The big-money question in securing critical infrastructures is: Who pays how much, and for what? Or, in the case of the electric power industry: Where do you draw the line between ratepayers and taxpayers?

The target might be New York’s Indian Point Energy Center, a nuclear power plant located within 50 miles of 20 million people and with such a clouded safety record that the top Google hit for “Indian Point” is a well-funded organization trying to shut it down. It might be the symbolic Three Mile Island in Pennsylvania, which 25 years ago had a partial reactor meltdown that took more than a decade and a billion dollars to clean up. But really, it could be any of the nation’s 103 nuclear reactors that were described in al-Qaida training manuals found in Afghanistan, and were reportedly the planned targets of a second wave of airliner attacks.

In this case, though, the “where” matters much less than the “how.” How many terrorists will there be? How will they be armed? What type of vehicle will they be driving, and how many tons of explosives will it hold?

All these questions are, of course, crucial for scenario-planning in the nuclear power industry. But more than that, they have significant economic implications for any CSO whose company is grappling with how to pay for federally mandated security improvements. That’s because the answers form a threshold known in nuclear energy industry parlance as the design basis threat (DBT). Established by the U.S. Nuclear Regulatory Commission (NRC), the DBT defines the number of attackers, type of firepower and amount of explosives that guards at a nuclear power plant must be prepared for. Defending against any attack up to the level of the DBT is the responsibility of the company that operates the facility; anything above the DBT is the responsibility of the federal government.

More to the point: Anything above the DBT becomes an expense (and a liability) of the federal government.
And not surprising, the DBT is a moving target. “Since 9/11, the X number of adversaries has increased, the X capabilities of those adversaries have increased, and the X number of explosives has increased,” says Roy Lane, director of nuclear security for Exelon in Chicago, the country’s largest operator of nuclear power plants. (The X’s of the revised DBT are so closely guarded that the NRC threatened to take legal action against a watchdog group, the Project on Government Oversight, or POGO, that planned to publish details.) To comply with this new security threshold, Exelon Nuclear, a subsidiary of Exelon Corp., had to hire more security officers, who carry more firepower and go through more training. But the additional security isn’t just about guards and guns. Exelon also had to push out the perimeter of its protected area and add new checkpoints, the better to defend against explosives detonated outside buildings where reactors are housed and spent fuel rods are stored. The company also had to redesign barriers to make them bullet-resistant, increase screening of individuals with access to the plants, restrict visitors and, as Lane says with the secrecy typical of the industry, “a few other things I don’t want to go into.”

Across the nuclear power industry, companies like Exelon will spend a total of $1 billion on post-9/11 security enhancements (mainly in the form of capital improvements and headcount growth) by the end of 2004, according to the Nuclear Energy Institute, a trade group representing nuclear power plant operators. Which means that nuclear power continues to head farther away from its early promise of being too cheap to meter. “So far, in capital modifications, we’ve spent about $17 million, and there’s significantly more to be spent,” says Lane, whose company operates 17 nuclear reactors. In fact, $17 million isn’t even the halfway mark. Recouping costs won’t be easy, either.
“In the regulated markets, some utilities have the ability to go to their utility commission and be reimbursed,” he says. “We don’t have that ability because we have to compete dollar for dollar for customers. This $17 million, we would have been $17 million richer if we hadn’t spent it.”

Comments like that, especially coming from corporations like Exelon (net income of $905 million in 2003), make POGO’s Pete Stockton fume. “The industry simply doesn’t want to spend the money to adequately protect [nuclear facilities], because the money comes right out of their pockets, and they’d much rather increase their salaries, to be quite crude, or up their stock,” says Stockton, a senior investigator, who has a different take on the DBT than Lane does. POGO’s research indicates that the current DBT threshold requires nuclear power plants to prepare for fewer than half as many terrorists as al-Qaida would plausibly organize. And companies are unlikely to prepare for more than the minimum required by law. “Clearly there’s a disincentive to improve security,” Stockton says.

Meanwhile, the Bush administration insists that market forces will fix most of the weaknesses in the nation’s critical infrastructure and that private companies, not the Department of Homeland Security and not taxpayers, must pay for these security costs out of pocket.
Frank Libutti, DHS’s undersecretary of the Information Analysis and Infrastructure Protection Directorate, said as much at a recent Washington policy forum (produced by CXO Media, CSO’s parent company).

“I would say, point blank but in a kind way, when necessary [private companies] need to belly up in terms of putting money on the table,” Libutti told gathered policy-makers and executives from a variety of industries.

Welcome to ground zero of perhaps the most contentious of all the debates about homeland security: Who pays?

The Mother of All Critical Infrastructures

To a behemoth like the Department of Homeland Security, the nuclear industry’s DBT is but a small part of the story, one of many battle lines in the struggle to decide when the private sector’s responsibility to protect its own facilities becomes a matter of national defense. The nuclear power industry is just a piece of the energy industry, which is itself but a piece of the nation’s critical infrastructure: the public services, such as water, telecommunications and banking, that citizens rely on every day for their health and economic well-being. Most of the nation’s critical infrastructure is controlled by private industry. Nevertheless, citizens expect the government (in particular DHS) to make sure that these services operate reliably and safely.

Indeed, the government has powerful economic incentives to do so. Securing the infrastructure involves what economists call a negative externality: That is, the actions of one entity affect the well-being of other, seemingly unrelated, entities. If terrorists attack a nuclear plant, society as a whole ends up paying for indirect damages: everything from electrical outages to hospital bills to lost productivity. (This is the same kind of economic rationale for seat-belt laws.) Even in terms of direct damages, the targeted company can pay only up to the point at which it (or its insurance company) goes bankrupt.
The marketplace is not great at dealing with catastrophes. This problem is particularly acute in the energy sector. Not only do facilities like nuclear power plants, oil refineries and dams have the potential to cause calamity; the sector as a whole is essential to other components of the nation’s critical infrastructure. As the blackouts during the summer of 2003 illustrated, a disruption in one part of the power grid can have a cascading effect, influencing everything from drinking water to 9-1-1 calls to ATMs. Energy is the critical infrastructure of critical infrastructures.

But energy is also a vexing infrastructure to try to protect. Largely owned and controlled by private entities, it operates within a complicated web of regulation and deregulation that can make excess operating costs difficult to pass on to customers. A company like Exelon operates nuclear, fossil-fuel-powered and hydroelectric facilities that generate electricity, an endeavor that generally is unregulated. It also distributes this electricity to local utility customers, an endeavor that generally is regulated by a bevy of local public-utility commissions. On one end, the business looks regulated, and on the other deregulated. In the middle, where all this electricity is actually transmitted, is the nation’s vast, antiquated and incredibly complex power grid.

The result? An industry with an odd pricing system and complicated delivery mechanism, whose profits are centered on huge, long-term capital investments and whose market response time is nearly glacial in speed. In the economics of critical-infrastructure protection, it doesn’t get worse than this.

“I believe very much in open markets, and I think markets do correct themselves,” says Michael Assante, CSO of American Electric Power (AEP), one of the nation’s largest integrated energy companies, and an outspoken critic of any governmental attempts to regulate security.
“But the questions come down to, is terrorism a problem that the market can deal with in the short term?” Many experts are concluding that the answer to that question is no. They suspect that some of the work of hardening the nation’s energy infrastructure will have to be subsidized by the government. There’s precedent for this: The government took over responsibility for securing part of the nation’s transportation infrastructure when it put DHS’s Transportation Security Administration in charge of screening airline passengers. In light of the TSA example, the question now up for debate is, which parts of securing the energy infrastructure can be passed on to DHS, and how? Because existing economic models just don’t work when it comes to an undertaking as massive as homeland security.

“The energy sector is probably most emblematic in terms of developing that economic model,” says John A. McCarthy, executive director of the Critical Infrastructure Protection Project, a joint project of George Mason University and James Madison University. It’s a problem so complex that GMU has Nobel laureate Vernon Smith working on it. But, McCarthy quips, “It doesn’t take a PhD to understand that if you don’t have power, certain things aren’t going to work.”

Diver-sity Training

Assante never thought he’d be worried about finding, hiring and paying for specialized security divers trained to search ships for explosive devices. But these days, he is. That’s because if the nation’s maritime threat profile reaches its highest level, American Electric Power will have to hire divers to check the hulls of barges that bring diesel fuel into its power plants. (Facilities that receive hazardous materials via waterways are considered a type of port.) This new requirement is part of the Maritime Transportation Security Act, passed in 2002.

If security measures like this added only 15 percent or 20 percent on top of the overall security budget, Assante says his company would simply absorb the costs.
Even above that level, he’s confident that AEP’s stockholders would pay, assuming the investment ensured the reliable generation and distribution of electricity. But maritime security? “My customers aren’t expecting to pay for maritime security,” he insists.

This is where the dividing line between ratepayers and taxpayers begins to blur. There’s no DBT in this case to determine at which point AEP can start depending on the government to take over security. But, Assante muses, wouldn’t the Coast Guard be able to help AEP with security divers if it meant keeping the nation supplied with electricity during a time of crisis? (To understand the complexities behind this reasonable-sounding idea, see “Same Ship, Different Day,” Page 26.)

Beyond having the government actually step in and take over some of the security initiatives, there comes the problem of figuring out how to pass on the costs, once a company decides they can no longer be absorbed into the budget.

The obvious solution is simply to raise rates, but in the energy infrastructure, that’s not so easy. AEP is starting to go to public-utility commissions in states where electricity rates are due for negotiation and asking for increases to cover security costs, which Assante says have more than doubled in some areas over the past two years. (Staffing costs have skyrocketed, for instance: Two years ago, AEP didn’t even have a vice president-level executive devoted to security.) “Now we’re looking for the state to say, ‘Yeah, spending money on security post-9/11 made a lot of sense, and we’re going to help you recover the costs,’” Assante says.

At the same time, he and others want DHS to help them recoup the costs for measures (like security divers) that they feel are not really their responsibility, but the nation’s. DHS has offered grants for special security projects, but companies insist that these are not enough.
(DHS’s Libutti declined to be interviewed or to answer e-mail questions for this story, but he did provide a statement, available at CSOonline.com.)

“We are spending millions of dollars of our own money to enhance our security, and this is part of protecting the U.S. economy,” says Bobby Gillham, retired manager of global security for ConocoPhillips, who has served as an official coordinator between the government and the oil and gas industry. “So a lot of us would like to encourage the U.S. government to at least provide some kind of tax relief for money spent to enhance the security of what has been identified as a critical component of the U.S. economy.”

The question is where to draw the line: Where should the DBT levels be set in hundreds of types of businesses, in thousands of types of situations?

Gillham has a rough idea. “If we’re doing something to benefit just the refinery itself, I think that’s a corporate issue,” he says. “But when we have large increases in security because of the terror threat to the United States, that’s when some tax relief should come into play. It’s not a clear line, and I don’t think anybody thinks of it as a clear line. We’re facing something we’ve never faced before.”

Talking ‘Bout a Revolution

Inaction, evolution or revolution. These are the options people face when dealing with upheaval, and homeland security is no exception. “You have the people who are vested in keeping the infrastructure running in the way they understood it and grew up in it,” says McCarthy, from the Critical Infrastructure Protection Project. “They were trained in a certain way, and this idea of cyberthreats or people blowing up towers wasn’t part of their cost modeling. Then you have a layer of people who are trying to protect the existing infrastructure using the existing [incentive] models. Then you have people talking about how to radically change the model and go to the new way of doing it.
You have all those [forces] struggling with each other, and that’s just the nature of things.”

It’s this third group, the revolutionaries, that holds the most hope and excitement for McCarthy. He isn’t really sure what this new economic model would look like. In terms of reliability, at least, it might mean that instead of just asking people not to turn on their air conditioners during an energy crisis, interactive technology built into air conditioners could render them inoperable during a crisis. Or you could at least charge more during those time periods to discourage unnecessary energy consumption. “It’s doing business in a different way that could account for security needs,” McCarthy says.

This all sounds familiar to Randall Yim, managing director for national preparedness on the Homeland Security and Justice team at the General Accounting Office. “The debate was really similar back in the 1970s,” he says, when the environmental movement was taking hold. “There was a whole package of incentives and disincentives that stimulated greater environmental compliance, and people now expect companies to adhere to certain environmental protocols. It’s become an accepted part of doing business that you can’t simply dump raw waste into streams. [The economic incentives and disincentives] fundamentally changed business so that environmental management was integrated into the business process. I think in homeland security there’ll be a similar evolution.”

Today’s energy infrastructure simply wasn’t built with security in mind. Companies weren’t accounting for terrorism when they made long-term investment decisions, like whether to build a nuclear reactor or a wind farm, or even whether to plan on having diesel fuel delivered by train or by barge. And now, that has to change.

“[The system] grew up the way it did to best serve our customers and achieve operational excellence,” Assante says. “The infrastructure grew up in a threatless environment.
We did things like put up fences based on what we perceived the risks were at that time: keeping children and other passersby out so they wouldn’t get shocked. Now, security is a design element. That thought process and those requirements will seed themselves into the construction of new infrastructure.”

This kind of change doesn’t happen quickly or painlessly. Some current ways of generating, transmitting and distributing power might not be economically feasible anymore. There’s bound to be shifting and upheaval, some companies going out of business and others coming to life. But in the long run, this type of revolution, painful as it may be, could make the economics of homeland security much more agreeable.

“It’s much easier to design homeland security principles as an integral part, rather than as something you bolt on at the end,” Yim says. “Homeland security isn’t going to just be this fad issue. People are going to need to find ways to fundamentally incorporate homeland security measures into the business process, and I’m confident that the market will find a way to add value to the underlying business process. Right now, we’re putting up big jersey barriers and add-on programs instead of thinking fundamentally about how we make the business process more efficient as well as more secure.”

That question about who pays? You know the answer, of course. Right now, we’re all paying, either out of our customer and stockholder pockets, or out of our taxpayer pocket. The challenge for the energy industry is to find a way to build security into its processes. Then, at the end of the day, maybe no one has to pay.