Podcast
Columbia Energy Exchange

The Cybersecurity Stakes of the Energy Transition

Guest

Harry Krejsa

Director of Studies, Carnegie Mellon Institute for Strategy & Technology

Transcript

Harry Krejsa: If you do it right, you could develop a system that is more resilient, more future-proofed, more defensible against the kinds of cyber attacks we know that China’s trying to perpetrate. If you do it wrong, then a system tool like that increases the potential consequence of what folks like the People’s Liberation Army are trying to do on our grid.

Jason Bordoff: The energy transition is transforming how we power our world. Clean energy systems are becoming more interconnected, automated and reliant on digital infrastructure. But with this transformation comes a new vulnerability: cyber attacks. As our grid becomes smarter and our system more digitized, the potential for disruption grows. Earlier this year the FBI warned of a serious threat that Chinese hackers had infiltrated U.S. critical infrastructure systems, raising the possibility of a devastating blow to energy and other vital services. The stakes are clear. As we move forward with the energy transition and increasingly digitizing and electrifying our systems, we are increasingly vulnerable to cyber attacks. So, what is the scope of the risk we’re facing? And what steps can governments, utilities, and major energy buyers take to mitigate cybersecurity risks? And what role could AI play in standardizing security in clean energy infrastructure?

This is Columbia Energy Exchange, a weekly podcast from the Center on Global Energy Policy at Columbia University. I’m Jason Bordoff. Today on the show, Harry Krejsa. Harry is the director of studies at the Carnegie Mellon Institute for Strategy and Technology. He was previously in the Biden White House’s Office of the National Cyber Director. There he led the development of the Biden-Harris Administration’s National Cybersecurity Strategy, established national clean energy security priorities, and represented the U.S. Government in technology security consultations with foreign partners and the global private sector. Prior to that Harry worked at the intersection of technology, industrial strategy and U.S.-China competition for the Department of Defense, the Cyberspace Solarium Commission, and the Center for a New American Security. We talked about the cybersecurity risks at the intersection of operational technology and information technology in the clean energy transition, the destructive capabilities of China and Russia on American critical infrastructure, and of course, what we should all be doing about it. I hope you enjoy our conversation. Harry Krejsa, thank you so much for joining us on Columbia Energy Exchange. Really excited to have you here for the first time and have this conversation.

Harry Krejsa: I’m thrilled to be here, Jason, thanks for the opportunity.

Jason Bordoff: For those who may not have heard you before, just remind everyone. Obviously I will have just read your bio at the start of this podcast, but just give a little bit of a sense to elaborate on that. What you focus on, what your role at Carnegie Mellon is now, what you were doing in government before?

Harry Krejsa: Sure. I’m the director of studies at Carnegie Mellon University’s Institute for Strategy and Technology. But before that I was at the White House Office of the National Cyber Director in the Biden administration. I helped stand up the office and held the pen for a lot of the national cyber strategy efforts that followed from that. But also, clean energy security priorities that were a part of that national strategy effort. But before joining the Biden White House, I actually worked in the Pentagon during the Trump administration on the civil staff there, where I oversaw counter-China cyber and technology policy, the adoption of new offensive cyber authorities for military operations, and the military strategy and doctrine for those new authorities and approach to the Indo-Pacific. And so, I am kind of a convert from the hard national security background into the more sunny affirmative vision clean energy space. And have been working at the intersection of those two areas, which I think is bigger and more consequential than either community necessarily understands.

Jason Bordoff: So, super interesting. And coming from the National Security and Defense world focused on cyber security, this is an energy podcast. Why are we talking about cyber security on an energy podcast, or maybe why should we be doing that more than sometimes is the case?

Harry Krejsa: It is a good question. And the reason why it’s of interest to me is it was one of the last things I was working on in government and one of the first things that I worked on upon joining Carnegie Mellon, and that is the novel ability of clean energy technologies to fortify our critical infrastructure against cyber attack. Especially of the variety that we know the People’s Republic of China is working on. Earlier this year a number of national security leaders in the United States testified before Congress and corroborated a report from Microsoft that the PRC, the People’s Republic of China, is actively seeking to pre-place disruptive and destructive cyber capabilities on our critical infrastructure. Including our energy ecosystem, water, et cetera. And the motivation they believe there is that Xi Jinping, the president of China, has advised the Chinese military to be ready for a conflict with the United States by later this decade. And one of their tools in that preparation is this pre-placement of digital time bombs to sow chaos and panic in our critical infrastructure.

But their ability to do that is, it hinges on the aging technologies and inconsistent seams of security of our infrastructure as it is now. And the clean energy transition is actually a great golden opportunity to use the novel dynamics of clean energy technologies to clear out that vulnerability and fortify our electricity grid against those kinds of cyber threats.

Jason Bordoff: Help me understand that. You said the clean energy transition is an opportunity to fortify the energy system against cyber attacks. We have a system globally now that depends a lot on oil, gas and coal, physical molecules. You put them in piles on a ship or in tanks or in a pipeline, there can be attacks there too. We saw a high-profile attack on a pipeline, or an oil company like Saudi Aramco could get attacked as happened in the past. But we’re moving to a world where much, much more of that is going to be electrons. We talk a lot about the digital infrastructure that we need; more of the energy system is going to be interconnected with two-way flows back and forth between devices and the grid, demand response. All of that seems like a much more vulnerable kind of system to cyber attack than the traditional fossil fuel sector. So, what am I missing?

Harry Krejsa: It’s basically the difference between a system that is inherently more digital and can be constructed with a firmer understanding of threats in mind and a system that is more haphazardly digitized. So, the example I like to give is that our infrastructure is made up primarily of operational technology, OT, that is distinct from information technology, IT, right? IT is your software tools, it’s your laptops, your Wi-Fi, your Microsoft Excel-based billing system. And then you have OT, the switches and pumps and pipelines kinds of things that you were describing with our hydrocarbon-based system. And that operational technology, OT, was originally never intended to be digitized, or never intended to be connected to the internet more precisely. And because of that original design intent, a lot of the foundational pieces of that OT infrastructure don’t really have security in mind at all. Whereas in information technology the question about the best forms of encryption to secure data at rest and in transit, that is like a mature debate and we’re always having discussions about the best way to secure information technology, bits and that kind of that side of the ledger.

Whereas operational technology until recently never bothered with encryption at all, because it was assumed to be totally irrelevant. But we’ve seen even before the clean energy transition began and the premise of greater electrification began, we saw that clear distinction between IT and OT was starting to break down. There are lots of parts of our grid that are difficult to, or dangerous to get to. You want to be able to monitor it, you want to be able to control it without needing to send a physical person to go manipulate switches and knobs. And so, we got into a sort of half digitization. Where we’d be slapping a dial-up modem on the side of the Hoover Dam here and calling it good. I’m exaggerating for effect.

Jason Bordoff: Yeah, no, but to your point, I mean for those listeners who haven’t been in a big control room of a major oil company or a services company like SLB, it is pretty remarkable. I mean, someone sitting is operating very complex infrastructure halfway around the world in a digitized way.

Harry Krejsa: Absolutely. But the problem is that you have a very slick, modern looking layer of monitoring and control on top of a very old, mixed-systems kind of traditional energy infrastructure that combines technologies that are modern and new with technologies that are decidedly not modern, decidedly not digitally connected. And we think in terms of tech that is digitally adapted versus digitally native. And the advantage with clean energy tech is, a lot of it is digitally native. It’s built with software at its core, with a humility about what can be known to be secure now and how to build it so it can be updated and patched against emerging threats in the future in a way that our existing energy infrastructure in too many places is simply not.

There were a couple of Government Accountability Office reports in the late-2010s and early-2020s kind of ringing the alarm about the technical and regulatory complexity of our electrical grid, in particular its distribution system, as a result of this proliferation of older traditional infrastructure with all these new internet-connected devices, tools, ecosystems, internet of things being blended together and not being blended with a kind of comprehensive approach to security and instead creating a proliferation of connections. And it’s those kinds of seams that create errors, and that is what folks like the PRC, Russia and others are seeking to exploit when they want to get into our infrastructure.

Jason Bordoff: And I want to move on, but just so I clarify, so I understand the point you’re making, is that distinction you’re drawing about OT versus IT, fossil-based versus clean, molecules versus electron? Or is it fundamentally just about old versus new?

Harry Krejsa: It’s more fundamentally about old versus new. And what we think of as digitally adapted, things like smacking a modem on the side of the Hoover Dam, versus digitally native. Like virtual power plants, cloud-managed batteries. And so there isn’t anything that is inherently physics-wise different, but we find that in practice decarbonization is digitization.

Jason Bordoff: And the point of it being new is if you’re building it from scratch you have more opportunities to build it in ways that are resilient to potential cyber attacks than things that are retrofitted after the fact. That’s what I think I hear you saying. And are we building it that way, or should we be concerned that in fact what you’re describing is a theoretical possibility, but it is not how a new system with myriad players making independent business decisions, building projects here or there without a master coordinator of all of this, are we doing it the right way or not?

Harry Krejsa: It’s mixed. There is good news and bad news there. Good news is that there are the higher tech portions of the clean energy transition that depend on more software-defined tools. Components are almost easier to be able to know whether it is being built in a secure way or not. Things like virtual power plants or distributed energy, control mechanisms.

Jason Bordoff: Just for people listening who may not understand the phrase virtual power plant, explain what that is?

Harry Krejsa: A virtual power plant, it is a software tool that allows a utility or other electricity management entity to aggregate together a lot of connected devices. This is one of the novel and really cool aspects of a clean energy digitized energy ecosystem. Where say I’m a utility and I see, oh, it’s five p.m., people are starting to get home, use their appliances, plug in their electric cars, but the sun’s going down and the overnight wind hasn’t picked up yet, so I expect there might be a gap in supply and demand. Well, I’m just going to turn to my virtual power plant where I’m going to buy 1% of 10,000 people’s EVs. I’m going to compensate 5,000 people’s thermostat to go up one degree and aggregate that all together into what works like a dispatchable power plant in practice on my grid. And that’s all possible because of distributed energy flows, because of software-defined control.

Jason Bordoff: On the supply side it is, am I right? I mean, things like drawing on EVs on the demand side, we could be using demand response in a fossil fuel-based economy.

Harry Krejsa: Absolutely right. But because of those novel combinations of IT and OT and the digitally native nature of a lot of clean energy tech, we’re able to string those things together into a service that works like a traditional fossil power plant.

Jason Bordoff: And that helps with cyber security, or that is more vulnerable to cyber attack that system?

Harry Krejsa: Both. If you do it right, you could develop a system that is more resilient, more future-proofed, more defensible against the kinds of cyber attacks we know that China’s trying to perpetrate. If you do it wrong, then a tool like that increases the potential consequence of what folks like the People’s Liberation Army are trying to do on our grid.

Jason Bordoff: It would seem to me, and obviously you’re the expert, not me. Just the surface area gets so much bigger when you have connected devices in the home from a baby monitor to a thermostat to every other, your refrigerator. There are just so many more points of attack, which once you tell me how this works, once one of those devices falls victim to that, it can kind of spread system-wide. That seems like a big vulnerability.

Harry Krejsa: You’re absolutely correct, that intuition is correct that there’s a growing threat surface here as the economy digitizes and our infrastructure follows. But the analogy I like to draw on is like fire safety. Where through the 19th century and especially in the early era of electrification, you’d have huge fires break out across major cities. Where Chicago, London, San Francisco, there are historic-level fires that would sweep through these wooden literal tinderboxes and take down entire neighborhoods. And that was exacerbated by fuel, oil, lighting and electricity and all of that. But when we got to an ecosystem where every part of a home or a building, instead of becoming a source of risk, became instead a source of defense and resilience, where we said, “Okay, paint all needs to have this level of flame retardant property and electrical wires need to be on this kind of insulation gauge.”

Then you got to a point where every building had tons and tons of overlapping components of resilience and protection against fire, rather than tons and tons of aggregating sources of risk. The hope with a digital-first ecosystem is that we can help, we can figure out what right looks like. We can promulgate standards and practices of cybersecurity to make it so that our energy household is full of contributions to its cyber defense and resilience. Rather than risk against it. And that’s what the clean energy, the promise of the clean energy transition is bringing to our energy ecosystem. Is starting that process of all these more digitally sophisticated components being able to define and add to that level of resilience rather than aggregating risk on top of it.

Jason Bordoff: And with that analogy you’re talking about, I think it is the case, although I’m not an expert in fire safety. A big part of that came from government regulation and standards and the way we build buildings. And here in the city where I am is a famous disaster, the Triangle Shirtwaist Factory fire, which prompted a whole set of reforms for working conditions for workers, because the doors were locked, people couldn’t leave, et cetera. Not to mention things like sprinklers or whatever you need for fires. Is that right here too? This is about individuals updating the software, malware updates, whatever those little prompts you are … You get on your devices at home. Is it up to all of us? Is it like Smokey the Bear, like only you can stop forest fires, or is it about companies doing the right thing? Is it about companies following standards, regulations and really is this a job for government, and what’s government doing today and what should government be doing?

Harry Krejsa: We are in a Smokey the Bear environment, but we’re trying to move toward a fire code environment, right? Our cybersecurity today, it’s as though fire code never happened. You need to pack an oxygen tank and a fire axe every time you go into a building or else it’s your own fault if anything bad befalls you. Right? We are asking individuals, rural co-ops, small utilities, we’re saying, “If you don’t have complex passwords and multifactor authentication and the best security tech in the world, it’s your own fault if you get got by the PLA.” And that is not a sustainable way of doing things. That’s why the federal government issued a new cyber strategy in early ’23 saying, “This is not working. We need to rebalance responsibility away from end users, individuals, small businesses onto the larger stakeholders of this ecosystem who have this systemic influence to make it more defensible.”

And that includes your large tech companies that architect the fundamental foundations of our digital ecosystem. But also includes your big critical infrastructure owners and operators to implement all of that and make it so that your smaller clean energy vendors and co-ops can put new technologies onto the grid, but know what right looks like. They know what their expectations are. They know how to interface with the grid in a secure and resilient way. And take advantage of their digitally native defensibility against the kinds of threats that would otherwise try and get in between those seams.

Jason Bordoff: And by the way, we were talking, I was talking about the fossil fuel-based infrastructure, ships and pipelines and stuff, whether that’s more or less vulnerable. But you’ve done a lot of work too on critical infrastructure on our ports where all these tankers go in and there’s an increasing amount of concern. I hear people in this field, like you I’m sure have been focused on this for much longer. All this equipment is made by companies in China and remote operated with digital software. Talk about critical infrastructure broadly right now. Because a lot of it relates to energy even if it’s not what we think of directly as energy infrastructure.

Harry Krejsa: Yeah, it is a big challenge right now where both the kind of the problem and solution to that problem both run through Chinese supply chains. General electronic controllers and software and hardware are disproportionately dependent on Chinese-based supply chains. But also of course, clean energy technologies in particular are very dependent on China-based supply chains. And I think that there is a more nuanced and sophisticated way to approach this problem than some folks I’ve heard say, “We shouldn’t be connecting any China manufactured goods to our infrastructure, clean energy transition be damned.” And folks who say that, “We can’t delay the transition, we have no alternatives, we should just not worry about it.” I think it’s probably a, and what I propose in a coming report from the Carnegie Mellon Institute for Strategy and Technology, is a framework around digital exposure of the technology we’re concerned about, and how systemically impactful that technology is to our infrastructure, and in particular our power grid.

And I think that you can have a spectrum where there’s a lower risk side of things where yes, these are technologies that we import from China, but they are relatively low likelihood, systemically risky, even if they have some semiconductors or other kinds of computational machinery on it.

Jason Bordoff: What would be an example of that? Everyone talks about how all the solar panels are made in China. Is that the sort of thing where you’re like, “Yeah, that’s true, but that’s not a huge cyber.” There may be other reasons we’re concerned about it, forced labor, U.S. firms, fair competition. But from a cyber standpoint this is a manufactured product that’s got some digital stuff in it, but this is not really what we should be worried about. Am I reading it right what you’re saying?

Harry Krejsa: You’re reading it exactly right. And that is precisely the example I’d use is that your solar panels, sure, they’ve got semiconductors, usually like efficiency sensors and things like that, in them. But when you’re thinking about the universe of digitally enabled infrastructure technologies out there, they’re relatively dumb. They’re relatively low price commodities and they aggregate up into inverters, into substations, things that are pretty effective fire breaks if one panel goes bad. Whereas I think on the other end of that spectrum are things that are much more software defined and more systemically impactful. And I think that that example is probably virtual power plants.

Jason Bordoff: So, just explain that. The things you would be more concerned about from a cybersecurity standpoint, like virtual power plants, just say more about … Because you’re giving a fairly optimistic outlook on how a clean energy transition actually helps mitigate cybersecurity risk. But as you just said, the concern people have for myriad reasons, jobs in the United States, national security seems to be everything now. And other reasons. We know that most, the fact that so much clean energy does come from China is often viewed as a source of concern today for a variety of reasons, economic security, otherwise. How do you square that circle that this is helpful for cybersecurity, but all these clean energy technologies, most of them China has a pretty dominant position in?

Harry Krejsa: Well, I think you need to take a look at that framework and figure out what level of risk you’re wanting to control and mitigate for. And then make your tradeoffs on things in the middle. For solar panels, we’re not going to worry too much about the cybersecurity risk of those. Yes, we’d want to probably retain some onshore manufacturing capacity for general manufacturing resilience purposes. But that cybersecurity risk should probably not be at the top of that pile of concern. Virtual power plants, in contrast, entirely software-defined, could have systemic influence over megawatts or even gigawatts of electricity. We probably want to have more direct U.S. and allied ownership over the development of virtual power plants, and have 100% confidence in them. But that’s easier to do because it’s software and we don’t have to reconstruct global manufacturing supply chains. Where things get tough is stuff in the middle, stuff like smart inverters or batteries where they have substantial software components and dependencies, but also significant hardware supply chain dependencies through China. And we need to make case-by-case determinations there.

Jason Bordoff: So, Biden administration officials have said that there were several reasons why we should restrict access to the U.S. market for Chinese EVs. National security is one of them. Is the national security part of that correct in your view?

Harry Krejsa: Yes, especially when you look at the details of the Department of Commerce rulemaking and developments there. The emphasis is on the Chinese-made software of disproportionately connected cars, right? It’s about connected cars and the fact that Chinese software may have a scalable impact in cars that are running around with 5G modems in them, are partially autonomous, and those are disproportionately EVs.

Jason Bordoff: Yeah, I was going to ask you that. I mean that could obviously be true for the internal combustion engine as well. But you’re saying it just is the case that EVs tend to be more digitally connected. And is the concern there, I’ve heard concerns that they can gather data on people. There are privacy issues, which is different than, I don’t know if everybody drove a BYD vehicle all of a sudden all at once, they’re hacked and they all drive off a bridge simultaneously. Is it hacking of vehicles? Is it data privacy, is it all of those things?

Harry Krejsa: It is all of those things. I think the data privacy is lower threshold. It would be very easy to port out a bunch of people’s personal information and then construct social engineering campaigns based off of that. But I think the bigger concern over the medium and long-term is like a supply chain attack of the variety that you saw with the Israeli pager attack on Hezbollah, right? That is a very-

Jason Bordoff: Which obviously wasn’t cyber.

Harry Krejsa: No.

Jason Bordoff: It was about getting into that physical supply chain.

Harry Krejsa: That’s correct. But if you have both access over the physical supply chain and the software that controls it, then what you can accomplish with a supply chain attack is much greater. And that’s part of the double-edged sword of clean energy technologies. IT/OT convergence with EVs, the software part of it is much more inherently connected to controlling of the energy dispensing part of it, the battery and what it does.

Jason Bordoff: Am I right, this is not … I mean, we’re talking about clean energy technologies, but I’m thinking about the fact that, I mean, what percentage of the electronic equipment in our home is manufactured in China? And if every air conditioner in our homes is made in China and on the hottest day of the year when it’s 120 degrees somebody hacks them all and they all go to the lowest setting of 53 degrees and then the grid goes down. I’m just making up scenarios. I’m sure I’m not the first person to think of dire scenarios like that. But I guess my question is, is this just a vulnerability because China has a very dominant position in a lot of the interconnected digital age, or is this particularly about clean energy and the transition to clean energy?

Harry Krejsa: The unsatisfying answer is, again, it’s both, right? Obviously, the scenarios we’re talking about are sensational ones. Ones that would be only … We’d only come upon in a source of crisis or would require substantial planning and exquisite action by someone like the People’s Republic of China. But it’s a question of cumulative risk that if we decide, yes, we’re going to cede the vehicle market to Chinese EVs, everyone’s driving around a Chinese EV and the potential systemic impact of a supply chain attack is so great, then even if it is a low likelihood event, it’s something we should be concerned about. And I think we were … This was part of the debate a few years ago around Huawei 5G deployment, right? That okay, we don’t have for the public a smoking gun example of Chinese telecom companies using their Chinese telecom infrastructure to spy on you. But if the outcome here is that all information in the United States runs over Chinese telecom infrastructure and we are in a great power competition with China, the owner of our telecom infrastructure, that is an intolerable level of risk.

Jason Bordoff: So what are the solutions here? I mean, we’re talking a lot about China, but we’re also talking just about how integrated global supply chains are. And we’re talking about cyber risk, and as you gave the example of Israel and pagers, there are multiple vulnerabilities for actors that might be adverse to one’s interest in global supply chains. So, what do you do? I mean, you can require everything be made and manufactured domestically and cut yourself off from the global economy, but that obviously comes with its own costs. What is the government doing now to address all the risks you’re talking about, and what should it be doing that it’s not doing?

Harry Krejsa: Sure, I think that there’s basically two phases that we need to approach this from. Because the challenge is admittedly huge. And the first phase is a near term cyber security focused one. Simple software security kinds of things. And to that end, the government has made a down payment. Earlier this year following the direction of the national cyber strategy, the government issued a set of priorities for preparing the digital ecosystem to better support our energy transition. And in that it named specifically a few linchpin technologies that are critical to the near term success of the clean energy transition and are disproportionately digitally enabled. Things like batteries, smart inverters, and virtual power plants. And so, the government is signaling that they and their private sector partners should in the near term focus on how can we get the most confidence in the security and resilience of these technologies, regardless of their supply chain arrangement.

And that looks like standards development. It looks like public-private partnerships and information sharing. A lot of muscle movements that we are comfortable with from other sectors. What I think is especially novel there is that the clean energy stakeholder ecosystem and the hard national security stakeholder ecosystem, both in and outside of government, do not, have not historically been thoroughly integrated. Your traditional energy stakeholders, your big energy companies and utilities, they know their regulator, they know how to think in terms of geopolitical risk. And China world and cyber risk world, they are all talking to each other very thoroughly. But in the clean energy space, that ecosystem’s greatest asset, that number of new entrants and dynamic actors, is also a liability. That there’s some naivete about the risk of software defined technologies and Chinese dependencies in them.

Jason Bordoff: And that requires standards from the government and just awareness, information sharing, working closely with them?

Harry Krejsa: Yeah, that’s right.

Jason Bordoff: And a lot of the utility sector is so local. I mean there’s a federal role for this, but so much of electricity regulation happens at the local level where I assume capabilities are mixed. And is that a challenge as well as we move to an electrified economy?

Harry Krejsa: Oh, absolutely. And this is a challenge on the, just even putting aside energy, the broader kind of cybersecurity policy ecosystem is really challenged by the fact that our federal legal authorities are very diffuse. And some sectors have all the authorities they need to implement cybersecurity standards and supply chain trust requirements. But other sectors have nothing. And the energy sector is one of those where, as you described, a lot of those decisions are made on the local level. We’ve got federal bodies making electricity cybersecurity standards, but I think it was an Atlantic Council report a couple of years ago that crunched numbers and found that those federal standards only really applied to like 10% of the entire electricity ecosystem. So, it is a, we have no choice but to engage in a tremendous amount of cross-sectoral partnerships, public-private collaboration.

But a lot of those structures that exist today to facilitate that were built for a fossil fuel-based ecosystem of a few consolidated large actors, rather than the more mixed ecosystem we have today with a lot more dynamic new entrants. And so, we need to update those institutions for those needs and reflect the energy ecosystem as it is now and the direction it’s going.

Jason Bordoff: How vulnerable is the electricity system today to cyber attack?

Harry Krejsa: I think too close, too recently close to having handled-

Jason Bordoff: I guess, let me ask it this way. Should this be more of a concern than is widely perceived today? Is that a question you can answer?

Harry Krejsa: Yes, it should be more of a concern than it’s widely perceived today. And I think that’s downstream of our competition with China. There’s a tech strategist, I enjoy reading Ben Thompson. He writes the Stratechery publication and he lives in Taiwan. And he writes a lot about how business-centrist global business executives, especially U.S. business executives, seem to just not listen to any of the speeches that Xi Jinping gives. Because if you did, you would be much more concerned about the state of U.S.-China relations and their intent to be ready to fight a conflict over Taiwan. And that is a major motivator to do things like hacking into our critical infrastructure and our electricity grid. And so, we know that they are trying to do that. And we know that the examples that we found are almost certainly not the only examples of them trying.

Jason Bordoff: And there have been publicly reported cases about Russia hacking into the U.S. electricity grid. I’m just curious, we’ve talked about China so far, but when you look at the actors to be concerned about in cyber world, Russia, Iran, North Korea, China, non-state actors, what are the biggest concerns for policymakers in the world of cyber threats right now?

Harry Krejsa: It is those four. We used to talk about the four in the same breath, I think more frequently now. That’s kind of like China, Russia, and then everyone else. And it is true that Russia is also absolutely poking around our critical infrastructure, and so are Iran and North Korea. But China is really what the Department of Defense calls the pacing threat in this arena. I put scare quotes around that. Pacing threat, because they’re really the frontier of cyber capabilities in this regard. But absolutely could come from a lot of directions between those four. And all four do have motivation to have the capability to cause this kind of disruption. Because they see cyber capabilities as a good way to circumvent traditional forms of American deterrence or conventional military overmatch to pursue their interests without triggering that deterrence.

Jason Bordoff: Yeah, just to that point, because I asked you what government should be doing about it to make ourselves less vulnerable to that threat. And you talked about a variety of ways to harden our infrastructure, and I presume, and presume there’s only so much you could say about this, but the idea that part of the deterrence is our capability to impose pain on others is probably part of what policymakers think about as well.

Harry Krejsa: That’s correct. And that is part of what I worked on when I was on the civilian staff at the Pentagon during the Trump administration was updating our cyber authorities to impose costs. During the Bush and Obama administrations there was an understandable default toward restraint. Cyber capabilities were so bleeding new and we thought that there’s a lot of uncertainty around how they would be perceived and how to manage escalation. And so we wanted to just have a default toward maximum restraint. But during that time China, Russia and North Korea, Iran, they started to see the advantages of cyber capabilities that we just discussed and experiment with them on us. And our fear of escalation and our restraint may have been inadvertently escalatory. As China and Russia in particular were able to get away with a lot of notable things contrary to our interests, like Chinese expropriation of a trillion dollars of intellectual property. OPM, the Office of Personnel Management hack, where they made off with tens of millions of Americans’ personal information, and of course, Russia’s efforts to interfere in the 2016 election.

Which I think altogether prompted a rethink at the beginning of that Trump administration. That we should adopt more abilities to impose costs, because by not doing that we are inviting more and more prodding. And I should note, this area of cyber policy is still a very bipartisan one. There’s generally a lot of bipartisan consensus. And when the Biden administration came in and reviewed what the Trump administration had adopted and how it was approaching these questions of cost imposition, they retained a lot of those same authorities and strategies. And so, the complement to deterrence by cost imposition is now deterrence by denial, right? We have some tools to start causing pain, but we are also still very vulnerable. We need to deny them the benefits of these kinds of cyber attacks. And that means fortifying our grid so it’s not as juicy a target.

Jason Bordoff: And leaving your own personal political views or preferences aside. But your comment about it tends to be nonpartisan and you’ve worked in administrations of both parties is, does the recent election in the U.S. meaningfully change how you think the government will approach this or this is actually not a really partisan issue and it should roughly move in the same direction?

Harry Krejsa: I think that there will be more iteration than a dramatic yo-yo. Some of the first steps toward more general cybersecurity regulation in the Biden administration passed Congress with significant bipartisan majorities. So, I think there will be a change in qualification rather than in type, rather than huge changes. But I think what may be of more interest to the coming administration is we know that they are not likely going to prioritize decarbonization as much as the Biden administration did at home and abroad. But the fact that clean energy technologies provide this promise of a more defensible and fortified energy infrastructure, especially against the kinds of cyber attacks that we know the PRC is preparing for, I think will be of interest. I think the fact that you can have more distributed energy, more resilience, more failover options into microgrids, and a worst case scenario with clean energy distributed resources is, I think of interest to a lot of the folks coming into the new administration who have competition with China top of mind.

Jason Bordoff: It is quite a little remarkable to me. We’ve talked for nearly an hour about how new technology is going to change the energy system and what it means for cybersecurity, and we have not said artificial intelligence yet. So, can you talk about this massive disruptive new technology and how AI mitigates these threats as a solution to them, amplifies and exacerbates these threats? How should we think about it?

Harry Krejsa: Sure. I think that to the extent that artificial intelligence is generating the first kind of significant growth in electricity demand in the modern era is something that I think makes it a potential asset in this effort. A lot of the companies that are leading in AI development are also companies that in the 2010s were leading in clean energy deployment. Like in the 2010s the first rollout of data center-based cloud computing was accompanied by companies willing to pay a green premium to get that first wave of major clean energy investments out so they could say that Gmail, Office 365, and Amazon are based on clean energy technologies as we moved into the era of cloud computing. And I think there’s a great opportunity here for those similar companies to be willing to pay a security premium as they work on the same build out of new electricity generation for AI training requirements, that we’re going to be putting in all this new electricity.

There’s a lot of interest in small modular reactors for nuclear build out. But that’s going to be in complement to cloud managed batteries, dirt cheap and still extremely capable solar panels. There’s going to be a tremendous, I predict growth and demand for clean energy technologies and distributed resources. And your hyperscalers, your major tech companies, Microsoft, Google, Meta, Amazon, and the like, are companies at that point of tangency between folks who are driving our energy ecosystem in a certain direction, folks who understand cyber risk, and who have the expertise in both areas to contribute to solutions for both.

Jason Bordoff: What is that? I mean, I’ve written and made that point that people with huge … Companies with huge amounts of money to spend care about their green credentials driving an increase in electricity demand, could help to encourage more investment in, we’ve seen that already. We met reopening parts of Three Mile Island or signing long-term deals for nuclear. It is, by the way, going to more natural gas use, whether people like it or not for some period of time. And so, that could help accelerate some of these clean energy technologies. But specifically on cyber, what does that look like? Is it how they’re procuring this technology or the deals they’re doing with Oklo or whichever startup you’re talking about for SMRs or working with utilities? How does it help the cyber issue?

Harry Krejsa: Sure. I think it’s from both directions there. And I know one of the things we heard when I was working on this in government, we heard a lot from both the utility side and the clean energy vendor side that what right looks like from one utility to another varies. Different regional utilities will have different requirements for how secure and resilient they need to feel a new energy resource is before they’ll let it connect. And I think that your hyperscalers who are putting together these major power purchase agreements with regional utilities can help drive standardization. In this ecosystem where federal standards only reach 10% of the electricity sector we’re going to need buyers like, sophisticated buyers like the major tech companies to help define what right looks like and then standardize it. And say, “Okay, I’m buying from this regional utility, this level of clean energy, and I also am going to attach a security rider that these practices are going to be observed by that new energy vendor.”

And then we can just get to a point where we’re comfortable copying and pasting that into other regional utilities around the country. And I think it’s probably your big electricity buyers that have the scope and scale to drive that level of standardization and make those kinds of requests.

Jason Bordoff: So, I’ve taken up nearly an hour of your time. Super interesting conversation. What haven’t I asked you about that we should have talked about? Just curious if there’s anything that we didn’t address that you want to make sure people understand in this space?

Harry Krejsa: Well, I think on the subject of artificial intelligence, this is a space where you’ve seen a lot of government and industry action toward a relatively speculative future payoff, right? Don’t get me wrong, I’m not a total AI hype denier. But we’re still in the very early stages of the promise of artificial intelligence. I think we have similarly been neglecting some of the more long-term benefits of clean energy to our national security and competitiveness. And one of those areas is and could go hand in hand with artificial intelligence build out. But basically clean, cheap, abundant energy, right? A world where zero marginal cost electricity generation is more appreciated and capitalized upon is a world where I think we have even greater opportunities for national competitiveness and research, and the more innovations and breakthroughs are possible. And it is a profound difference in how fossil energy works and how clean energy works that will also be digitally enabled. Where how we capture that surplus and that abundance and move it around in space and time is going to have a significant, I think, implication for our overall long-term competitiveness with partners like China, Russia and others.

Jason Bordoff: I was really excited to have this conversation, just because it’s incredibly important, really interesting, I was excited to learn, and I didn’t know whether I would leave more concerned or more optimistic. And somehow you’ve managed to do both. So, it just shows the complexity of the issue. But Harry Krejsa, thanks for making time to be with us and explain it to us. Really, really interesting.

Harry Krejsa: Thank you, Jason. I really appreciated the opportunity to come on, and it was a great conversation.

Jason Bordoff: Thank you again, Harry Krejsa, and thank you for listening to this week’s episode of Columbia Energy Exchange. The show’s brought to you by the Center on Global Energy Policy at Columbia University School of International and Public Affairs. The show is hosted by me, Jason Bordoff, and by Bill Loveless. The show is produced by Tim Peterson from Latitude Studios. Additional support from Caroline Pitman, Lilly Lee, Martina Chow and Kyu Lee. Sean Marquand engineered the show. For more information about the podcast or the Center on Global Energy Policy, please visit us online at energypolicy.columbia.edu, or follow us on social media, @ColumbiaUEnergy. And please, if you feel inclined, give us a rating on Apple Podcasts. It really helps us out. Thanks again for listening. We’ll see you next week.

The energy transition is transforming how we power our world – clean energy systems are becoming more interconnected, automated, and reliant on digital infrastructure. But with this transformation comes a new vulnerability: cyberattacks. As our grid becomes smarter and our system more digitized, the potential for disruption grows.

Earlier this year, the FBI warned of a serious threat that Chinese hackers had infiltrated U.S. critical infrastructure systems, raising the possibility of a “devastating blow” to energy and other vital services.

The stakes are clear. As we move forward with the energy transition – and increasingly digitizing and electrifying our systems – we are increasingly vulnerable to cyber attacks.

This week, host Jason Bordoff speaks with Harry Krejsa about the cybersecurity risks at the intersection of operational technology and information technology in the clean energy transition, the destructive capabilities of China and Russia on American critical infrastructure, and what we should be doing about it.

Harry is the director of studies at the Carnegie Mellon Institute for Strategy & Technology. He was previously in the Biden White House’s Office of the National Cyber Director. There, he led development of the Biden-Harris administration’s National Cybersecurity Strategy, established national clean energy security priorities, and represented the U.S. government in technology security consultations with foreign partners and the global private sector.

Prior to that, Harry worked at the intersection of technology, industrial strategy, and U.S.-China competition for the Department of Defense, the Cyberspace Solarium Commission, and the Center for a New American Security.
