The Trump administration has yet to appoint several agency officials who will deal with cybersecurity for critical infrastructure, leaving power industry members in a holding pattern on some issues.
The U.S. Department of Homeland Security is the main federal agency overseeing cybersecurity, given its strong expertise, resources and response capabilities to protect critical infrastructure. The U.S. Department of Energy is the electricity sector-specific agency working with the DHS on defending power infrastructure against physical and cyber threats. Former President Barack Obama also signed legislation in December 2015 that gave the DOE emergency authority to coordinate the government's response to a major incident affecting the electric grid.
But despite the significant role played by the DOE and DHS in protecting the grid, the Trump administration has not named crucial contacts at those agencies for the power sector. The DHS positions of undersecretary for national protection and programs and assistant secretary for infrastructure protection both are vacant pending new appointments, according to the department's website.
The DOE, meanwhile, has yet to name a replacement for former Deputy Energy Secretary Liz Sherwood-Randall, who was second in command at the department from October 2014 through the end of the Obama administration. The utility sector also closely coordinates with the DOE assistant secretary for electricity delivery and energy reliability — a role that under Obama was held by Patricia Hoffman, who currently is serving as acting assistant secretary for that office until the U.S. Senate confirms a new assistant secretary.
Presidents can structure their cabinet and agency staff as they choose, meaning Donald Trump could shift some cyber duties to other existing or new positions. The Trump administration is in its early days, but power industry members are eager to have crucial contacts in place.
"I'm not sure [the hiring lag] is causing any great issues yet but it certainly will if the vacancies exist for too long," said Mark Weatherford, chief cybersecurity strategist at consulting firm vArmour and a former deputy undersecretary for cybersecurity at the DHS under Obama.
Bigger cyber focus mulled for DHS
The gaps in leadership, and a debate over where to consolidate government power over grid protections, may be part of the reason the Trump administration delayed the release of a cybersecurity executive order that had been scheduled to come out in late January.
An initial draft of the cyber order charged the Secretaries of Defense and Homeland Security with recommending critical infrastructure protections. But a later draft possibly signaled a bigger role for the DOE by directing the DHS to coordinate with the Secretary of Energy, along with state, local and tribal governments, to gauge response capabilities to electricity disruptions. The White House still has not released a cybersecurity order, and therefore, more changes could be coming.
While some are pushing for more DOE control over cybersecurity, momentum is increasing in Congress for making the DHS focus some of its cyber efforts more exclusively on critical infrastructure. There has been "significant discussion" on how the DHS's National Protection and Programs Directorate can be reorganized to focus solely on cybersecurity and critical infrastructure protection, said Brian Harrell, director of security and risk management for Navigant Consulting. The U.S. House Committee on Homeland Security Chairman Michael McCaul, R-Texas, is among those suggesting that change, Harrell added.
Trump proposed increasing funding to $1.5 billion for DHS's efforts to safeguard federal networks and critical infrastructure from attacks. As part of those safeguards, the president advocated more information-sharing among the DHS and other federal entities and the private sector to speed responses to cyberattacks. At the same time, the president called to limit funding for the DOE's Office of Electricity Delivery and Energy Reliability, a crucial segment of the DOE's cyber work.
The emphasis on beefier government cyber capabilities comes amid heightened worries over a large-scale grid attack from within or outside the U.S. Concerns over Russian interference in the 2016 U.S. presidential election and allegations that Russian hackers caused a temporary blackout for part of Ukraine's electric grid have stoked fears of a copycat attack on the U.S. power system.
The administration recently made some key cyber staffing decisions. The DHS appointed Chris Krebs as senior cybersecurity adviser to DHS Secretary John Kelly. Krebs previously served as vice chair of the National Cyber Security Alliance and director of cybersecurity policy for Microsoft Corp. He was also a policy adviser for the DHS between 2007 and 2009.
In addition to Krebs, the DHS hired David Glawe as undersecretary for intelligence and analysis, Tom Bossert as homeland security adviser, and Kirstjen Nielsen as chief of staff. Before joining the DHS under Trump, Bossert was a nonresident fellow with the Atlantic Council's Cyber Statecraft Initiative and previously worked at the DHS as a deputy assistant to the president for homeland security under President George W. Bush.
At the cabinet level, electric security managers have relied upon contact with the White House cybersecurity coordinator. According to media reports, Bossert selected Rob Joyce, who previously headed up the National Security Agency's office of Tailored Access Operations, for the role of cybersecurity coordinator, but the White House has not officially announced that appointment.