DHS Funding: Dueling for Dollars

The big-money question in securing critical infrastructures is: Who pays how much, and for what? Or, in the case of the electric power industry: Where do you draw the line between ratepayers and taxpayers?

The target might be New York's Indian Point Energy Center, a nuclear power plant located within 50 miles of 20 million people and with such a clouded safety record that the top Google hit for "Indian Point" is a well-funded organization trying to shut it down. It might be the symbolic Three Mile Island in Pennsylvania, which 25 years ago had a partial reactor meltdown that took more than a decade and a billion dollars to clean up. But really, it could be any of the nation's 103 nuclear reactors that were described in al-Qaida training manuals found in Afghanistan, and were reportedly the planned targets of a second wave of airliner attacks.

In this case, though, the "where" matters much less than the "how." How many terrorists will there be? How will they be armed? What type of vehicle will they be driving, and how many tons of explosives will it hold?

All these questions are, of course, crucial for scenario-planning in the nuclear power industry. But more than that, they have significant economic implications for any CSO whose company is grappling with how to pay for federally mandated security improvements. That's because the answers form a threshold known in nuclear energy industry parlance as the design basis threat (DBT). Established by the U.S. Nuclear Regulatory Commission (NRC), the DBT defines the number of attackers, type of firepower and amount of explosives that guards at a nuclear power plant must be prepared for. Defending against any attack up to the level of the DBT is the responsibility of the company that operates the facility; anything above the DBT is the responsibility of the federal government.

More to the point: Anything above the DBT becomes an expense (and a liability) of the federal government. And not surprising, the DBT is a moving target. "Since 9/11, the X number of adversaries has increased, the X capabilities of those adversaries have increased, and the X number of explosives has increased," says Roy Lane, director of nuclear security for Exelon in Chicago, the country's largest operator of nuclear power plants. (The X's of the revised DBT are so closely guarded that the NRC threatened to take legal action against a watchdog group, the Project on Government Oversight, or POGO, that planned to publish details.)

To comply with this new security threshold, Exelon Nuclear, a subsidiary of Exelon Corp., had to hire more security officers, who carry more firepower and go through more training. But the additional security isn't just about guards and guns. Exelon also had to push out the perimeter of its protected area and add new checkpoints, the better to defend against explosives detonated outside buildings where reactors are housed and spent fuel rods are stored. The company also had to redesign barriers to make them bullet-resistant, increase screening of individuals with access to the plants, restrict visitors and, as Lane says with the secrecy typical of the industry, "a few other things I don't want to go into."

Across the nuclear power industry, companies like Exelon will spend a total of $1 billion on post-9/11 security enhancements (mainly in the form of capital improvements and headcount growth) by the end of 2004, according to the Nuclear Energy Institute, a trade group representing nuclear power plant operators. Which means that nuclear power continues to head farther away from its early promise of being too cheap to meter.

"So far, in capital modifications, we've spent about $17 million, and there's significantly more to be spent," says Lane, whose company operates 17 nuclear reactors. In fact, $17 million isn't even the halfway mark. Recouping costs won't be easy, either. "In the regulated markets, some utilities have the ability to go to their utility commission and be reimbursed," he says. "We don't have that ability because we have to compete dollar for dollar for customers. This $17 millionwe would have been $17 million richer if we hadn't spent it."

Comments like thatespecially coming from corporations like Exelon (net income of $905 million in 2003)make POGO's Pete Stockton fume. "The industry simply doesn't want to spend the money to adequately protect [nuclear facilities], because the money comes right out of their pockets, and they'd much rather increase their salaries, to be quite crude, or up their stock," says Stockton, a senior investigator, who has a different take on the DBT than Lane does. POGO's research indicates that the current DBT threshold requires nuclear power plants to prepare for fewer than half as many terrorists as al-Qaida would plausibly organize. And companies are unlikely to prepare for more than the minimum required by law. "Clearly there's a disincentive to improve security," Stockton says.

Meanwhile, the Bush administration insists that market forces will fix most of the weaknesses in the nation's critical infrastructure and that private companiesnot the Department of Homeland Security and not taxpayersmust pay for these security costs out of pocket. Frank Libutti, DHS's undersecretary of the Information Analysis and Infrastructure Protection Directorate, said as much at a recent Washington policy forum (produced by CXO Media, CSO's parent company).

"I would say, point blank but in a kind way, when necessary [private companies] need to belly up in terms of putting money on the table," Libutti told gathered policy-makers and executives from a variety of industries.

Welcome to ground zero of perhaps the most contentious of all the debates about homeland security: Who pays?The Mother of All Critical InfrastructuresTo a behemoth like the Department of Homeland Security, the nuclear industry's DBT is but a small part of the story, one of many battle lines in the struggle to decide when the private sector's responsibility to protect its own facilities becomes a matter of national defense. The nuclear power industry is just a piece of the energy industry, which is itself but a piece of the nation's critical infrastructurethe public services, such as water, telecommunications and banking, that citizens rely on every day for their health and economic well-being. Most of the nation's critical infrastructure is controlled by private industry. Nevertheless, citizens expect the government (in particular DHS) to make sure that these services operate reliably and safely.

Indeed, the government has powerful economic incentives to do so. Securing the infrastructure involves what economists call a negative externality: That is, the actions of one entity affect the well-being of other, seemingly unrelated, entities. If terrorists attack a nuclear plant, society as a whole ends up paying for indirect damageseverything from electrical outages to hospital bills to lost productivity. (This is the same kind of economic rationale for seat-belt laws.) Even in terms of direct damages, the targeted company can pay only up to the point at which it (or its insurance company) goes bankrupt. The marketplace is not great at dealing with catastrophes.

This problem is particularly acute in the energy sector. Not only do facilities like nuclear power plants, oil refineries and dams have the potential to cause calamity; the sector as a whole is essential to other components of the nation's critical infrastructure. As the blackouts during the summer of 2003 illustrated, a disruption in one part of the power grid can have a cascading effect, influencing everything from drinking water to 9-1-1 calls to ATMs. Energy is the critical infrastructure of critical infrastructures.

But energy is also a vexing infrastructure to try to protect. Largely owned and controlled by private entities, it operates within a complicated web of regulation and deregulation that can make excess operating costs difficult to pass on to customers. A company like Exelon operates nuclear, fossil-fuel-powered and hydroelectric facilities that generate electricityan endeavor that generally is unregulated. It also distributes this electricity to local utility customersan endeavor that generally is regulated by a bevy of local public-utility commissions. On one end, the business looks regulated, and on the other deregulated. In the middle, where all this electricity is actually transmitted, is the nation's vast, antiquated and incredibly complex power grid.

The result? An industry with an odd pricing system and complicated delivery mechanism, whose profits are centered on huge, long-term capital investments and whose market response time is nearly glacial in speed. In the economics of critical-infrastructure protection, it doesn't get worse than this.

"I believe very much in open markets, and I think markets do correct themselves," says Michael Assante, CSO of American Electric Power (AEP)one of the nation's largest integrated energy companiesand an outspoken critic of any governmental attempts to regulate security. "But the questions come down to, is terrorism a problem that the market can deal with in the short term?"

Many experts are concluding that the answer to that question is no. They suspect that some of the work of hardening the nation's energy infrastructure will have to be subsidized by the government. There's precedent for this: The government took over responsibility for securing part of the nation's transportation infrastructure when it put DHS's Transportation Security Administration in charge of screening airline passengers. In light of the TSA example, the question now up for debate is, which parts of securing the energy infrastructure can be passed on to DHSand how? Because existing economic models just don't work when it comes to an undertaking as massive as homeland security.

"The energy sector is probably most emblematic in terms of developing that economic model," says John A. McCarthy, executive director of the Critical Infrastructure Protection Project, a joint project of George Mason University and James Madison University. It's a problem so complex that GMU has Nobel laureate Vernon Smith working on it. But, McCarthy quips, "It doesn't take a PhD to understand that if you don't have power, certain things aren't going to work."Diver-sity TrainingAssante never thought he'd be worried about finding, hiring and paying for specialized security divers trained to search ships for explosive devices. But these days, he is. That's because if the nation's maritime threat profile reaches its highest level, American Electric Power will have to hire divers to check the hulls of barges that bring diesel fuel into its power plants. (Facilities that receive hazardous materials via waterways are considered a type of port.) This new requirement is part of the Maritime Transportation Security Act, passed in 2002.

If security measures like this added only 15 percent or 20 percent on top of the overall security budget, Assante says his company would simply absorb the costs. Even above that level, he's confident that AEP's stockholders would pay, assuming the investment ensured the reliable generation and distribution of electricity. But maritime security? "My customers aren't expecting to pay for maritime security," he insists.

This is where the dividing line between ratepayers and taxpayers begins to blur. There's no DBT in this case to determine at which point AEP can start depending on the government to take over security. But, Assante muses, wouldn't the Coast Guard be able to help AEP with security divers if it meant keeping the nation supplied with electricity during a time of crisis? (To understand the complexities behind this reasonable-sounding idea, see "Same Ship, Different Day," Page 26.)

Beyond having the government actually step in and take over some of the security initiatives, there comes the problem of figuring out how to pass on the costs, once a company decides they can no longer be absorbed into the budget.

The obvious solution is simply to raise rates, but in the energy infrastructure, that's not so easy. AEP is starting to go to public-utility commissions in states where electricity rates are due for negotiation and asking for increases to cover security costs, which Assante says have more than doubled in some areas over the past two years. (Staffing costs have skyrocketed, for instance: Two years ago, AEP didn't even have a vice president-level executive devoted to security.) "Now we're looking for the state to say, 'Yeah, spending money on security post-9/11 made a lot of sense, and we're going to help you recover the costs,'" Assante says.

At the same time, he and others want DHS to help them recoup the costs for measures (like security divers) that they feel are not really their responsibility, but the nation's. DHS has offered grants for special security projects, but companies insist that these are not enough. (DHS's Libutti declined to be interviewed or to answer e-mail questions for this story, but he did provide a statement, available at CSOonline.com.)

"We are spending millions of dollars of our own money to enhance our security, and this is part of protecting the U.S. economy," says Bobby Gillham, retired manager of global security for ConocoPhillips, who has served as an official coordinator between the government and the oil and gas industry. "So a lot of us would like to encourage the U.S. government to at least provide some kind of tax relief for money spent to enhance the security of what has been identified as a critical component of the U.S. economy."

1 2 Page 1
Page 1 of 2
22 cybersecurity myths organizations need to stop believing in 2022