Snowden disclosures complicate new FERC security order

Source: Blake Sobczak, E&E reporter • Posted: Wednesday, March 12, 2014

The Federal Energy Regulatory Commission’s latest plan to boost utilities’ physical security has one strange hitch: the trove of top-secret documents released last year by former National Security Agency contractor Edward Snowden.

FERC’s order Friday for grid overseers to tackle physical threats to the U.S. bulk electric power system seems to share little in common with Snowden’s sweeping revelations about government eavesdropping.But utility executives and current and former White House officials claim Snowden’s leaks have poisoned efforts to streamline information sharing about threats and weaknesses in the North American electric grid — one goal of FERC’s order.At stake is whether the North American Electric Reliability Corp. (NERC), an industry group charged with looking after the grid, can craft standards that allow regulators to monitor security efforts while making sure sensitive data stays out of public reach through Freedom of Information Act requests.

Under Friday’s order, NERC now has 90 days to draft physical security standards for electric substations and other assets, while also meeting the constraints of this information “balancing act,” as Susan Mora, director of federal affairs at Pepco Holdings Inc., dubbed data sharing last month.

It’s a high-stakes game of give and take — the government wants to see private infrastructure operators stay in line with NERC standards, while utilities want timely and actionable threat intelligence.

Mora, as top lobbyist for the utility company that directs power to the nation’s capital, has pressured Congress to smooth how grid operators and U.S. agencies share sensitive information. But at a Feb. 9 meeting of regulatory utility commissioners, she speculated that “perhaps everything with the NSA is just too much of a deal-killer.” Mora pointed to the bleak outlook for the “Cyber Intelligence Sharing and Protection Act,” which passed the House last year but has languished in the Senate.

In a statement Friday, FERC Commissioner John Norris reiterated calls for Congress to pass a “clearly-defined exemption to the Freedom of Information Act” for records relating to grid security.

But Snowden’s lengthy revelations about NSA’s surveillance activities have made anything to do with data privacy a “tough road” for Congress, according to Curt Hébert, former FERC chairman and a partner at the Brunini law firm.

An especially thorny issue has been finding security clearances for enough executives at the more than 1,900 entities operating the bulk electric power system. Snowden was able to access broad swaths of classified data with his security credentials as a government contractor for Booz Allen Hamilton in Hawaii. Civil liberties groups and privacy advocates hailed him as a whistle-blower for shedding light on the extent of NSA’s global surveillance, but security officials were left fuming over why Snowden got a security clearance in the first place.

“In the post-Snowden era, do you have more concerns with privacy issues and more concerns with granting security clearances? I would say yes — but we can always properly vet who we give security clearances to,” Hébert said in an interview yesterday.

FOIA foibles

FERC’s latest order arrives amid renewed congressional scrutiny of an armed attack on a California power substation last year.

In April 2013, a group of unidentified assailants fired high-powered rifles at the Metcalf utility facility near San Jose. The unsolved attack didn’t knock out anyone’s power, but a Feb. 16 Wall Street Journal story highlighted lingering security concerns stemming from the incident.

The utility industry says it immediately increased investments in security measures such as opaque fencing and security cameras. NERC’s forthcoming rules should help utilities figure out which assets are most critical to protect, but experts say nothing short of congressional action can settle FOIA worries.

“Our companies are extremely concerned about the issue of sensitive information getting out; even some of the media that we’ve been seeing [following the Metcalf attack] has been troublesome to us,” noted James Fama, vice president of energy delivery at the Edison Electric Institute, an association of investor-owned utilities.

Fama welcomed FERC’s suggestion that a third party handle the sensitive data to keep it out of the public eye.

But in the “age of Snowden,” there are plenty of doubts about how far the government should go to protect even the most sensitive secrets.

Speaking remotely at the South by Southwest conference in Austin, Texas, yesterday, Snowden alleged current and former NSA directors have fomented a global cyber arms race with offensive data-collection programs such as PRISM.

Snowden is now hiding out somewhere in Russia, as he is wanted in the United States on charges of violating the Espionage Act. While his claims may not always sit well with those in the utilities sphere, they have offered plenty of food for thought.

“I understand the need for secrecy and security and so on,” New Jersey Board of Utilities Commissioner Joseph Fiordaliso told Pepco’s Mora last month. “But it’s also something I think that we have to really have a good national debate about — what we really want and what we really want to accept as American citizens.”

Twitter: @BlakeSobczak | Email: