State Commissions Need to Develop Cybersecurity Expertise, NARUC Panelists Say
PORTLAND, Ore. -- State commissions need to get involved in the growing cybersecurity problem, said panelists at a midyear meeting of state utilities regulators, although they also said sometimes the best way for regulators to get involved is to regulate at a minimum.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
"As regulators we need to educate ourselves and we need to have staff that is educated on cybersecurity,” said Missouri Commissioner Terry Jarrett Tuesday afternoon. “We need to engage our utilities. We need to ask good questions.” State regulators have to exercise “flexibility,” said AT&T Assistant Vice President-Public Policy Chris Boyer. Regulations should be kept minimal because “the threats are always moving,” he said, but “that doesn’t mean states can’t help with the problem.” Regulation always looks backward, cautioned Northwest Gas’s David Weber, the company’s president of gas storage. “Less is more,” he said. “Cybersecurity is moving so fast, you'll never be able to keep up a regulation or rule. ... Regulations need to be helping you actually get what you need."
A shortage of expertise currently plagues many of the states, panelists said. There aren’t enough people with “the right stuff,” George Mason University Professor Michael Ebert said. “We're not training them in the appropriate ways.” AT&T’s Boyer described a need for people who are “cyber-smart.” Commissions are often “walking into the punch” as they're learning the ins and outs of cybersecurity and will need to “try to foresee consequences,” with better-educated staff, said NARUC Director-Grants and Research Miles Keogh. He worries commissions may not be prepared to pay enough for high-quality cybersecurity staff. “We do really need to develop a cadre of expertise at the state commissions,” Keogh said, and emphasized this staff “can’t just be your IT guy or the guy who changes the toner.” Recruiting top talent will be important, panelists said, and Jarrett said “kids might look at utilities, and ‘awww, not so excited.'”
Ebert criticized U.S. immigration policy and pointed to doctoral students forced to return to China and Pakistan. Keogh again said “we've gotta pay these guys” and also mentioned veterans as a possible resource. “We'd be idiots not to plumb this pool extensively.” The wisdom will benefit the states in the long run, according to the panel. “A power tool in the hands of an untrained user is a danger to everybody,” Keogh said.
AT&T already sees itself as an industry leader in the cybersecurity fight, Boyer said. “The communications sector is part of the solution,” Boyer said. “We are trying to build robust security capabilities into our networks.” AT&T monitors its traffic 24/7 “every single day” and can try to identify “traffic anomalies,” he said, and ask the right questions: “What is the root cause of that increase in traffic?” AT&T spotlights the importance of public-private partnerships and has engaged in work with the federal government, Boyer said, but still imagines a role for states with what he called a “lot of opportunities.” State governments can “engage federal and state organizations in the existing public-private partnership framework” and begin “organizing state resources and coordinating response,” for instance, the vice president said.
Knowing where and where not to spend will matter. “You don’t want to spend $100 defending a $5 shoe” and don’t want a “million-dollar widget that can be taken down by a $5 attack,” Keogh said. He encouraged states to read NARUC’s primer on cybersecurity, released in June (http://xrl.us/bnh4wx), and asked the crowd to allow him into their different states to help establish cybersecurity teams and preparation. Missouri, Texas and California have already begun the process, and interested state authorities should look to them and seek out their guidance, the NARUC director advised. Utilities may need to “pick up the pace,” Jarrett said. The role of commissions may not be so different with cybersecurity, he and Keogh said. The goal is still to “ensure safe and reliable service at just and reasonable rates,” Jarrett said.
The threat is not going away, panelists warned. “Nefarious things” happen when botnets overtake a computer, said Boyer. “Cyberattacks originate all over the world,” he explained. “There’s victims everywhere and there’s attackers everywhere” and the threats are growing in “sophistication.” Ebert brought up the different security measures for email encryption such as SSL and TLS. “They've all been compromised -- all of them,” he said.