A cybersecurity activist is suing the electricity industry’s main regulator to uncover what he says is a system that lacks accountability and leaves the electric grid highly vulnerable to cyberattacks.
Michael Mabee is asking a federal court in Washington to reveal the identities of hundreds of electric companies that paid fines for violating cybersecurity rules during the past decade but whose names have never been publicly revealed.
The North American Electric Reliability Corporation, which imposed those fines, has argued that publishing the names could give Russia or another U.S. adversary a roadmap for how to hack into the electric grid and cause major damage. But Mabee and his supporters say withholding the names means there’s little public pressure on the companies to clean up their acts.
“Everybody in the United States is dependent on electricity, but we’re being told by the regulators we don't have a right to know whether our electricity provider is obeying the rules,” Mabee told me. “If there's unsafe food, we all hear don't eat spinach from ABC company … But, when it comes to the electric grid, any company that violates critical infrastructure protection regulations gets their name withheld.”
The suit, which Mabee filed last month, follows years of warnings that Russia is developing hacking tools that could shut down portions of the U.S. electric grid. In an ominous demonstration, Russia also appears to have launched a cyberattack that shut off electricity for tens of thousands of Ukrainians in 2015 — the first known such attack to actually turn the lights off.
A threat assessment from the Office of the Director of National Intelligence this year even warned that “Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.”
But that sense of urgency hasn’t filtered down to local and regional electric companies, which often take a lax attitude to basic cybersecurity protections such as making sure former employees don't retain access to their systems.
“The Chinese and the Russians may very well have malware planted in the U.S. electric grid and they might be able to turn it off,” Mabee told me. “[But] right now we're very unsafe because there's no incentive for these companies to do more than the minimum.”
Secrecy about cybersecurity violations also makes it far harder for state-level regulators or investors to hold electric companies accountable.
“By disclosing the names, you're empowering more stakeholders to help the utility improve its systems,” Tyson Slocum, director of the Public Citizen advocacy group's energy program and a supporter of Mabee’s lawsuit, told me. “Cybersecurity has become an important tool of global warfare between states…so ensuring that utilities have the highest possible cybersecurity standards is important.”
Mabee is a blogger and researcher whose interest in grid security was sparked when he was in Manhattan during the 2003 Northeast blackout. He’s filed about 250 Freedom of Information Act requests seeking the names of utilities responsible for about 1,500 cybersecurity violations since 2010, but has received only a handful of responses. If it's successful, his lawsuit would force the government to answer those FOIAs and to be more transparent about future violations.
In some cases, companies have paid hefty fines for multiple serious violations. Duke Energy, for example, paid a still-not-officially-disclosed $10 million fine to settle 127 violations “of security standards meant to protect the electric grid from catastrophic outages,” E&E News reported earlier this year, citing industry sources.
Mabee’s FOIA requests also uncovered a $2.7 million penalty issued to San Francisco-based Pacific Gas & Electric in 2018 for exposing sensitive grid schematics on the Internet for several weeks.
In both cases, NERC revealed the value of the fines and a rough outline of the offenses, which had already been corrected, but not the name of the violator.
NERC is essentially a nongovernmental body tasked with ensuring that electric utilities follow cyber and physical security rules. The Federal Energy Regulatory Commission, which oversees NERC, released a proposal in August to start revealing the names of violators along with other information that wouldn’t help attackers. However, the new system wouldn’t apply to past violations.
Several groups are also urging more transparency beyond the new proposal, including state-level electricity regulators in New Hampshire and New Mexico and the Reporters Committee for Freedom of the Press.
A FERC spokesman declined to comment on the lawsuit. He also declined comment on the proposal to increase transparency, saying the commission is still reviewing comments from the public.
PINGED, PATCHED, PWNED
PINGED: The FBI is warning that Russia-based apps pose a serious threat and could open the door for foreign influence campaigns targeting the 2020 elections. The assessment comes in response to a letter from Senate Minority Leader Chuck Schumer (D-N.Y.), who called for a national security and privacy review of the risks posed by the Russia-based FaceApp, which uses artificial intelligence to alter photos.
While FaceApp has denied transferring data to Russia, the FBI emphasized that Russia’s intelligence agencies maintain “robust cyber exploitation services” and can remotely access data located on Russian networks.
FaceApp faced scrutiny this summer for requiring users to give up full and irrevocable access to their personal photos and data. The Democratic National Committee issued a warning to campaigns not to use it.
The FBI statement doesn’t mention any other apps by name, but Schumer's response hints at growing concerns about social media apps developed in adversary countries, such as the Chinese-owned TikTok. Schumer and other members of Congress have also called for a threat assessment of TikTok.
“I strongly urge all Americans to consider deleting apps like FaceApp immediately and proceed with extreme caution when downloading apps developed in hostile foreign countries,” Schumer said.
PATCHED: GOP critics are accusing House Speaker Nancy Pelosi (D-Calif.) of “sidelining” election security in favor of impeachment, Maggie Miller at the Hill reports.
That’s despite the fact that the House has passed numerous election security bills this year, including House Democrats’ major proposal, which would deliver $600 million in election security money to states in exchange for security upgrades including paper ballots and post-election audits. Republicans have criticized those bills for being overly partisan.
“Only 337 days remain before the 2020 election and the committee has the important duty of ensuring that states have the resources they need to safeguard this upcoming election,” Reps. Rodney Davis (R-Ill.), the top Republican on the House Administration Committee, and Mark Walker (R-N.C.) and Barry Loudermilk (R-Ga.) wrote in a letter to Pelosi. “This duty should not be pushed to the corner as a result of the time constraints and competing priorities imposed by the impeachment proceedings.”
Davis and other Republicans introduced a competing bill to deliver an additional $380 million to states, but it has lingered along with Democratic bills in the Senate. Democrats have spent months slamming Senate Majority Leader Mitch McConnell (R-Ky.) for refusing to allow votes on the measures.
PWNED: Secretary of State Mike Pompeo is urging European nations to bar the Chinese firms ZTE and Huawei from their next-generation 5G telecommunication infrastructure ahead of discussions between European communications officials about the expansion of 5G in Brussels today.
“With so much on the line, it’s urgent that trustworthy companies build these 21st-century information arteries,” Pompeo wrote in an op-ed in Politico Europe.
The United States has warned that the Chinese government could compel both companies to serve as a backdoor for Chinese spying. Pompeo claimed that Huawei has also “allegedly stolen intellectual property from foreign competitors in Germany, Israel, the United Kingdom and the United States.”
A loophole in Google's Android operating system let hackers trick users into logging into fake banking apps so they could steal users' login credentials, Mark Ward at BBC News reports. The hackers targeted more than 60 financial institutions. Google removed the 36 malicious apps flagged by the Norwegian mobile security firm Promon, but hundreds of other apps could still be vulnerable to the bug, Promon Chief Technology Officer Tom Hansen told Mark.
— Coming up:
- The Senate Committee on Foreign Relations will examine the future of United States policy toward Russia at 9:45 a.m.
- The Senate Commerce Committee will host a hearing titled “Examining Legislative Proposals to Protect Consumer Data Privacy,” on Wednesday at 10 a.m.
- The House Energy and Commerce Committee will host a Federal Communications Commission oversight hearing on Thursday at 10 a.m.
- The Senate Commerce subcommittee on communications, technology, innovation and the Internet will convene a hearing titled “The Evolution of Next-Generation Technologies: Implementing MOBILE NOW” on Thursday at 10 a.m.