Program Revamps, More Money Needed to Gird the Grid for Cyber Attacks: Experts

‘America’s adversaries are not waiting ... they are already embedded,’ witness warns House panel during three-hour Dec. 2 hearing.
A member of the hacking group Red Hacker Alliance, who declined to give his real name, is seen using a website that monitors global cyberattacks on his computer in Dongguan, Guangdong Province, China, on Aug. 4, 2020. Nicolas Asfouri/AFP via Getty Images
John Haughey

Congress must quickly reauthorize key federal cybersecurity programs and boost funding for collaborative public–private initiatives if the United States’ electric grid and pipeline networks are to withstand diverse, increasingly sophisticated, high-tech attacks, utility and energy industry leaders warn.

“America’s adversaries are not waiting,” Zach Tudor, associate laboratory director of Idaho National Laboratory’s National and Homeland Security Science and Technology directorate, said during a three-hour Dec. 2 hearing before the House Committee on Energy and Commerce.

“They are already embedded in our systems, mapping our infrastructure, and preparing to disrupt critical operations at a time of their choosing,” he testified.

“Cyberattacks on energy infrastructure are a daily reality and a growing weapon. Congress has a vital role to play in ensuring that policy, funding, and oversight match the scale of the challenge.”

That challenge is daunting, Tudor and four other witnesses told the panel, and spans a broadening landscape of threats orchestrated by nation states such as China and Russia, ideological “hacktivists,” and criminals, as documented in the Annual Threat Assessment by the Office of the Director of National Intelligence published in March.

Xcel Energy Security and Resilience Policy Area Vice President Sharla Artz said in her testimony that Volt Typhoon, a cyber-sabotage “actor” sponsored by the Chinese Communist Party (CCP), not only has “compromised multiple U.S. critical infrastructure providers” but also is more capable now of “disrupting operational controls” than it was when first detected by Microsoft in spring 2023.

“The threat is real, it is advanced, and it is persistent,” she said, speaking on behalf of the Edison Electric Institute, a Washington-based association that represents investor-owned utilities that provide electricity for nearly 250 million Americans nationwide.

Artz said that one of the institute’s priorities is convincing Congress to preempt “state-level initiatives that seek to increase public access to grid information” because “the release of such sensitive information could inadvertently aid malicious actors” and expose infrastructure vulnerabilities.

“We continue to urge policymakers and regulators to carefully balance transparency with the imperative to safeguard details that, if disclosed, could pose risks to national security and public safety,” she said.

A screenshot shows a WannaCry ransomware demand, provided by cybersecurity firm Symantec, in Mountain View, Calif., on May 15, 2017. Experts say attackers often leave a note instructing victims not to touch their IT systems, but instead download a Tor browser, visit a darknet site, and initiate communication with the attacker. (Courtesy of Symantec/Handout via Reuters)

Program Priorities

Artz and North American Electric Reliability Corporation Senior Vice President Michael Ball were among witnesses who called for permanent funding for the Department of Energy’s Energy Threat Analysis Center, a public–private pilot collaboration that convenes government and industry experts to analyze and advise on emerging threats.

Ball, who also serves as CEO of the corporation’s Electricity Information Sharing and Analysis Center, said October’s temporary reauthorization of the Cybersecurity Information Sharing Act through January was a reprieve but not the resolution the nation seeks from Congress.

“Industry representatives and cyber experts are urging lawmakers to act quickly to enact a more long-term solution,” he said in his testimony.

Ball said Congress must increase the $3 million it annually allocates for the Cybersecurity Risk Information Sharing Program, a public–private partnership jointly funded by the Department of Energy (DOE) and industry that his center manages “to facilitate participation of smaller companies that otherwise lack sufficient resources.”

“Any increase would benefit the program,” he said, and would help “the sector undertake proactive mitigations to better defend against new malicious cyber tactics, techniques, and procedures.”

Tim Lindahl, president and CEO of Kenergy Corp., agreed, stating that his Kentucky co-op is among the nation’s 900 nonprofit local electric cooperatives that need federal and state assistance in overcoming a “rural resource gap” to ensure they aren’t easily exploitable targets.

Speaking on behalf of the National Rural Electric Cooperative Association, whose members provide power to 42 million customers across “56 percent of the American landscape,” he said Congress must fully fund and reauthorize the Rural and Municipal Utility Cybersecurity Program.

Established under 2022’s Bipartisan Infrastructure Law, the program authorizes $250 million over a five-year period through fiscal year 2026 and is “a generational opportunity to improve the cybersecurity posture” of electric cooperatives and municipally owned utilities, Lindahl testified.

“There is an estimated $160 million left in [the program] with less than a year left in its authorization,” he said, urging Congress to also reauthorize the program beyond its 2026 expiration.

Microsoft, in spring 2023, detected Volt Typhoon, a cyber-sabotage “actor” sponsored by the CCP that had “compromised multiple U.S. critical infrastructure providers.” It is a threat that remains as viable today as it was then, witnesses told a House panel in a Dec. 2, 2025, hearing. (REUTERS/Matt Mills McKnight/File Photo)

Rethinking Strategies

Girding the grid will require “modernization from top to bottom,” according to Harry Krejsa, director of studies for the Carnegie Mellon Institute for Strategy & Technology, who served as White House National Cyber Office director in the Biden administration.

He called for “a whole-of-nation strategy to guarantee the security, availability, and vendor trustworthiness of modern energy technologies that will be key to powering the [artificial intelligence] race and subsequent engines of innovation” that can “continue to evolve and be flexible to the modern realities facing us in the years ahead.”

Congress must better coordinate federal agency professionals with industry experts, academic researchers, and specialists in “Chinese geopolitical and economic statecraft,” Krejsa said.

The panel should ensure the White House National Cyber Office, the DOE, the Cybersecurity and Infrastructure Security Agency, and the National Security Agency “develop a joint risk and remediation framework ... that can inform legislative priorities for onshoring initiatives and sourcing from Foreign Entities of Concern,” he said.

The White House’s Office of Science and Technology Policy, the Department of Commerce, and the DOE should “establish an R&D strategy for modern energy technologies that not only are game-changing generation and storage tools,” Krejsa said, “but also provide ‘leap-ahead’ substitution opportunities for U.S. and allied manufacturers currently dependent on [China-based] supply chains.” Technologies would include next-generation batteries and geothermal, advanced nuclear, and fusion energies.

Governments at all levels should enlist artificial intelligence-driven hyperscalers—from among the small number of U.S. actors that understand energy economics and how the CCP exploits “flawed software”—to devise security practices for the energy sector, he said.

Success will require “rethinking existing industry convening and coordination structures,” Krejsa said, and “adopting more dynamic risk-and-reward assessments to identify critical ‘linchpin technologies,’ combining public-sector threat intelligence with private-sector purchasing power to drive secure-by-design practices.”

“Taking these steps will ensure the public and private sectors are prepared to collaboratively secure the energy foundation for America’s future while denying our adversaries the leverage to disrupt it,” Krejsa said.

John Haughey is an award-winning Epoch Times reporter who covers U.S. elections, U.S. Congress, energy, defense, and infrastructure. Mr. Haughey has more than 45 years of media experience. You can reach John via email at [email protected]