When looking at the worldwide energy sector, several countries use different models. Some countries like China and India have established state-owned businesses while the U.S. decided almost from its inception to privatize. There are many pros and cons to each approach. However, in today’s cyberattack-prone world, does privatization of the energy sector still make sense? If so, should they be held more accountable? Is the U.S willing to trust for-profit private corporations to protect the nation’s critical infrastructure sector from cyberattacks? While many believe that privatizing the energy sector was in the best interest of the U.S., the for-profit interests of private companies have left it vulnerable to cyberattacks.
In the early 1900s, electricity became more popular in densely populated urban areas. Many smaller private companies placed power plants in neighborhoods to provide them with direct current electricity. As technology improved and alternating current eventually won out, these smaller private companies began consolidating to share costs and increase their market share. As electricity expanded, instead of having several companies to choose from, residents found the void of competition due to monopolies.
States began passing legislation and regulations on utility monopolies, but these companies quickly restructured as holding companies and continued to grow. The U.S. believed that these private companies could take on the risks associated with this new technology better than the federal and local governments could. As the U.S. became more dependent on electricity, oil, and coal, the federal government under President Franklin Delano Roosevelt instituted regulations on these holding companies. Congress passed the Public Utility Holding Company Act (PUHCA) in 1935, which determined that holding companies could be no more than twice removed from their operating subsidiaries. As the energy demand grew, these holding companies could not keep up with the strict federal and state government regulations, causing many to go out of business. This practiced continued until the deregulation of the 1980s and 1990s. The deregulations created a single vertically integrated system that served a defined geographic area regulated by the state or federal government.
Today, in the U.S., privatized energy companies include some of the largest companies in the world. For-profit companies dominate electricity in the U.S., and the private sector owns more than 80 percent of the U.S.’s energy sector infrastructure. The energy sector provides various sources of energy that are integral to growth and production across the nation. The remaining almost 20 percent of the energy sector is U.S. government-owned, to include federal and state transmission facilities.
There is currently no incentive to change the current practice. Many believe that private industries are more efficient than governments and argue that natural monopolies, such as electricity, should be privatized and run by for-profit companies.
Pros and Cons to Energy Privatization
In order to weigh the privatization question fairly, it is critical to view both the benefits of privatization along with some counterarguments. While there are several pros and cons, let us focus on three principal areas: efficiency, taxes, and political influence.
Pros to Privatization
Increased Efficiency — The main argument for privatization is that private firms have a profit incentive that reduces costs and makes them more efficient. Therefore, the lower the cost incurred by private firms, the more significant profit it makes. Proponents of privatization argue that government producers have no incentive to reduce costs. This tends to create bureaucratic, costly government services that are not responsive to citizens’ needs.
Lower Taxes — Governments finance public services through taxes and other revenues. As these services increase, so do the tax rates. One way of reducing taxes is to off-load responsibilities to private entities that can reduce costs by lowering wages, reducing services, and raise revenues without public scrutiny.
Lack of Political Influence — Many proponents of privatization argue that our government tends to be short-term focused, thinking only about the next election. This causes governments to be reluctant to invest for the long-term benefit in infrastructure improvements because they become more concerned about projects that benefit the public before the election. This makes public sector investments, like in the energy sector, easier to cut than front-line services such as healthcare.
Cons to Privatization
Increased Efficiency — Many critics point out that the increased efficiencies are solely costs-based and not overall service-based. This is because private firms are focused on profits. They often reduce the level of services because they do not act in the public’s interests. Generating profits mean that private firms will be more likely than not to cut areas such as ready supplies of parts and equipment. These “just in time delivery” decisions tend to cause outages to drag on longer than needed. A fitting example is the currently expected deficits going into the future. According to the American Society of Civil Engineers, “based on current investment trends, the national electricity infrastructure gap is estimated to be $208 billion by 2029, and $338 billion by 2039 in what is needed to ensure a reliable energy system.” Critics point out that generation will account for 60% of the total gap by 2039, with transmission and final distribution representing 10% and 29%, respectively. This point adds to the credibility of some critics who have mentioned how these private firms have decided to forgo the long game for quick profits.
Lower Taxes — Critics also point out that lower taxes seldom mean lower overall costs for the public. In many instances, the costs are transferred back to the public through service fees and other taxes. More often than not, taxpayers are unlikely to see return savings through privatization. Privatization increases the intensity of market competition and creates a more favorable economic climate, but it is more likely that prices will rise rather than fall after privatization. Moreover, privatization creates obstacles to the regulation and supervision of the private monopoly, while workers are faced with new employment conditions while owners struggle to increase their profits and revenues. Due to the criticality of the energy sector, any shortcuts, or costs that these private firms parlay will most certainly come back to haunt consumers in the future. As in the previous example used in the efficiency argument, those added costs will most likely be paid by passing the costs back to the consumers and asking the government for bailout funding, which of course means the taxpayer will be fronting the bill in the end.
Lack of Political Influence — Unfortunately, privatization also leads to special interests seeking political influence by providing campaign contributions, votes, and opportunities for personal wealth for many politicians. Many critics of privatization state that it opens the doors to unscrupulous behavior by politicians and businesspeople. A notable example is the case of Lockheed Martin and former New Mexico Congresswoman Heather Wilson, who was named one of the “Most Corrupt Members of Congress” by the Citizens for Responsibility and Ethics in Washington in 2007. Lockheed’s subsidiary, Sandia Corp, hired the defamed congresswoman to lobby Congress on their behalf. If this was not bad enough, Sandia Corp then billed the government for her lobbying services. In 2015, the Department of Energy’s Inspector-General concluded that the former congresswoman received $450,000 in payments for her lobbying services primarily based on Capitol Hill’s connections. In the end, the contractor reimbursed the Energy Department for the payments.
The Effects on Cybersecurity
The energy sector has become a focus of cybersecurity in recent years, and with good reason. As hackers develop more sophisticated cyber-attacks capabilities, the energy sector needs better technology to protect the grid. Investments in manpower and technology have helped protect the country’s electricity grid and other critical infrastructure. However, these efforts have proven inadequate given recent attacks on several critical infrastructure sectors, namely the energy and water and wastewater system. These attacks raise questions on whether the energy sector as a whole is serious about keeping the grid secure.
Cybersecurity Efforts Thus Far
The energy sector’s cybersecurity preparedness is part of the Office of Cybersecurity, Energy Sector, and Emergency Response (CESER) cybersecurity program, supporting these activities in three key areas. CESER has three strategic initiatives regarding cybersecurity. They include: strengthening energy sector cybersecurity preparedness; coordinating cyber incident response and recovery; and accelerating research, development, and demonstration (RD&D) of game-changing and resilient energy delivery systems. The first two strategic efforts build on efforts by the energy sectors to share information on cyber incidents, improve organization and process, enhance cybersecurity, and carry out cyber response and recovery. These objectives are outlined in the Energy Sector Cyber Emergency and Recovery Plan, a strategic plan to coordinate the response to cyber incidents, recovery, and response to cyber-attacks.
As a start, the U.S. Department of Energy (DOE) is developing advanced sensors and threat analysis methods to better inform the energy sector about high-level cyber risks. Through the Cybersecurity Risk Information Sharing Program (CRISP), energy sector owners and operators can share cyber threats in near-real-time and analyze data using classified DOE information. Additionally, DOE’s Cybersecurity Capability Maturity Model (C2M2) has published a multi-annual plan for cybersecurity in the energy sector to improve the cybersecurity and resilience of the country’s energy system. CESER is the first comprehensive cybersecurity review in the U.S. energy industry with specific sectors and specific energy authorities. Lastly, DOE has initiated a pilot project, Cybersecurity for Operational Technology Environment (CyOTE™), to address the challenges of collecting and sharing data on operational technology networks to standardize how the energy industry can address operational threat data sharing. 
Current Efforts Are Inadequate
While regulators have made some strides to increase the security of the energy sector, regulators should not be the first line of defense. Regulators should provide the leadership and vision they articulate in national strategies to protect the energy sector from cybersecurity threats. While the energy sector, as a whole, must continue to mitigate its vulnerabilities, private firms still need to invest heavily to protect this critical infrastructure from cyber threats. Private firms need to demonstrate a greater sense of urgency overall in protecting this critical infrastructure. Merely hiring cybersecurity firms after an attack is not enough. As a whole, accountability seems to be a crucial missing piece of the strategy.
In the past five years, the number of cyberattacks in the energy sector has increased significantly. There has been increasing evidence Russian and Chinese advanced persistent threats have been responsible. Based on this evidence and the dismay of private energy firms, the Trump administration issued Executive Order (E.O.) 13920 called Securing the U.S. Bulk-Power System. This EO 13920 prohibited the transaction of bulk-power electric equipment designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.” Based on speculative reporting, the impetus behind this EO 13920 resulted from a 250-ton, $3 million Chinese high-voltage transformer destined for the Washington Area Power Administration’s (WAPA) Ault substation outside Denver in the summer of 2019. For reasons that have still not been made public, the transformer was seized by U.S. officials at the Port of Houston, Texas, and sent to the Sandia National Lab for testing. While this EO 13920 made complete sense from a national security perspective, it did not sit well with the energy industry. Private firms criticized EO 13920 by stating that it placed additional financial burdens on each project, as developers had to reconsider their supply chain suppliers. Again, the industry’s priority seemed to be on the bottom financial line versus ensuring national security. Today, while the Biden administration has not officially rescinded EO 13920, it has placed a temporary suspension to allow the new Department of Energy Secretary to review the policy and determine if a replacement order should be issued. Unfortunately, this suspension does permit private energy sector firms to purchase bulk-system power equipment from China in the interim.
The U.S. and the energy section will continue to fall victim to cyberattacks if things do not change. The March 2020 Cyberspace Solarium Commission provided several areas where the federal government can improve by clarifying responsibilities within the government sector and operationalizing the partnership with the private sector. However, the recent cyberattacks on SolarWinds in December 2020 and the Colonial Pipeline in May 2021 reflect the weaknesses in private companies’ cybersecurity practices. Cybersecurity requires cooperation from the energy industry as a whole, not just from regulators. Government entities have implemented security programs and have taken active, cross-cutting steps, including working with industry groups, to protect the country. However, it appears that private firms do not share the same level of scrutiny as other industries and government agencies. Allowing private energy firms to place profits ahead of national security has created a vulnerability that regulators must address. Government regulators must hold these private firms accountable and compel them to act in the best interest of the United States’ national security.
Disclaimer: The author is responsible for the content of this article. The views expressed do not reflect the official policy or position of the National Intelligence University, the Department of Defense, the U.S. Intelligence Community, or the U.S. Government.