes the attack on the Colonial Pipeline in May 2021, which sparked fears of a gas shortage and led to a spike in prices; as well as the equally destabilizing ransomware attack the same year on JBS Foods, one of the nation’s largest meat suppliers.

In the two years since the law was passed, these types of threats have only intensified. As author Gordon Chang wrote late last year, “terrifying attacks on critical infrastructure have arrived [and] America is not ready.”

In late March, for instance, the White House and Environmental Protection Agency [EPA] released a letter warning of “disabling cyber-attacks” that could “disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.” The letter, co-signed by National Security Advisor [NSA] Jake Sullivan and EPA Administrator, Michael Regan, warned of “two recent and ongoing” threats associated with China and Iran and came just after attacks on water systems in Pennsylvania and Texas.

A few weeks earlier the heads of cybersecurity agencies from five nations released a joint advisory warning that actors supported by China “are seeking to preposition themselves on IT networks for disruptive or destructive cyberattacks against US critical infrastructure in the event of a major crisis or conflict with the United States.”

In the wake of the 2021 attacks, some industry insiders expressed hope that they would serve as a “wake up call” to the critical infrastructure industry and help ensure that they were “not just giving lip service to these issues.”

Have recent cyberattacks been a wake-up call for the critical infrastructure industry?

To determine if the attacks had the desired effect, I examined the Risk (1A) sections of the 10K filings from 2021(10K filings require public companies to disclose important information) of a sample of the nation’s largest electrical companies.

Photo by Philipp Katzenberger on Unsplash

The electrical segment was chosen because it is part of the “uniquely critical” energy sector. The US government defines 16 infrastructure sectors as “critical” because their “assets, systems, and networks” are “so vital to the United States that their incapacitation or destruction would have a debilitating effect” on the nation’s security, economy, health, and safety.

What differentiates ‘uniquely critical’ sectors – such as Energy – from the others, is that they enable most of the other critical sectors. For example, if power were disrupted for a long period of time, it could have a cascading impact because all the critical systems would be negatively impacted. This helps explain why the three segments that make up the Energy sector – electricity, oil, and natural gas – are targeted so often.

My study used qualitative data analysis and visualization to study the Risk (1A) sections of 10K filings of a sample of US electrical companies to determine where they rank the threat of cyber-attacks and how it compares to the other types of risks they face. I found that of nearly 5,400 terms used across these filings, the top ten terms were: operations, financial, costs, energy, results, including, utility, business, facilities, and gas.

Figure 1 – 10K filing terms

Notably absent were any terms associated with cyber threats, attacks, or ransomware. In fact, ‘cyber’ is the only term to crack the top 450, coming in at 178 with 98 mentions across the aggregated filings. This was followed much later by ‘cybersecurity’ (and its variant, ‘cyber-security’) which are used 44 times (ranking 472 and 3581 respectively).

Much further down the list are ‘Cyberattacks’ (and its variants ‘cyber-attacks’ and ‘cyberattack’) which are used 19 times. While ransomware attacks on utilities have become common place, as it pertains to risks faced by these electric companies, it was mentioned only four times across all filings making it 2351 on the list. Likewise, the word ‘cybercrime’ was used only twice.

Table 1 – Ranking and frequency of cyber attack related terms in 10K filings

If cyber threats and ransomware attacks are such a threat and if the electrical sector is both uniquely vulnerable and critical, one would hardly know it based on a reading of these risk filings. Instead of cyber and ransomware, these companies are much more focused on things like operational and financial risk.

When asked in 2015 what would happen if the electric grid went down for a sustained period, former CIA Director James Woolsey told the US Senate Committee on Homeland Security and Governmental Affairs that within a year between two thirds and 90 percent of the US population would die; “total devastation.”

Woolsey made these comments during public several a few years before the submission of the 10K filings I examined. How is it then, despite these types of dire warnings and the widely publicized attacks on firms like Colonial, JBS, and others, that the threat of cyber-crime doesn’t rank anywhere near the top of the risks faced by the companies which own and operate our nation’s electrical infrastructure?

There are several possible explanations. One is that 10-K filings are viewed as a place to focus on financial as opposed to other types of risk. Another is that the recent growth in cyber liability insurance has diminished the amount of risk organizations are likely to sustain as the result of an attack.

A third explanation pertains to how risk is assessed and mitigated within organizations generally; and how this process can result in differing prioritizations of risk, particularly when it comes to the public versus private sectors. And it is this explanation which underscores the need for robust governmental regulation in this area.

How to assess and prioritize cyber risk

One rule of risk mitigation is that no organization can protect itself against all potential risks. As a result, prioritization is key. In risk mitigation, it is often said, trade-offs are part of the ‘game.’ Companies must choose where and how to spend limited resources and one way to do that is to focus on the protection of what they value most, particularly if it is highly vulnerable.

Former US Secretary of State Condoleezza Rice and the Hoover Institution’s Amy B. Zegart provide a basic framework (Table 2) which helps depict how this type of assessment might look in practice. Once an organization has identified the assets (tangible, intangible, etc.) that they value most and which are most vulnerable, they are advised to target their limited resources towards the protection of those that fall into the those ‘assets’ in the lower right-hand quadrant (i.e. ‘top priority’).

Table 2 – Vulnerability and value framework

If we completed the asset and vulnerability quadrant for the types of private electrical companies I studied (i.e., Connecticut Light & Power, Dominion Energy, Edison Intl/Southern Cal Edison, PG&E, Tennessee Valley Authority, etc.) we would find that what ends up in their ‘top priority’ quadrant is very different than if they were owned and operated by the government.

In a system where so much of the infrastructure is owned and/or operated by private companies, the onus is on the government – for whom cyber-risk is in the ‘top priority’ quadrant – to ensure that this assessment of this risk is ‘shared’ by the organizations they allow to operate our infrastructure. The primary way to do this is via a stick, such as a vigorous regulatory scheme.

Whether the rules CISA recently proposed will meet its desired goals is debatable. What is not, is that when private companies operate critical infrastructure and that infrastructure is under threat, the government cannot assume its assessment of risk is shared. It must instead use its power to regulate to ensure that protection of critical infrastructure becomes a top priority of those who operate it. 

• This article is based on the chapter, ‘Beyond lip-service: Content clouds, 10-K filings, cyber risk and the electric grid’ in Socio-Political Risk Management Volume IV.
• Please read our comments policy before commenting.
• Note: This article gives the views of the author, and not the position of USAPP – American Politics and Policy, nor of the London School of Economics. 
• Shortened URL for this post: https://wp.me/p3I2YF-dKN