[Senate Hearing 115-284] [From the U.S. Government Publishing Office] S. Hrg. 115-284 THE THREAT POSED BY ELECTROMAGNETIC PULSE AND POLICY OPTIONS TO PROTECT ENERGY INFRASTRUCTURE AND TO IMPROVE CAPABILITIES FOR ADEQUATE SYSTEM RESTORATION ======================================================================= HEARING BEFORE THE COMMITTEE ON ENERGY AND NATURAL RESOURCES UNITED STATES SENATE ONE HUNDRED FIFTEENTH CONGRESS FIRST SESSION __________ MAY 4, 2017 __________ [GRAPHIC NOT AVAILABLE IN TIFF FORMAT] Printed for the use of the Committee on Energy and Natural Resources Available via the World Wide Web: http://www.govinfo.gov __________ U.S. GOVERNMENT PUBLISHING OFFICE 26-072 WASHINGTON : 2018 ---------------------------------------------------------------------------------------- For sale by the Superintendent of Documents, U.S. Government Publishing Office, http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected]. COMMITTEE ON ENERGY AND NATURAL RESOURCES LISA MURKOWSKI, Alaska, Chairman JOHN BARRASSO, Wyoming MARIA CANTWELL, Washington JAMES E. RISCH, Idaho RON WYDEN, Oregon MIKE LEE, Utah BERNARD SANDERS, Vermont JEFF FLAKE, Arizona DEBBIE STABENOW, Michigan STEVE DAINES, Montana AL FRANKEN, Minnesota CORY GARDNER, Colorado JOE MANCHIN III, West Virginia LAMAR ALEXANDER, Tennessee MARTIN HEINRICH, New Mexico JOHN HOEVEN, North Dakota MAZIE K. HIRONO, Hawaii BILL CASSIDY, Louisiana ANGUS S. KING, JR., Maine ROB PORTMAN, Ohio TAMMY DUCKWORTH, Illinois LUTHER STRANGE, Alabama CATHERINE CORTEZ MASTO, Nevada Colin Hayes, Staff Director Patrick J. McCormick III, Chief Counsel Isaac Edwards, Senior Counsel Angela Becker-Dippmann, Democratic Staff Director Sam E. Fowler, Democratic Chief Counsel David Gillers, Democratic Senior Council Rich Glick, Democratic General Counsel C O N T E N T S ---------- OPENING STATEMENTS Page Murkowski, Hon. Lisa, Chairman and a U.S. Senator from Alaska.... 1 Cantwell, Hon. Maria, Ranking Member and a U.S. Senator from Washington..................................................... 3 WITNESSES LaFleur, Hon. Cheryl, Acting Chairman, Federal Energy Regulatory Commission..................................................... 5 Gingrich, Hon. Newt, Chairman of the Board, Gingrich Productions. 15 Cooper, Ambassador Henry F., Former Director, Strategic Defense Initiative Organization........................................ 19 Durkovich, Caitlin, Director, Toffler Associates................. 32 Manning, Robin E., Vice President, Transmission and Distribution, Electric Power Research Institute.............................. 39 Wailes, Kevin, Chief Executive Officer, Lincoln Electric System, and Member of the Board of Directors, American Public Power Association.................................................... 49 ALPHABETICAL LISTING AND APPENDIX MATERIAL SUBMITTED Brumley, Dr. David: Response to Questions for the Record......................... 114 Cantwell, Hon. Maria: Opening Statement............................................ 3 Cooper, Ambassador Henry F.: Opening Statement............................................ 19 Written Testimony............................................ 21 Responses to Questions for the Record........................ 93 Durkovich, Caitlin: Opening Statement............................................ 32 Written Testimony............................................ 34 Responses to Questions for the Record........................ 102 Gingrich, Hon. Newt: Opening Statement............................................ 15 Written Testimony............................................ 17 Responses to Questions for the Record........................ 92 LaFleur, Hon. Cheryl: Opening Statement............................................ 5 Written Testimony............................................ 8 Responses to Questions for the Record........................ 80 Manning, Robin E.: Opening Statement............................................ 39 Written Testimony............................................ 41 Responses to Questions for the Record........................ 105 Murkowski, Hon. Lisa: Opening Statement............................................ 1 Wailes, Kevin: Opening Statement............................................ 49 Written Testimony............................................ 51 Responses to Questions for the Record........................ 109 THE THREAT POSED BY ELECTROMAGNETIC PULSE AND POLICY OPTIONS TO PROTECT ENERGY INFRASTRUCTURE AND TO IMPROVE CAPABILITIES FOR ADEQUATE SYSTEM RESTORATION ---------- THURSDAY, MAY 4, 2017 U.S. Senate, Committee on Energy and Natural Resources, Washington, DC. The Committee met, pursuant to notice, at 10:09 a.m. in Room SD-366, Dirksen Senate Office Building, Hon. Lisa Murkowski, Chairman of the Committee, presiding. OPENING STATEMENT OF HON. LISA MURKOWSKI, U.S. SENATOR FROM ALASKA The Chairman. Good morning. The Committee will come to order. I would like to welcome everyone to the Energy hearing this morning. We are here to examine the threat that is posed by electromagnetic pulse, that is known as EMP, as well as policy options to protect energy infrastructure and provide for system restoration in the event of an EMP attack. The United States has recognized a potential EMP attack as a national security threat for decades and our efforts to understand a potential EMP burst are certainly not new. The Department of Defense (DoD) and our national labs have been grappling with these issues to one degree or another since we first started testing nuclear weapons. Extensive tests in the 1950s and 60s examined the potential impact of an EMP burst on both military and civilian infrastructure. Today, however, there is a renewed focus on understanding the effects of such an attack and an increase of efforts directed at mitigating and recovering from such an event should it occur. This issue is, perhaps, more salient now than ever for several compelling reasons. First is the proliferation of nuclear technology which is no longer limited to the U.S., Russia, China, the U.K. and France. Other nations have tested nuclear weapons and missiles to deliver them. Rogue nations, such as North Korea, may already have or be close to obtaining these capabilities. We must also be mindful of the potential for a non-state actor to obtain a nuclear device. While their ability to use a missile as a delivery vehicle for a high altitude EMP attack would likely be more limited, we know that it cannot be ruled out. Second is the proliferation of electronics in today's society. Just about everyone in this room, I would venture to say, has a smartphone. That is just the start of the devices that we rely on, and that, in turn, rely on electricity and electronics to function. This has magnified the impact as compared to the potential impact in the 1960s that an EMP burst could now have on the electric grid, the technologies that rely on electronics and on our daily lives. We must recognize from the start of today's discussion that the threat posed by an EMP attack is a matter of national defense. Defending our nation from a missile carrying a nuclear warhead is clearly beyond the scope of the owners and operators of energy infrastructure and their regulators. Nevertheless, these institutions do have a role in protecting critical energy infrastructure and providing for its restoration. As the owners and operators of critical energy assets, our utilities must assist government EMP experts in understanding how the electric grid works. For its part, government must prudently share its knowledge and expertise with industry on a timely basis and approve or direct prudent, reliability standards as warranted. There really is no way around this. On the one hand, we have defense and national security personnel who are very familiar with the effects of a nuclear detonation but who are not responsible for the complexities of keeping the lights on. And on the other hand, you have professionals in the power sector who know the grid but are not familiar with the characteristics of a nuclear detonation. It is critical that the electric industry and government improve upon their mutual understanding and trust because it is essential to the productive relationships that are necessary to improve our ability to respond to EMP and other potential, high impact, but low frequency events. Both camps must work together to share information and expertise. Our engineering schools and other conduits for professional expertise must embrace a new paradigm for considering and addressing security threats in the design and operation of electric systems. Improving our ability to respond to an EMP threat is also an area where, like cybersecurity, the subject of another recent hearing that we just had, stronger public/private partnerships are needed and today's capabilities must be improved. This hearing will consider as a policy matter whether the appropriate federal agencies have the authority they need to address this potential threat and whether additional authority or direction is needed. Back in 2005, we established authority for the North American Electric Reliability Corporation, now NERC, through an informed stakeholder process to establish, subject to the Federal Energy Regulatory Commission's (FERC) approval, mandatory, physical and cybersecurity standards for the industry. More recently, in 2015, Congress codified the Department of Energy (DOE) as the sector-specific agency for energy critical infrastructure and provided the Secretary with emergency authority to address a host of threats: cyber, physical, geomagnetic disturbances and EMP. So we have taken some steps, but many argue and believe that those steps are not sufficient and that we still have a great deal of work in this area. Our task today is to consider the distinct points of view about EMP brought to us this morning by our very distinguished panel. I am looking forward to the testimony we will receive from each of you. I now turn to my Ranking Member, Senator Cantwell. STATEMENT OF HON. MARIA CANTWELL, U.S. SENATOR FROM WASHINGTON Senator Cantwell. Thank you, Madam Chair. I welcome the witnesses here today and thank you for scheduling this hearing. The electric grid is essential to our lives and also the lifeblood of our economy. With the fate of our economy dependent on access to reliable electricity, it is our responsibility to ensure that the grid is prepared to withstand many threats including natural disasters, including those caused by changes in climate, extreme weather, physical attacks of terrorism, cyberattacks, geomagnetic disturbances, electromagnetic pulse, or EMP. We must continue to identify and evaluate the threats to the system as well as appropriate investments in technology to reduce these threats. Threats to the grid are measured both by probability and severity of impact. We must prepare and protect against all these hazards, but we must prioritize based on the likelihood of occurrence and severity of impact. Electromagnetic pulse attacks are considered a high-impact, low-probability threat, as I think, Mr. Manning, in his testimony, indicates. We do not yet have the concrete science- based analysis necessary to understand the threat and identify effective solutions. As a result, in 2001 Congress established a commission to assess the threat from high-altitude electromagnetic pulse, known as HEMP. In 2014, the Department of Homeland Security (DHS) developed guidelines to help federal agencies identify those options to protect critical equipment and facilities and communication and data centers from these attacks. The Department of Energy and the Electric Power Research Institute (EPRI) are both engaged in studying the EMP threat and releasing action plans for both government and private industry. The Departments of Homeland Security, Defense and Energy, including our national labs, are actively engaged in studying the effects of EMP and identifying proactive measures that can help mitigate against these threats. As Mr. Manning has noted, solutions to EMP threats to the grid are not well understood. Much of the available information is not specifically applied to utilities, making it difficult for utilities and regulators to identify the options for protecting that infrastructure. So I am pleased the work is currently underway by both industry and the government to identify our options. I also want to say that threats to our grid are measured by the likelihood of occurrence and severity and warming climate has increased physical threats to our infrastructure with rising sea levels, storm surge and extreme weather events. According to NOAA, high sea surface temperatures have contributed to a substantial increase in hurricane activity in the Atlantic and the severity of those strong threats on our grid. In 2012, Hurricane Sandy tore through the East Coast leaving a path of wreckage, rainfall, and knocked down power lines, leaving 88.5 million homes and businesses in 16 states without power. In the State of Washington, we have seen extreme weather changes. We have had landslides, flooding and sea level rise, as well as drought, that has induced forest fires threatening our grid. In 2014, large fires in Central Washington substantially impacted the electric infrastructure with over 3,000 customers without power. I should say that the cost is how much was actually burnt up in the fire, substantive investments that had just been made by utilities in that region. Finally, I would like to talk about the issue of cybersecurity that the Chair mentioned. While we have never experienced a high-altitude EMP attack, the severity of successful cyberattacks on our grid is growing and it is significantly more likely that our grid is being tested for cyber vulnerabilities every day by our adversaries. In fact, Russia is believed to have deployed a cyber weapon to shut down Ukraine's grid in both 2015 and 2016. On March 14th of this year I asked the Trump Administration to protect the growing grid vulnerabilities from cyberattacks and make sure that we zero in on the appropriate assets. I sent a letter to the Administration and to the Department of Energy asking that they assess the capabilities of some of these nations, of Russians, particularly, to hack into our energy infrastructure, and I am looking forward to getting a response since it has been several weeks since we sent that letter. It is widely known the United States is under constant threat from cyberattacks, and many cyber experts have come to the same conclusion. It is not an if, but a when, a massive attack on our grid will occur. In fact, the former Director of National Intelligence, General Clapper, stated in 2015 that cybersecurity is now more a significant threat to our national security than terrorism. So I am glad we are holding this hearing on the risks to our grid, and EMP being one of them, but I hope that we will also make sure that we continue to focus on cybersecurity. I know we have had a hearing, and three other committees that I serve on have also had cybersecurity hearings. I think everybody is waking up to the fact that cyber is a big issue. Obviously, Madam Chair, we passed the Energy Policy Modernization Act out of the Senate, that the House failed to act on, which had a major cybersecurity provision. So I hope our colleagues over there will wake up to the importance of that. I look forward to hearing from our witnesses. And thank you, Madam Chair, for the hearing. The Chairman. Thank you, Senator Cantwell. We are joined this morning by a very distinguished panel. I welcome you all. The panel will be led off this morning by the Honorable Cheryl LaFleur, who is the Chairman of the Federal Energy Regulatory Commission. She has been a member of the FERC since 2010. We appreciate all that you do on that very important commission. We would like to get you a quorum so that you can be working every day, but we are pleased that you are here this morning. Chairman LaFleur will be followed by a man who is well known up here on Capitol Hill. It is a pleasure to welcome you to the Committee. Chairman of the Board of Gingrich Productions and former Speaker of the House, Speaker Gingrich has been a leading voice on the issues and the dangers of an EMP attack. We are very pleased to have you provide your insight this morning. Following Speaker Gingrich is Ambassador Henry Cooper. He is the former Director of the Strategic Defense Initiative Organization, and he was President Reagan's Chief Negotiator at the Geneva Defense and Space talks. It is nice to have you at the Committee this morning. Welcome. Caitlin Durkovich is the Director at Toffler Associates. Prior to joining Toffler, she served as the Assistant Secretary for Infrastructure Protection with the Department of Homeland Security under President Obama. It is nice to have you here. Mr. Robin Manning currently serves as the Vice President of Transmission and Distribution at the Electric Power Research Institute, EPRI, where he oversees research and development activities. We thank you for your leadership there. The panel will be rounded out by Mr. Kevin Wailes, who serves as the CEO and Administrator of Lincoln Electric System. Mr. Wailes is also the Vice Chair of the Electricity Subsector Coordinating Council. We are pleased to have you all here. We would ask that you try to limit your comments to five minutes. Your full statements will be included as part of the record. Commissioner LaFleur, if you would like to lead off, please. STATEMENT OF HON. CHERYL LAFLEUR, ACTING CHAIRMAN, FEDERAL ENERGY REGULATORY COMMISSION Ms. LaFleur. Good morning and thank you, Chairman Murkowski, Ranking Member Cantwell and members of the Committee. I appreciate the opportunity to appear before you today to discuss electromagnetic pulse, EMP, threats to the electric grid in the United States. I very much appreciate your attention to this important issue. The Federal Energy Regulatory Commission, FERC, plays a key role in the oversight of grid reliability. In 2005, Congress entrusted FERC with the responsibility to approve and enforce mandatory reliability standards for the nation's bulk power system. Under the statute, FERC oversees the North American Electric Reliability Corporation, NERC, in developing standards to protect the reliability and security of the grid. In addition to our work on mandatory standards, FERC has also supported grid security through collaborative efforts with federal agencies, states, industry and stakeholders. This work is particularly well suited to revolving threats that require action more quickly than a standard can be written. And as Senator Murkowski noted, public/private communication on those threats is critical. FERC, NERC and industry have, over the last decade, put in place a robust set of baseline standards to address a wide range of reliability issues. In recent years, we've been particularly focused on emerging threats to grid security, including cybersecurity, physical security and the risk associated with geomagnetic disturbances. Geomagnetic disturbances to the bulk power system can be caused in two different ways: naturally occurring geomagnetic disturbances (GMDs) from solar activity and man-made EMP events. EMPs can be generated by devices that range from small, portable suitcase units all the way through detonation of nuclear weapons in the upper atmosphere. EMP devices can generate three distinct effects: a short, high energy burst, called E1, that can destroy electronics; a slightly longer burst that is similar to lightning termed E2; and a third effect, E3, that generates electric currents in power lines and equipment which can then damage equipment such as transformers. In the case of GMDs, naturally occurring solar magnetic disturbances periodically disrupt the Earth's magnetic field which in turn can induce currents on the electric grid that may cause voltage instability or destroy key transformers over a large geographic area. GMD events are similar in character and effect to the final phase of EMP, E3. I'll briefly touch this morning on some of the work FERC has done that can help address EMP. First, FERC developed the directed, excuse me, FERC directed the development of standards on GMD that can help to mitigate the E3 effective EMP based on a 1 in 100 years' solar storm benchmark event. Second, FERC directed the development of a physical security standard, like the GMD standard now effective and in place, that can help protect against attack from small, portable EMP devices which require proximity to their intended targets. Third, FERC has supported efforts to protect the grid, the resilience of the grid, against all risks which improves its ability to respond and recover from major outage events whatever the cause. For example, mandatory reliability standards require backup capabilities for the loss of critical assets which reduces the potential for cascading outages. FERC has also issued orders concerning grid assurance and EEIs, spare transformer equipment program, which are efforts to protect customers from prolonged outages by providing electric utilities timely access to emergency transmission equipment that otherwise would take months or longer to acquire. As I expect we will discuss today, FERC has not to date directed NERC to develop a specific standard specifically targeting EMP. To be clear, I believe this is the result of recent consideration of the issue, not a lack of attention or willingness by FERC to address EMP threats. Although much work has been done, there remains a significant amount of scientific research and debate underway about how EMP, particularly the E1 component, affects the electric grid. I particularly want to highlight the work being done by DOE, Los Alamos National Lab, Idaho National Lab, an amazing place I visited a couple years ago, DHS and the Electric Power Research Institute, which I believe will help improve our understanding of EMP impacts on the electric grid and more importantly, how best to target our actions to mitigate them. FERC is closely engaged in all these efforts to understand and address the EMP threat as more fully detailed in my written testimony. Those efforts will and must continue, and I'm confident that should FERC determine that a reliability standard is warranted, it will exercise its authority to require one as it has with other threats, like GMD and physical security. Thank you for the opportunity to testify, and I look forward to your questions. [The prepared statement of Ms. LaFleur follows:] [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] The Chairman. Thank you, Chairman LaFleur. Speaker Gingrich, welcome. STATEMENT OF HON. NEWT GINGRICH, CHAIRMAN OF THE BOARD, GINGRICH PRODUCTIONS Mr. Gingrich. Thank you very much for holding this hearing. I think it's very important and I commend the Chair and the members for putting time in on this. I just want to focus backward from consequence. A good friend of mine and co-author of several novels, Bill Forstchen, wrote a novel called, ``One Second After,'' which is the study of a small town in North Carolina during the year after electricity was knocked out by an EMP attack. And it's really worth looking at because we take electricity for granted. Even in relatively short outages as we had in April in New York, San Francisco and Los Angeles, people are remarkably inconvenienced. But it turns out, for example, all the drugs we rely on for a wide range of things require refrigeration. And the minute you start knocking out the system, there's a cascade of consequences. We've known indirectly since 1859 with the Carrington event that something can happen that has an effect back then and knocked out telegraph lines but we weren't relying on everything that's electronic that we do today. We've known since 1962 that there can be a manmade event at a high altitude which knocks out electricity because it knocked from Johnston Island, it knocked out lights in Honolulu. The challenge we have with the electric grid is it's actually designed for efficiency and it's a remarkable achievement. The problem is efficiency, it leads to fragility. And so, from your perspective, you both have to look at notable points which could be knocked out physically or by a local EMP. You have to then look at cyberattacks, and then you have to look at EMP attacks. The grid is vulnerable at all three layers. And if somebody were to methodically come in here, they would find, I think, there are as few as nine notable points you could knock out that would have a catastrophic effect because it would lead to a cascade of systems to shutting down. If you then looked at the effect, potentially, of either the series of local EMP attacks or a high-altitude EMP attack, you're talking about a catastrophic event from which, conceivably, you couldn't recover for years. So, I would--a couple of quick things. One, the Congress should look at EMP attacks as one of the three great threats to our survival. The other two being cyber warfare and nuclear weapons, and they should regard all three as catastrophic. For us to survive as a civilization we have to be able to defeat all three of those threats. Two, I think that the Congress should communicate a sense of urgency. There are a lot of people doing a lot of good things at a relatively leisurely pace and trying to be reasonable. If you work back from consequence, you rapidly become unreasonable because the consequences are so horrible. This is like 9/11 where we said, gee, we hadn't thought about an airplane hitting a building which is nonsense. Tom Clancy had written about it a decade earlier, but nobody wanted to cut through and say so, what would you have to do to stop that from happening? After the event, we did all sorts of things to make it harder to take over an airplane. We're in the same boat right now except here we're gambling on our civilization. This is vastly bigger than 9/11. I would suggest a couple things. One, that Homeland Security and Department of Energy should have some very rigorous war games thinking through all the permutations of what could happen and they should look for the key notable points where you could, in fact, begin to fix the system because there are a number of steps that are going to be taken to make the system more resilient and to make it more difficult to take out. Two, I would look at the new infrastructure bill to consider having a substantial part of the national security infrastructure component. Three, if you were to go through and cut out a lot of the red tape that the electric industry has to deal with, the time value of money you would save would probably more than pay for everything you're going to ask them to do on EMP. And so, there are very practical things that can be done here but you need to somehow communicate to the Executive Branch, you need a sense of urgency. We need to understand that every morning we get up, we're a step away from catastrophe. And let me just note that the NASA has estimated that the potential for the sun to hit us with a, it's different than a man-made, but nonetheless equally dangerous, the potential for the sun to hit us with the, effective of the Carrington effect is about 12 percent per decade. That we're now overdue for that happening. We apparently came within one week of it happening and happened to be out of position for the sun so the solar flare missed us. But that should give us a reminder. I'll just close by saying there's a historium. Work back from the consequences. When you have a high likelihood that over the next 20 to 30 years something this consequential is going to happen, there has to be a sense of urgency by blocking it from occurring because if it does occur, it could literally end civilization as we know it. [The prepared statement of Mr. Gingrich follows:] [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] The Chairman. Speaker, thank you very much for your comments and reminding us of the imperative here. Ambassador Cooper, welcome. STATEMENT OF AMBASSADOR HENRY F. COOPER, FORMER DIRECTOR, STRATEGIC DEFENSE INITIATIVE ORGANIZATION Ambassador Cooper. Madam Chairman, Ranking Member and members, I very much appreciate the opportunity to testify before you today on my views of this important issue. Actually, Speaker Gingrich has covered a lot of my material which is a good thing because I wasn't sure I could get through even my abbreviated comments here. I guess I would like to say that I add that we're living through the most dangerous period of my lifetime for a number of reasons, but the vulnerability of our national electric power grid is among the most important and we are collectively continuing to endure or to take ineffective countermeasures to deal with it. Frankly, I've become so concerned about the dysfunctionality of the Federal Government, both the Executive and the Legislative branches, that I am now spending most of my time working with private citizens, local and state authorities and happily, some key people in the electric power industry to begin working this problem from the bottom up believing that if enough of our citizens gain a real understanding of the issues and how they can actually turn--must be addressed at the local level then Washington eventually will begin to do the right thing in addressing this urgent problem. I went through another set of issues in my summary comments here that have largely been covered already that I want to skip over and turn to the comments written by the Chairman of the EMP Commission which was chartered, as you know, by the Congress to deal with these issues, in a letter April 20th, to Secretary of Energy Perry. The EMP Commission, and these are their comments, I want to make clear. I share their views for a lot of reasons, but these are their comments. They view the current efforts to address natural EMP threat are ``producing grossly inadequate standards for protecting the grid,'' to quote its Chairman, Bill Graham, who is a colleague of mine for many years. He further noted the Commission's concern over misleading and erroneous studies by NERC and others that grossly underestimate the natural EMP threat from solar storms and dangerously have become the basis for grossly inadequate standards approved by FERC. Perhaps more importantly he noted the Commission's concern that the 2014 Obama Administration Intelligence Community Assessment of the nuclear EMP threat is profoundly erroneous and perhaps the worst ever produced on EMP, and that has been used to thwart efforts to protect the nation against nuclear EMP by dismissing the threat, despite overwhelming evidence to the contrary. He also noted that the nuclear EMP is the ultimate cyber weapon threat and its military--in the military plans of Russia, China, North Korea and Iran for combined arms cyber warfare that they will see decisive new revolution in military affairs as a consequence. He indicated to Secretary Perez and Perry that the Commission is also very concerned over misleading and erroneous studies recently completed by industries, Electric Power Research Institute and grossly underestimate the nuclear EMP threat. These and other bureaucratic issues led me, a couple of years ago, to lose confidence that we were ever going to deal with this problem from the top down, and I decided to try to work it from the bottom up. My written testimony goes into some detail discussing the work I am doing, along with Duke Energy engineers. Duke Energy, as you probably know, is among the largest, if not the largest, energy company in the nation. And we were working on a pilot study in York County and Gaston in South Carolina and Gaston County in North Carolina. And of course, Duke's corporate headquarters are in Mecklenburg County which is a neighbor to those two counties. We are engaging with local authorities, particularly the folks in Rock Hill which is a bedroom community for Charlotte as well as an important area of its own. This is important because the nature of the grid is, I'm sure this Committee knows, a crazy quilt patchwork of co-ops and electric utility companies across the nation, some, I don't know, 2,000 or 3,000, I understand. Unless those folks are actively involved in working the problem and providing the loading conditions that they can and will need at Duke Energy to produce the power and get it to the local subscribers, then we're going to have the consequence that the Speaker referred to earlier. Water and waste water is a key matter, for example. Duke Energy doesn't provide the electricity to the water and waste water operations in Rock Hill. That's provided by a different utility. And unless that utility is working hand-in-hand with Duke, then you're going to have hospitals running out of electricity very shortly and, as I understand it, without water those hospitals will be experiencing deaths within hours. So this is an important issue. I urge you to have the EMP Commission which, in my view, is the nation's top authorities. Many of the engineers were involved in the DoD from the earliest of days dealing with this issue, and that is where the expertise originally has been. The DoD is not particularly helpful in working this problem today. The Department of Energy, while I have great respect for the engineers at our laboratories, is reinventing lessons that were learned the better part of a half century ago. And it's absurd, in my judgment, that we find ourselves in this situation. I hope the Committee can help deal with the communication problems within the Executive Branch as well as help us work this problem from the bottom up. Thank you, Madam Chairman. [The prepared statement of Ambassador Cooper follows:] [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] The Chairman. Thank you, Ambassador. Ms. Durkovich, welcome. STATEMENT OF CAITLIN DURKOVICH, DIRECTOR, TOFFLER ASSOCIATES Ms. Durkovich. Thank you. Good morning, Madam Chair and members of the Committee. Thank you for inviting me to testify today on protecting our energy infrastructure from the threat posed by electromagnetic pulse. My name is Caitlin Durkovich. I had the honor of serving eight years in the National Protection and Programs Directorate (NPPD) at the Department of Homeland Security, first as the Chief of Staff and from May of 2012 to January of 2017 as the Assistant Secretary of Infrastructure Protection. NPPD leads the national effort to protect and enhance the resilience of our nation's physical and cyber infrastructure. I transitioned from government to Toffler Associates, a future-focused strategic advisory firm that architects better futures for public and private sector clients. Over my nearly 20-year career in homeland security, I have seen critical infrastructure public-private risk management redefined to address emerging, complex issues from violent extremism to complex mass attacks, cybersecurity grid and GPS resilience, extreme weather and electro and geomagnetic disturbances. I have co-chaired interagency task forces that have integrated the private sector into government strategies, including those that are most relevant here today--the Joint U.S.-Canada Electric Grid Security and Resilience Strategy and the National Space Weather Strategy. There is no doubt that we live in a dangerous world. State and non-state actors, insiders and promulgators of disinformation are growing in kind and consequence. Borders no longer protect us whether our shores or the fences and walls of our organizations. We have built a complex ecosystem where disruption in one node can ripple across the system and where threats are not bounded to one sector or one industry nor can we protect against every threat and secure every building system and network. Our country is too big; our infrastructure too interdependent; the cost too expensive; and, the outcome would alter our way of life. This is why we are in the business of risk management. Think of a matrix where the x and y axes are increasing likelihood in consequence, respectively. A denial of service attack is highly probable, but the impact to a company and its operations is minimal. Most natural disasters are high likelihood and low consequence. Superstorm Sandy or a 9.0 Cascadia Subduction Zone event are exceptions and flip, low likelihood, high consequence. A cyberattack against industrial control systems like the December 2015 attack on the Ukrainian power grid, lower probability than denial of service, but certainly more consequential. In 1859 Carrington Light GMD event. As Speaker Gingrich said, we are long overdue. And so, I would say it is more likely and certainly high consequence. There are half a dozen more risks on that matrix, including a high-altitude electromagnetic pulse, and we place it at a very low probability but high consequence. All of the risks on this matrix must be managed. Since critical infrastructure is largely owned and operated by the private sector there are finite resources in a world where you have a business to operate, shareholder obligations, regulatory costs and rate recovery, just to name a few. I want to be clear. We have not ignored the threat of an EMP. Industry and government are working hand-in-hand to better understand the impacts of EMP. The work that EPRI is doing is critical to understanding how the systems and its parts would be affected. This critical modeling can help inform where investments and shielding will have the maximum value and what operational procedures can mitigate voltage collapse. And much of this effort can be applied to mitigating the consequences of a GMD where we will have time to put measures in place and manage flow thanks to improved space weather forecasting and alerting. Equally important is the fact that we understand an EMP, like many threats and hazards, is sector agnostic. Disruption to communications during incidents hampers response and restoration efforts. Malicious actors understand this, and Mother Nature is undiscerning. There is debate about the sophistication of the attack on the Metcalf Substation that supplies power to Silicon Valley, but the perpetrators knew enough to cut the fiber lines that controlled 911 and downstream communications. A telephone denial of service attack hampered the ability of customers to call and utility operators to talk to each other in the Ukrainian incident. An EMP or GMD will impact communication systems and data centers and, therefore, command and control. To industry's credit, they are looking beyond prioritized calling services as a contingency plan but it illustrates why we cannot take a silent approach and must understand the vulnerabilities caused by the intersections of these sectors. This complex risk environment is what has given way to the public/private partnership. While government brings important capabilities to the table, information sharing, private sector clearances, research and modeling, war gaming, industry is heavily invested in ensuring its reliability and resilience. Disruptions impact their bottom line, their brand and their industry. It is why the Joint U.S.-Canada Electric Grid Security and Resilience Strategy, the National Space Weather Strategy and the Joint Electromagnetic Pulse Resilience Strategy and corresponding action plans are critical. They lay out high- level goals for government and industry to guide action and investment, to enhance resilience and accelerate recovery from these types of events. In conclusion, we are managing a complex risk environment and cannot protect against every threat and secure every asset. There is no one-size-fits-all approach. The solution requires a whole of community risk-based approach focused on mitigation planning and investment in a modern and secure infrastructure that is resilient to the threats of today and tomorrow. Thank you, and I look forward to your questions. [The prepared statement of Ms. Durkovich follows:] [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] The Chairman. Thank you, Ms. Durkovich. Mr. Manning, welcome. STATEMENT OF ROBIN E. MANNING, VICE PRESIDENT, TRANSMISSION AND DISTRIBUTION, ELECTRIC POWER RESEARCH INSTITUTE Mr. Manning. Thank you, Madam Chairman, members of the Committee. Good morning. I want to share with you a bit of history, if I can. I am a Vice President of Transmission and Distribution for the Electric Power Research Institute, but also spent 30 years at Duke Energy and another six at the Tennessee Valley Authority (TVA). And through this time my responsibility was leading construction, operation and maintenance of energy infrastructure. So, as the Chairman put it so well earlier, I kept the lights on across the United States. As the leader of TVA's transmission organization in the 2008-2009 timeframe as I read the EMP Commission report, I struggled to understand how I could take the plethora of information that was available on EMP and practically apply it to create some sort of a plausible approach for risk management associated with TVA's system. And that's exactly what EPRI is attempting to do as we are now one year into a three-year research project, began in April of 2016. Our project objective is to develop cost-effective mitigation tools, to develop recovery options for utilities and to form a basis for decision-making that provides utilities, like the TVA, the information that is necessary to effectively protect their customers from the EMP threat. This project now has financial support from 57 U.S. utilities, making this project one of the most widely-supported collaboratives ever at EPRI. We're also collaborating very closely with the U.S. Department of Energy with national labs and the U.S. Department of Defense. We have seven tasks on this project. Many of these tasks are being completed in parallel with various expected completion dates over the remaining two years of the project. We are seeking greater characterization of the HEMP threat as it relates to electric infrastructure; we're investigating specifically how EMP propagates and how it couples to power systems; we're testing that equipment to understand at what level do we begin to see damage from EMP events; and then we're combining the threats and the vulnerabilities to understand a more complete picture, a holistic picture of EMP impacts to infrastructure. But together this information provides methodologies and tools to support risk-informed decision, and of course, it's our intention to communicate our research findings to public policymakers and other stakeholders throughout the process. For example, in February we released publicly a report assessing the impacts of a HEMP-generated, E3 energy wave on bulk power transformers. We advanced a series of a test nuclear blast across the United States, 11 different locations and assessed the value of each of those. We used advanced modeling assessment techniques as well as conservative assessment criteria and conservative engineering judgments throughout. The results of this study indicated that damage to a large number of bulk power transformers from E3 is unlikely. Even so, the results of the assessment should not be interpreted to mean that HEMP or even the E3 would not adversely affect bulk power system reliability. The potential for widespread outages due to voltage collapse or the combined effects of E1, E2 and E3 are still being investigated. Certainly impacts from HEMP are real; however, evaluating the effects of such events on complex systems like our electric power grid requires concrete, scientifically-based analysis from people who understand the power system. With greater understanding, cost- effective mitigation and/or recovery options can be developed and deployed. The utility industry is poised to take further action, and more scientific research enables these actions to be both appropriate and cost effective for consumers. At EPRI we are committed to providing sound science-based solutions to these complex problems and will continue to offer technical leadership and support to the electricity sector to public policymakers and other stakeholders to enable safe, affordable, reliable and environmentally responsible electricity to the people of the United States. Thank you for your time. That concludes my testimony. I look forward to your questions. [The prepared statement of Mr. Manning follows:] [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] The Chairman. Thank you, Mr. Manning. Mr. Wailes, welcome. STATEMENT OF KEVIN WAILES, CHIEF EXECUTIVE OFFICER, LINCOLN ELECTRIC SYSTEM, AND MEMBER OF THE BOARD OF DIRECTORS, AMERICAN PUBLIC POWER ASSOCIATION Mr. Wailes. Chairman Murkowski, Ranking Member Cantwell, members of the Committee, thank you for giving me the opportunity to testify today. My name is Kevin Wailes. I'm the CEO of the Lincoln Electric System (LES) in Lincoln, Nebraska. I'm testifying on behalf of the American Public Power Association (APPA) on whose Board of Directors I serve. APPA is the voice for not-for- profit, community-owned utilities that serve 49 million people nationwide. I also serve as the Co-Chair of the Electric Subsector Coordinating Council which is made up of 30 utility and trade association CEOs and serves as the electric sector's principle liaison with the Federal Government on policy level security issues. The electric sector takes very seriously the threat of electromagnetic pulse, or EMP, events and certainly, if you consider reliability, it's what we do. That's the primary objective for electric utilities in the first place. Chairman LaFleur provided a good description of the various types of EMP events. I want to emphasize, consistent with Senator Murkowski's, Chair Murkowski's, opening comments, that in effect a HEMP attack is an event that would be an act of war or terrorism, and in fact, is the responsibility of the Federal Government to prevent, as a matter of national security. But that doesn't mean that we don't take it very serious in trying to develop how we might mitigate that. The technical impact of a HEMP event on the electric infrastructure is uncertain. Though through a collaborative effort, as mentioned by Rob, with the Electric Power Research Institute and the Federal Government were conducting research to gain more information to be able to provide that mitigation. Some proposed the electric industry should install a particular protected device or fully gold-plate the entire grid so that it could survive a HEMP event. However, there's really no consensus on what measures should be taken at this point. The potential unintended effects of that type of protection on the grid or how successful the efforts would be if we, in fact, tried to do that at this time. Cost is a significant factor. As a community-owned, not- for-profit utility, all additional costs borne by LES, for example, would have to be passed directly on to our customers. Assuming EMP blocking devices could be installed to protect the entire grid, power supply would still likely be disrupted by a HEMP event due to the collateral impacts on other critical infrastructures, as mentioned by Ms. Durkovich, the utilities rely on to provide services. EMP are one of many threats the electric sector must confront, as other witnesses identified, including severe weather events, geomagnetic disturbances, cyber and physical attacks. Given this broad threat landscape, our industry understands that we cannot protect all assets from all threats and instead we must manage that risk. To do this, the electric sector follows a multilayered risk management approach to grid protection. A HEMP event is a high- impact, low-probability threat. We take EMP event threats seriously, but we must consider them within the context, a broader context of all threats. A cyberattack aimed at disrupting electric service would be a relatively cheaper and easier weapon to deploy and finding the needed nuclear materials and delivery vehicle to deploy that type of weapon. So clearly, we must place more effort on mitigating the highest and most profitable risk, probable risk. Given industry cannot protect the electric grid from all potential threats, we focus on all hazard recovery, that is, regardless of the cause of damage to the electric system, preparations to ensure mitigation, response and restoration are substantially the same. Grid operators must prioritize critical asset protection, engineer redundancy on to the system and stockpile spare equipment and as also mentioned, there are several programs that are ongoing with respect to enhance that capability given these new threats. In conclusion, electric utilities are working on multiple fronts to increase the scientific understanding of the potential impacts of EMP. As policymakers, there are several ways that you all can support that effort. First, the EMP Commission should be directed to work with owners and operators of critical infrastructure, EPRI, the North American Electric Reliability Corporation, and help assist the Electric Subsector Coordinating Council (ESCC), I'm sorry, and assess the vulnerability to the electric grid to EMPs. Collaboration between experts on EMP and experts in the utility industry will end up with the best product. Second, we need to ensure that the classified reports and research produced by both DoD and DOE are available and that can accurately reflect the threat we're trying to evaluate so we can come up with the best solution. Finally, this is an extremely complex issue that cannot be solved with a one-size-fits-all solution, as previously identified. Prescriptive legislative directives could have unintended consequences and saddle ratepayers with increased cost with no associated value. Similarly, protecting the current successful standards in process put into place by the Energy Policy Act of 2005 is critical. This structure produces standards based upon expert input and necessity when it comes to vast and complex bulk electric system. Thank you for the opportunity to testify, and I look forward to answering any questions as part of the panel. [The prepared statement of Mr. Wailes follows:] [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] The Chairman. Thank you, Mr. Wailes. Thank you, all, for your comments here this morning. Let me start with just a broad question to you all. Is it fair to say that you would all agree that an EMP attack is, in the first instance, a threat to national defense? Do we agree that is what we are dealing with? Ms. LaFleur. Yes, Senator. The Chairman. Chairman? Mr. Gingrich. Yes. Ambassador Cooper. Yes. Ms. Durkovich. Yes. Mr. Manning. Yes. Mr. Wailes. Yes. The Chairman. Okay, we have agreement here. Now the question is what we do with this? I do appreciate the various suggestions that have been presented here and how we can work to protect, how we can become more resilient. Speaker Gingrich, you mentioned the prospects for a broad infrastructure package and what we might be able to do in the context of national security. It begs the question, though, and you have indicated, Mr. Wailes and I think others have said, this is a tough order. There is really not a one-size-fits-all here. But is there commercialized technology the industry could use to protect against EMP attacks, and if not, what are the barriers to deploying the technology? Cost has been mentioned, most specifically, but how prepared are we, if we were to get this infrastructure package? Do we have something that we could actually lay down there that could be constructive? I will let anybody jump on this one. Mr. Gingrich. Let me, if I can for a second, I want to make, sort of, a deeper point about where we're at. We've done an extraordinarily elegant job operating off of a paradigm of efficiency to create an electric system for North America. It's really extraordinary. You now have to shift from that model to a model that says you want resistance, redundancy and resilience. Then you have to create, first of all, just the model and that's why I said-- part one of this is, at least in part, the Department of Energy and the Department of Homeland Security modeling what would that system look like. It's not a situation where you get a choice, where you get to say, you know, I'm going to take the risk of being destroyed by cyber because I'm really going to focus on EMP. You've got to look at all the major threats, figure out what the notable points of defense are against all of them and then design a policy to fit that. And this will be the more expensive system. Then you've got to figure out what part of that more expensive system is a national defense requirement in which case it ought to be borne directly by the government. What part can you legitimately say we can find offsetting savings, as I mentioned earlier, just in cutting the red tape and the time, value and money you could save an enormous amount of resources that the industry would, I think, be happy to swap and put that money back into a more resilient system. But I think you've also got to ask the question, I think there ought to be real urgency and cutting through all of this and setting very tight deadlines for implementation because I think we've known since 2004 that the Russians have given the North Koreans this capability. We've known since the 1990s that the Chinese have been developing this capability. And the capacity for a North Korean satellite to have an EMP weapon is a very real danger in real time, today. So, I think we have to have, well, almost, a wartime urgency of setting this up, offsetting the cost and to your point, in some areas we don't currently have a solution and there are obvious significant research projects, DARPA and others, to be engaged in figuring out the specific breakthrough points, how are we going to solve these things? Because if we don't solve them there's a genuine catastrophe that could happen that would be of horrendous consequence. The Chairman. Chairman LaFleur, and as you answer this I want to know whether you believe FERC has sufficient regulatory authority to address these EMP concerns and really, where we are with that, as you respond to this other point. Ms. LaFleur. Thank you, Senator. I'll take the questions in turn. So, your first question was is there technology available to protect against EMP? The answer is there is some technology available to protect some equipment against EMP. For example, the military sheaths some of its intelligence equipment in metal in some of its intelligence centers. So there is some technology available. The difficulty on the electric grid is knowing where you would deploy the technology to best protect the grid in an effective way because when we are going to mandate a standard for thousands of transmission owners, we want to make sure it's going to work and it's going to do the job that it's intended to do. Speaker Gingrich has referred to the study of the nine substations. I know that's a controversial study. I've testified about it here before. That was a study that was looking at simultaneous physical attacks on transformers and cascading of transformers, whether its results are right or not, that's what it was talking about. If I were to go to protect the grid from EMP I'm not sure, I'm quite certain those nine substations, wherever they are, are not where I would go. I'd probably go to the control centers first because you can't even turn a substation on and off without the communications from a control center. Those are ubiquitous in every territory. So we need to figure out, for this risk, which is different from a storm or a, even different from the risk we're protecting against with the physical security standard which was for the substations, where is the best place to go? That's the work Mr. Manning and others are doing. To your second question, we do not have the authority, as you know, under the law to write a requirement ourselves and say everyone, you have to do this. We have been given a complex statute under which we oversee NERC in a voting protocol, and they file a standard. We can reject it if it's not strong enough and make them change it. We can direct them to do a standard but it's a--that's the way the structure works. Within that authority, we could certainly direct NERC and the industry to do a standard if we believed we knew what they should do. And I have every confidence they would respond as they have with GMD, physical security, supply chain management and other things where they opposed initially but when we directed it, they did a standard. The Chairman. I appreciate that, thank you. Senator Franken. Senator Franken. Thank you, Madam Chair. In reading through the testimony provided for today's hearing, it became clear that some of the witnesses are quite alarmed about the threat of an EMP attack and the potential societal impacts and others are clearly more circumspect. Chairman LaFleur, could you comment on where we should direct the efforts and resources we devote to enhancing grid security? What should our priorities be? Where would you place physical attacks which is on Metcalf, cyberattacks, EMPs, GMDs and other threats on a triage list? Ms. LaFleur. Well, it's a difficult question because we're comparing attacks that are very numerous and kind of low barriers to entry, like cybersecurity when you don't have to be a nation-state. A lot of people can do it too, as several have said, high impact, low probability. I mean, I think that, first of all, we have to have a strategy for all attacks. I think right now I would probably put cybersecurity as number one, but that doesn't mean we don't need to protect our substations from physical attacks or that we don't need to protect against solar storms, which we are protecting against, and work on the EMP issue and figure out how to protect that. I think taking a step back, to me, where we should be going, the real solution, is to build resilience into the grid, to build the grid in a way that we have more redundancy, that we can island, that we have more inventories as we're working on because that works against all risks. I think resilience, which is increasingly where our efforts are going, is the strategy that works, whether it's a hurricane or an earthquake or something else. Senator Franken. So when you are talking about island mode, making sure there are just, sort of, circuit breakers, the opposite of circuit breakers, just so that if one goes down, not everything goes down. Ms. LaFleur. Well, you can't obviously, you can't have a backup for everything, but we have standards, for example, that critical control centers have to have backups, secondary supply lines and so forth. In the geomagnetic disturbance standard, the first part of the standard we put out was an operating procedure standard. When we hear from NOAA that there's a solar storm coming within half an hour, there's an immediate transmission to every control center in the United States. And they have to know, okay, which--how do I go into safe mode? What do I do in the time that I have? Now, we might have no warning of a bomb, but for GMD, that's precisely what they're working on. Senator Franken. Okay. Mr. Wailes and Mr. Manning, can you give the perspective of those who work in the industry and daily face of the near end, long-term threats to the security reliability and resilience of our electrical system? Which threats do you believe we should prioritize? Mr. Wailes. I actually concur with Chairman LaFleur. And we're looking at today's environment, we see the cybersecurity threat as a much higher threat. And we have a significant investment and a lot of work going toward that, as we speak. But I would like to address, kind of, the perception that we don't have a lot of redundancy built into the system now. That is actually part of the core of reliability, again, is electric utility, reliability and low cost are our primary objectives, but reliability is the primary one. So whether you're talking about, you know, transformer capacity to serve substations or you're talking about circuits, all of that is looking at that reliability is built into your generation fleet. When you look at how you plan against generation and reserves for different types of events, that is something we do routinely, but there are different things that we're looking at with current day threats that hadn't existed previously and how we're going to deal with those. The research that EPRI is doing, the work we do, for example, with the ESCC. I think one of the striking things, many of you may have heard about the GridEx exercises which are really significant exercises that are developed between the Electric Subsector Coordinating Council, NERC and the ISAC, which is the electric sector Information Sharing and Analysis Center. They take a year and a half to develop these exercises, and they look at very catastrophic types of events. Some of the learning out of that that we get between the Federal Government partners and the industry is more of an understanding of how much redundancy is in the system and some of the issues that we have to actually share information about how are we going to be more resilient and how are we going to respond. All of those things are an ongoing approach for us, on a continual basis. The difference is those threats are changing. And that's one of the things we found, even with the EMP threat. And we all thought there was a cold war we didn't have to worry about that anymore, nor did we have, as pointed out in the opening comments, the kind of sensitive--we had analog devices. We didn't have devices that were as sensitive as we do today. So as those threats have evolved, we have to get more understanding about how they impact what we do. And we also know that the easier threat now to us is a cybersecurity threat and the physical security threats. Senator Franken. I know I am way over. Mr. Manning, would you respond to that briefly? Mr. Manning. Yes, Senator. The first thing that came to my mind is that we like the information to make that decision, that we react, based off of our experiences. So if we have a high probability of cyberattack, then we immediately respond to cyber issues. We lack sufficient information to understanding exactly what the probability is and what the severity is of attacks like EMP. That information is becoming clearer and we're beginning to understand that. And once we have adequate information about EMP, then we can balance that sufficiently, I believe, with threats like cybersecurity where we have quite a bit of information. Actually, I think we talked about it earlier that risk is really about managing probability and severity and we have to look at both of those things. Well, in the industry we can do absolutely nothing about probability of an EMP attack, so we're focusing all of our efforts on severity. And if we can reduce the consequences of an EMP attack to the point where the probability no longer matters, then I think, we've actually made progress. Senator Franken. I just want to make one last comment which is really a question. Is this an argument for more distributed energy, more solar panels on rooftops, more island mode energy? The Chairman. Let's go to Senator Cassidy. We will leave that question hanging. Senator Franken. The hanging question. Senator Cassidy. I will start with Ms. LaFleur. Madam Chair, the Hawaii outage after the atmospheric nuclear test, was that due to an E1, E2 or E3? Ms. LaFleur. I believe it was due to E1. I believe it was communications equipment that was destroyed. Senator Cassidy. Mr. Manning, you all have looked at, you said, E3 and found it to be less consequential than a severe GMP. What I read in my notes is that E2s are more like lightning so it seems like E1 is, you said, not yet tested. Now, again, just coming up to speed, what you already know. So that is communications. Would that also threaten the grid or no, would this be specific--more likely to affect communications? Mr. Manning. If I can circle back on that question. Our findings on E3 are also partial. There is still additional work to be done on E3. We specifically investigated impact of bulk power transformers. We looked at the 37,000 or so bulk power transformers in the continental U.S. grid. As a result of only the E3 pulse, what we discovered is that the damage to those would likely be less severe than originally thought. It has---- Senator Cassidy. I only have three minutes. You have got to hustle, man. I am sorry. [Laughter.] Mr. Manning. It has a correlation to GMD, but it's not directly related to GMD; however, you can't stand that up on its own. It must be associated with the plethora of energy waves from a nuclear attack. So you must consider E1, E2, E3, all together, and we've only begun to consider that. Senator Cassidy. I got ya. So, whatever my questions about E1, it has to be considered within the context of E1, E2, E3, conglomerately. Mr. Manning. Absolutely, unless it's a handheld device which is only an E1 pulse. Senator Cassidy. Madam Chair, speaking of a geomagnetic, if I am getting all that right, what I quickly read about the Carrington event is that there was a 17.6-hour lead-in. They saw the flare, but the physical effect was not seen. And I read that in some places they actually unhooked their telegraph from the power source. Typically you would have a several day lead-in. We see the flare. That said, is it possible if there is such a flare from the sun that everybody could go home and unplug their computers, put in their surge protectors and otherwise protect their equipment? Ms. LaFleur. Well first of all, much more so than in 1859, our weather satellites give us good information, usually you know several days ahead something is coming, but the details of where it's going to go is more like in minutes or hours than days. That's the purpose of the operating procedure standard that is communicated to the control centers so they can protect the high voltage transformers and so forth, which take a lot longer to replace which are the most impactful equipment on the system in many ways. In theory, you could go protect your own equipment, but the solar storm doesn't have the same effect on communications. So, I don't think there's a lot of concern that it would destroy home electronics. Senator Cassidy. I guess I was using that as, kind of, a metaphor. Ms. LaFleur. Yes. Electric companies could do things like that. Senator Cassidy. They could. So we do have some advance notice and we could take some protection? Ms. LaFleur. That's why that was the first standard we put in place because you don't have to do equipment modifications. It's actually just planning of what you would do. Even when I used to run a distribution company, even when we had hurricanes or snow storms coming, sometimes you configure your system in a different way to prepare because you know where your vulnerabilities are. It's similar, but bigger scale. Senator Cassidy. Now going back to the point that Senator Franken made that some of you were more sanguine and others less so. I read about a 1989 geomagnetic storm which only affected Quebec and maybe a few Australians over in Namibia, but as far as I know it didn't affect Louisiana. That said, it tells me that even though we were about this being global at first, at times we have these geomagnetic storms and it is local. Ms. LaFleur. It depends on the size of the solar flare. One like a Carrington event is larger. Most of them are more regional. Our standard that's now in effect requires specific mitigation depending on the latitude and the soil and so forth. Louisiana is a little closer to the equator. In general, the poles are--this is one--you have a lot of hurricane issues, but this particular problem closer to the poles is generally considered more exposed to solar radiation. Senator Cassidy. So my kind of sense from everything, what you're saying is that we really do have an understanding and some advance warning that someone said if we can prevent it, it's a lot better, that at least with that which might come from the sun, granted it could overwhelm and the Speaker mentioned that. Ms. LaFleur. Yes. Senator Cassidy. But still we are somewhat prepared for that from the solar. Ms. LaFleur. Well, because we monitor all the time, some of the transformers have monitoring attached, they can get regular updates on what's happening with the sun and how it affects them. Fortunately we don't have a lot of experience monitoring explosives in the upper atmosphere. That's not the kind of monitoring experience we want to get. So, you can't develop the fact-based, experience-based information like with the sun. Senator Cassidy. Got it. Thank you. I yield back. The Chairman. Thank you. Senator Wyden. Senator Wyden. Thank you, Madam Chair and thanks to all of our witnesses. This is a very, very hectic day. The Speaker knows a little bit about what those are like up here. I just have a couple of questions. First, I want to note a point I am not sure has been made, and that is in the skinny budget the cuts that the Administration is looking at for agencies like NOAA and NASA is going to make it much tougher, much tougher, for the Congress on a bipartisan basis to deal with the important issues that we are talking about here today. I think there is a real role for government to play as it relates to improving the resiliency of the grid, and those are the questions that I want to touch on with all of you. I will start, Mr. Manning, with you and Ms. Durkovich. As you know, what we really are concerned about in our part of the world is the large earthquakes along the Cascadia Subduction Zone. This is a major, major issue for the people of the Pacific Northwest with respect to this whole issue of resiliency. Now my take, with respect to the science, and it picks up on a point where, I think, Senator Franken was trying to go, is microgrids and distributed energy resources. And here we are talking about rooftop solar. Energy storage can play a very real role in helping the grid quickly recover if you get hit by an event like this. So, for you, Mr. Manning, and you, Ms. Durkovich, could you just briefly walk the Committee through the role that these technologies could play in adding resiliency to the electric system when we are thinking about, in our part of the world, a physical threat like a Cascadia disaster? For you, Mr. Manning, and you, Ms. Durkovich. Mr. Manning. So it's an excellent question, thank you, Senator. There is no doubt that distributed energy that is grid connected introduces additional redundancy to the grid. As Kevin mentioned earlier, redundancy is a part of reliability. So the more redundancy we can add and couple into the grid, the greater potential we have for increasing reliability. But it's not a failsafe. In the event of an earthquake, for example, distributed energy is probably an excellent solution to offer alternatives to centralized generation. In the event of an EMP, by contrast, there's nothing that specifically protects those distributed energy resources any better than the centralized energy resources. So in the event of an EMP, you're likely to see the control systems for rooftop solar or for storage or for microgrids would also be impacted by that EMP. They would also be rendered ineffective unless they're hardened specifically for that. However, for weather events, for other events, even potentially cyber events, they add value because they add redundancy. Senator Wyden. Okay. Ms. Durkovich? Ms. Durkovich. Thank you. That's really an excellent question. I think another example of how government and industry have come together to think about how we are going to address impacts to the grid from some of these lower probability, high impact events. In 2016, there was a major exercise called Cascadia Rising which focused on just this, the Cascadia Subduction Zone and the fact that, like a Carrington event, we are a little bit overdue for this scale of earthquake in the Pacific Northwest. I would agree that certainly distributed energy can help speed restoration to the communities, but this is, again, another type of incident where we really need whole of community effort when you think about the potential damage and consequences that we're going to see in something like this. And so, it is important for us to continue to do the large- scale exercises that bring together our state and local's industry and government to help us think about, alright, what are the impacts going to be to the grid? What are the impacts going to be to communications? To transportation? How are we going to get basic commodities into this area? How are we going to make sure first responders can get in and equally important the utility and the linesmen, to help get the systems up and running? So this is not an easy challenge, but it's why we bring folks together to think through, alright, what are we dealing with and how are we going to speed recovery? Senator Wyden. Very good. Thank you all. The Chairman. Thank you, Senator Wyden. Senator Risch. Senator Risch. Thank you, Madam Chairman. Thank you for holding this hearing. We have heard a lot of criticism, or at least concern this morning, about the government's response to the growing threat of grid security and to cybersecurity. In large part, I think, there is certainly criticism to be had and certainly a lot of concern to be had. Part of it, I think, has grown out of frustration that, I think, there isn't a lot out there about what the government is doing. I sit on the Intelligence Committee, Senator King sits on the Intelligence Committee and Senator Wyden sits on the Intelligence Committee. I can tell you that these issues have not been ignored by the United States. Most of what we know about it, most of what we are doing about it, cannot be discussed in this setting. It is going to be a closed setting, only for people with the security clearance necessary. So, in that regard, it isn't quite as bad as what everybody is saying. But Speaker Gingrich, your deep insights into the consequences are greatly appreciated. We have been through these exercises and your statements are certainly not overstated. I would take issue though, as far as your recommendation, if we have an infrastructure bill coming. I can tell you based on what we know about where we are and what we are doing, I think that is appropriate at some point in time, but we are not ready yet. You saw what happened when they had this last $2 trillion, whatever it was, bill to stimulate. When you start throwing money at the wall a lot of it doesn't stick, and the term ``shovel ready'' was used a lot. We are really not ready. We do not have shovel ready products yet. Certainly, we need more research and that could be included in that, but I would just be a little reluctant to start digging and laying stuff in the ground at this point. But there are things going on on this, and I think a lot of us on the Intel Committee are convinced that the next significant events in America are going to be a cyber event. That is where we have vulnerability. But certainly the grid is linked to that. And the bad guys, of course, Senator Franken had asked which was more, what is the most concerning right now? Well, we have to be able to walk and chew gum at the same time because, as we sit here today, there are different people working on different ways to attack us. And these are all included in that, whether it be North Korea trying to develop a weapon to drop on us or whether it be other state actors and non-state actors who are trying to get us through the grid and through the cybersecurity. Ms. LaFleur, thank you for the shout out today at our National Laboratory. Obviously, we are becoming, in Idaho, the go-to and the flagship on grid security. You saw the test bed that we have out there and the kinds of things that we are doing there on grid security, working with private industry. I think most Americans would be very pleased to see what is going on out there and the kinds of things that we are doing to try to mitigate them as we go into the future. In any event, we are going to continue to work on this. I think it is important. I really appreciated Ms. Durkovich and Mr. Wailes' description of risk management because, you know, after you sit here for a while today, you realize the threats to America, how many there are and how diverse they are and the widespread places that they come from. There are a lot of people out there that just, for their own reasons, want to do us harm. And yes, we have to be able to walk and chew gum at the same time. Yes, we have to be able to address all those threats. But you have got to do it on a risk management basis because there isn't enough money in the world to protect us 100 percent, whether it be the grid or whether it be the cybersecurity or just a normal kinetic attack. There was frustration, I think, expressed for the Department of Defense. We work with the Department of Defense, the Intel community works with the Department of Defense all the time, and I think that criticism is probably pretty well taken. I say this with great love and respect for the Defense community, but they are much more focused on the classical kind of warfare and the classical kind of defense that has always been and we have always challenged them to provide for America. These new things that are coming along, like cyber and grid and what have you, have not been in the wheelhouse. They are getting up to speed but so is the electrical industry and everything else. Probably one of the most telling things we hear in the Intel community is when we have these experts in on the grid and everything and I think this, kind of, put it in perspective for me. When you work on these problems and you try to predict what is going to happen and then try to design a defense to it, these people will tell you, when it comes to cybersecurity we are where the Wright Brothers were. We don't know what we don't know. And we keep learning things. A good example of that as Speaker Gingrich very rightly pointed out is the fact that all of this stuff is designed for efficiency. Well, when you design it for efficiency, you design in huge vulnerabilities. The Ukrainian attack taught us something. In fact, some legislation came out of that, and that is that the Ukrainian attack was not as bad as what it could have been because their system was not very efficient. It actually had to go through human beings. And when it got to these human beings, the human beings recognized what was going on and they were able to mitigate that. Senator King and I are co-authors of---- Senator King. S. 79. Senator Risch. S. 79. Thank you, Senator. We call it the back to the future bill where you actually back up and start to look at these efficiencies and see if there are some places where we can put in some of these kinds of things. Anyway, I have talked long enough. Again, this is an incredibly important hearing, incredibly important subject. Thank you for holding it, Madam Chair. The Chairman. We appreciate that input, Senator Risch. Senator King, now you can speak to your bill here. Senator King. Thank you. First, I want to welcome Speaker Gingrich. It is always a pleasure to have your wisdom and insights. I still remember very well a day we spent in Maine when we were lonely voices talking about digital education back in about 2000, so I appreciate that. Mr. Manning, and I think this gets a little bit to where we have been focusing today, we were talking about distributed energy and you appropriately said that could be a part of the redundancy and defense. Unless they are hardened, you said. That is my question. Are there reasonably priced, hardening tools out there? In other words, could we build in to every house, as part of the electrical system, some kind of high test surge protector that would be a defense in this situation? And by the same token, a similar kind of device in the grid back at transmission points? Mr. Manning. That's a wonderful question. I think the answer to that is there could be. Today, it's probably not, as we just heard, is not shovel ready. There are a lot of different components that need to be added together. But this will take a fundamental design change, in some respects, particularly for home-based equipment. You'll have to think about it differently and make just complete design changes---- Senator King. Are the utilities thinking about this for their critical points? In other words, to me this is an insurance question. Mr. Manning. Yes. Senator King. How much is the insurance policy going to cost versus the risk? Mr. Manning. And one of the things that we are doing with our report which will be out this summer is taking the military EMP standards and converting those to utility standards. What we will find is that applying those utilities, those military standards to utilities broadly, will be prohibitively expensive. It's very difficult, it's very challenging, it's hard to do and it's very expensive. So utilities may still choose, as we've heard already, they may choose to pick perhaps nine points or something like that and harden those points with military standards. But it won't be practical to support the whole system until we develop some more effective and lower cost alternatives. Senator King. It seems to me this is a place for American ingenuity and inventiveness and creativity to market for somebody. Mr. Manning. Absolutely. Senator King. An important market for homes as well as for the grid itself. The bill that Senator Risch mentioned mandates a study. I should not have used the word mandate, suggest a study involving Idaho National Lab and several volunteer utilities on the possible importance of putting at certain points in the grid, analog devices, which is what saved the grid in Ukraine and that is exactly what we are trying to do. It is a bill that came out of our work on the Intelligence Committee, both of us are also on this Committee. And it is a great bill, Madam Chair. But I think, Mr. Speaker, you have done a lot of thinking about this. We cannot defend ourselves. We cannot install defenses that are so expensive that they far outweigh the risk. How do we get products that can solve the problem? Mr. Gingrich. Well, let me use this as an excuse to make three quick points, ending on that one, okay? Senator King. Fine. Mr. Gingrich. First, every member of Congress already got briefed on the concept of hybrid warfare, what you're seeing in Ukraine. Senator King. Yes. Mr. Gingrich. Because it's what makes the whole panoply of risks come together simultaneously. You don't know---- Senator King. We are seeing warfare change before our eyes. Mr. Gingrich. That's right. And just as I talked about the paradigm change earlier, from efficiency to looking at resistance, resilience and redundancy, we have to rethink from the ground up what we mean and what the military means and what Homeland Security means. Two, if I walked in here and said to you, you know, I've been thinking about how we run our cities and I can't decide whether we've got to cut out food inspection in the restaurant, the sewer, the fire department or the police. Which one do you think we should drop? Because that's what we're doing right now in terms of this. If we had no choice as we rethink our infrastructure but to look at the totality of potential disasters and decide are we going to figure out a design that meets the totality. See, you can't say let's set priorities because the one you don't pick may be the one that kills you. Senator King. Sure. Mr. Gingrich. Lastly, there's a terrific book. I just did my newsletter yesterday. I very seldom do book reviews in my newsletter but it's called, ``The Weapon Wizards.'' I recommend it. I'd like to get every member of Congress to read it. It is the Israeli capacity to innovate and how dramatically they've done it and they're really cheap, okay? One of the things that I hope Trump is going to bring to the Pentagon, which would, as a Conservative, I'd like to see reduced from a Pentagon to a triangle by eliminating 40 percent of its redundancies. [Laughter.] But I mean this quite seriously. We start out and we say, since we have to design an absurdly expensive, over-engineered obsolete model based on work done in 1963, if you applied that to the grid you couldn't afford it. To which the correct answer is, well, what if you went out and asked every smart, young person in America to come up with a $9 version that could be sold on Amazon? Senator King. Exactly. You would be interested to know that we have had testimony at the Armed Services Committee in the last couple of months that Silicon Valley basically will not deal with the Pentagon because it is so, I would call it byzantine, but that would be an insult to the Byzantium empire. [Laughter.] Because it is so burdensome and cumbersome, and we are losing the innovation race. Mr. Gingrich. And at least half of that is the Congress which imposes patterns that are so stunningly stupid that if the Congress would look at the things it has passed into law in the past 40 years and get rid of half of that and then challenge the Pentagon bureaucracy to get rid of the other half, you'd be startled a year from now how rapidly we'd be innovating and how cheap it would be. Senator King. I am shocked you would use the words stupid and Congress in the same sentence, Mr. Speaker. [Laughter.] Mr. Gingrich. I apologize. Senator King. Thank you, Madam Chair. The Chairman. Thank you. Senator Manchin. Senator Manchin. Very quickly, thank all of you for being here, we appreciate it very much. Speaker Gingrich, it is always good to have you here. Chairman LaFleur, first of all, anybody can answer this and if you have any comment to it, but the likelihood of the EMP attacks, the likelihood of where we are most vulnerable. I came in a little bit late because, as you know, in this place we have competing committee meetings. But is it basically from a weapon from another country or is it basically going to be home grown to do damage to the delivery system? Where do you think we are the most vulnerable? Or what are you concerned about in vulnerability? Ms. LaFleur. Well, the so-called suitcase EMP. Senator Manchin. Yes. Ms. LaFleur. A handheld device is, obviously, much easier to build than a bomb, but it's also easier to protect against. I think some of the these we're doing, we do know how to put fences on substations and cameras and perimeter zones if you have to throw something in somewhere, we know how to protect that. So I think that's more likely, but easier, to protect against. Senator Manchin. You are requiring that because I can tell you we have an awful lot of power generating in West Virginia. Ms. LaFleur. Excuse me? Senator Manchin. We have a lot of power generating in West Virginia. Ms. LaFleur. Yes. Senator Manchin. And we light up most of the East Coast which they do not know about. Ms. LaFleur. Yes. Senator Manchin. If we ever turn the coal off, they would go dark. Maybe we should do that. Anyway, the substations, I have seen substations that are very vulnerable. Are you requiring them to basically solidify that and protect? Ms. LaFleur. What the physical security standard did was required each company, each transmission operator or owner to identify their most critical substations and come up with a specific plan to mitigate against physical attack. Senator Manchin. Do you have anybody that inspects it? Ms. LaFleur. Excuse me? Senator Manchin. Does anybody inspect it? Ms. LaFleur. Yes, we are inspecting and NERC does the first audit and FERC---- Senator Manchin. Well, if I see some vulnerable situations I can call you? Ms. LaFleur. Yes. [Laughter.] Always. But the--so that's that thing. I think the high-altitude HEMP---- Senator Manchin. Yes. Ms. LaFleur. The high-altitude EMP is, I don't remember the adjective you used in your question, troubling because we, unlike the smaller, we don't know---- Senator Manchin. I understand. Ms. LaFleur. The most--way to protect it. Senator Manchin. You had something, right? Ambassador? Ambassador Cooper. Yes, I don't know how to put a probability statement on but let me give you a couple of facts. In 2004, several Russian generals who were experts in EMP, and I would note that they did more effective tests on this effect over populated areas, in fact, in the '62, '63 timeframe than we did. They learned more about it than we did. They told the commissioners, the EMP Commissioners, that they had passed, inadvertently, I think they said, but the information on how to design a super EMP weapon that is a low- yield device that produces lots of gamma rays. Senator Manchin. At a high altitude? Ambassador Cooper. High altitude, to the North Koreans, okay, who in turn, as you know, worked in a direct alliance with Iran on everything. North Korea, by most estimates, has already anywhere from 10 to 20 nuclear weapons. We take comfort in the fact that there have been low-yield tests in North Korea. Well low yield is what you use to produce a super EMP weapon, and they allege that they can launch this. They don't allege, a lot of experts I know claim that they can launch this, as Speaker Gingrich said, or put it in a satellite which comes toward the United States from our south, our undefended south, okay? We have no defense against that nor do we have a defense against missiles launched from ships in the Gulf of Mexico. We have not put our--we know how to do it. This is not a matter of ignorance. And actually it's not a matter of cost either, which I'd be happy to defend another time, but we know how to do it. We just simply are not doing it. We're deploying what's called Aegis Ashore, and I'm proud of that system because I started it, you know, when I was running the SDI program. It's deployed around the world on our ships, it's deployed on the ground in Romania and will be operational in Poland by the end of the year. We have an operational site in Hawaii. We ought to put a site in Panama City on First Air Force base at Tyndall Air Force base where First Air Force has the responsibility of the defense of the United States, give them a missile defense mission too. Senator Manchin. Do you mind if we bring in---- Ambassador Cooper. We know how to do this. Senator Manchin. Do you mind if we bring you to the Intel, a little Intel briefing? Ambassador Cooper. I beg your pardon? Senator Manchin. The Intel Committee for a little briefing, would you come? Ambassador Cooper. I certainly would. I have my clearances still, by the way, so I wouldn't mind transferring them in. Senator Manchin. That is great. Ms. LaFleur, if I may, while I have got you, just real quick. The vulnerability basically is reliability of the grid system. Do you feel comfortable of the system of this grid when the vortex almost, the polar vortex, about took us down that one time? I mean, where are we today, right now, in your evaluation, with the amount of diversity we have going into the grid, as far as electricity sources? Ms. LaFleur. Well, today we still have quite a bit of fuel diversity. Coal, as you already referred to, plays a very important role in baseload in most parts of the country. And we have increasing natural gas and increasing renewables. And the system operators are learning to run---- Senator Manchin. Do you consider gas as being a baseload? Ms. LaFleur. It depends. Some, the big combined cycle, some of them are run as baseload run all the time and then there's also---- Senator Manchin. But are you concerned? I am just saying from the reliability, baseload, to me, means uninterruptable power. Coal and nuclear base are uninterruptable. They have what they have. Gas is a pipeline delivery system that can be targeted by terrorists or any other type of a natural disaster. But you are building, we are building baseload of something that could be interrupted. Is that correct? Ms. LaFleur. It's correct that to the extent we rely on gas, we have to build in fuel security that's different than the fuel security of coal which you can look out and see the pile. Senator Manchin. Sure, absolutely. What is your feeling of comfort on the reliability of the grid? Ms. LaFleur. I think most parts of the United States are well supplied with gas pipelines but we have places where there are constraints and I think operating the grid with all the new technologies is something we're still working on. Senator Manchin. Does anybody have anything else they would like to add? Ambassador Cooper. Yes, Senator. We've talked about E1, E2, E3. E1 is the high frequency, high amplitude, narrow pulse that causes damage to solid state electronics. Our natural gas pipelines, portions of the grid itself and petroleum pipelines, probably are controlled with little units called SCADAs, little, small computers that are vulnerable if we haven't taken special precautions to harden them. And my information is we haven't. So, we have critical infrastructure to the operation of the, of all of our grid to these kinds of effects from nuclear, high-altitude explosions. And as I said earlier, I don't know how to put a probability statement on it, but I can tell you the threat is absolutely real. I've worked on these problems for most of that half century since we began seriously improving our strategic systems to deal with it, and we set priorities in the Department of Defense. We didn't try to harden everything. We hardened what we thought was the most important things. In my opinion, in the grid, we should be paying careful attention to our nuclear power plants to make sure they aren't a hazard if their grid goes down and they have to shut down--we don't want Fukushimas all over the place. So we need to make sure we have power to those, just to keep them safe and then to bring them back up to help support---- Senator Manchin. I want to thank all of you. I appreciate it very much. Thank you. Ambassador Cooper. Thank you. The Chairman. Thank you, Senator Manchin. There has been discussion here about what we see out of Israel with their level of innovation. Ambassador Cooper, you have referred to other initiatives around the globe, but in terms of what other countries are doing specifically to address a HEMP or other EMP-related event. Is anybody, kind of, leading the way here? Are there best practices that we might want to be looking to? Who is doing some good things? Ambassador Cooper. The Israelis, the United Kingdom, I would go talk to those folks. We have international conferences every year---- The Chairman. To what extent do we cooperate with them then? Ambassador Cooper. We meet with them. There's a big difference though, their government tends to control what's going on. The Chairman. Right. Ambassador Cooper. Whereas in this country, as I said to you earlier, we have a crazy quilt of electric power companies across the nation. Why, I believe, we have to work from the bottom up and island, that term we've used here, around our nuclear power plants, keep them safe, bring them back online. We get 20 percent of the nation's electricity from those plants. And so, that's a valid resource if we lose the entire grid. Today, I don't have confidence that we can do that because we don't have these crazy quilt components connected. So, we have a serious problem here, and we have been ignoring it collectively. I'm not trying to point fingers at anybody, but that's the reality. The Chairman. Chairman? Ms. LaFleur. Thank you for the question. We have Memoranda of Understanding with Israel, Norway and some other countries, the U.K., to work on these things. I would say, in the solar storm area, Scandinavia, is probably, the Scandinavian countries are doing the most. Obviously, their location would justify it and---- The Chairman. Well, the United States actually has a location up there too. Ms. LaFleur. Yes, that is correct. The Chairman. It's called Alaska. [Laughter.] Ms. LaFleur. My feelings exactly. Ambassador Cooper. She noticed that. [Laughter.] Ms. LaFleur. That's why GMD has really been one of my biggest priorities, my feelings exactly. On the grid security defense area thing, I would agree with the Ambassador that Israel, the entire Israeli grid is--it's just a different society in the way things are run. We have a much more open society in terms of how our infrastructure is designed and set up, I mean, and so, I think, in security Israel is probably leading. The Chairman. Let me leave you with one question. Again, I am going to allow anybody to step in here. Ambassador, you mentioned this crazy patchwork that is out there. Some have mentioned the imperative of public/private partnership, but in order to have a public/private partnership there has to be a little bit of trust there, there has to be a willingness to share some information. In fairness, I think we have seen some instances where information gets out there and you get burned in the media. Probably the most current example is what happened in December in Vermont. As I understand it, Burlington noticed an alert about a suspicious IP address that had connected to one of their computers. They responded, reported. The next day, the Washington Post somehow learns about it. Then you have reports about Russian hackers infiltrating. Later follow-up shows that the IP address was not necessarily linked to Russia. It was not necessarily malicious activity. But you really have eroded any trust that may have been out there. So how do we do a better job of this? How do we work to restore this level of trust and build a relationship that is going to be necessary in order to really address this? Mr. Wailes? Mr. Wailes. Well, I think that we have a perfect example of that of the relationship that the industry has built with the Electric Subsector Coordinating Council, the Department of Energy and the Department of Homeland Security. There is no doubt that that was a significant issue and a learning experience for everyone. But I think that one of the things that needs to also be taken away is that proves the effectiveness of getting that information out because information came out, you know, here's some suspicious IPs that you need to look for, report to us right away. And that function worked. Now was there a communication issue and a potential issue associated with that, yes, and I think we're working on fixing that like we are lots of other issues between us. The relationship, I think, between the industry, actually within the industry and within the industry and the Federal Government is stronger than it's ever been, recognizing we have a lot of common issues and we need each other's help in order to make the nation stronger. And I think we're doing a good job of that. We have a long ways to go. There are a lot of threats, a lot of issues. But there are just so many examples of how that working relationship has worked. And I think, when we talk about that, one of the things we should even think about is five years ago you did not have a lot of security clearances in the industry. And now, thanks to DOE and DHS, even a utility our size has six or seven people that would have security clearances. We're able to do things they could never do before, and we're able to share information that we couldn't do before. So it's a learning experience. We all understand the communication challenges, and I think we're on the way to, at least for our sector, to do that. Now, we also are very interested in trying to build a stronger relationship with those other connected sectors that have issues and trying to make sure that we actually look at cross sector coordination, such that the other critical sectors, along with the electricity sector, actually can have that same functionality with the government. The Chairman. Well, I am encouraged to hear you say that you think things are getting better in terms of providing that level of security clearance because we had a hearing, not more than six weeks ago, where that issue was raised about the frustration with how long it actually took and it was actually a former member who was the former head of the Intelligence Committee on the House side and was still having trouble getting his clearance. Mr. Wailes. I don't know what the current process is, but the number of people from years ago that we got in, through that process, was much higher than through that. The Chairman. Yes. Ms. Durkovich? Ms. Durkovich. Yes, an excellent question. And while the incident that you referred to is unfortunate, I would say, overall, the trust that has been established between government and industry in the partnership is stronger than it's ever been. Kevin alluded to many of the activities that we have underway. In my former position I actually ran the private sector clearance program which is the program that provides clearances to infrastructure owners and operators who have the need to know. When I left, I think there were roughly about 3,000 owners and operators that had clearances. Clearly what happened at OPM has slowed the ability for us to provide those clearances in a timely manner. But I think that those timelines are clearing up and those clearances, as well as many other authorities that Congress granted DHS, and that's everything from the protected, critical infrastructure information program to the critical infrastructure partnership advisory committee which allows us to both share information, to ask for vulnerability information from owners and operators to protect it from regulatory purposes from state sunshine laws, from FOIA. So we can take that information, we can investigate, we can do forensics, we can anonymize and we can push it out. Industry is one key part of how we share information. As part of the Electric Sector Coordinating Council and all of the other sector coordinating councils, we bring industry in on a regular basis to provide them with threat briefings, with classified briefings, to help them understand this complex risk environment. We can have conversations that are not available to the public about what we should be doing to protect our infrastructure. And the list really goes on. But I think, there's two important points that I want to end with is one, better understanding the intersection of these critical lifelines and the vulnerabilities caused by them and how we can continue to ensure and have plans in place to mitigate cascading impacts in the event of some of the incidents that we've been talking about. And then, I think, the second piece of this is as we begin to modernize our infrastructure and we begin to move to smart cities, I cannot underscore the importance of baking security in at the beginning. You need the security people sitting next to the coders, the architects and the builders. It is imperative. Security is the new normal. It will be a differentiator. It will be a differentiator for companies. It will be a differentiator for utilities. It will be a differentiator for cities. And it has to be one of the core principles as we go about modernizing our infrastructure. So, thank you. The Chairman. Good. Ambassador Cooper, why don't you wrap up, please? Ambassador Cooper. Okay. Thank you, Madam Chair. I just wanted to comment on this last discussion about security. I think someone needs to do a serious look at the levels of security that is inhibiting this kind of open discussion of what the environments are that the industry has to design against as well as other factors. I don't believe that there is an absence of technology to deal with the EMP issue in an affordable way. And I want for your peripheral vision to just make one more point. I absolutely agree with you about the need for trust between the people and the parties that have to deal with this issue which is why I gave up on trying to get institutions here in Washington and even in the states, to deal with this issue. Lots of folks have tried, are trying, and are frustrated by the issues that you've mentioned. That's why I'm working very closely on an individual level with key people and when I say local, I mean, in three counties right now, and we're going to couple into the NERC exercise this November, the GridEx exercise as well, to expand our lessons learned upward in South and North Carolina and we'll go elsewhere. I think that we have to wake up to the sense of priority of dealing with the issues. The EMP Commission has looked at the briefings that some of the folks at this table have given. It is their assessment that they're underestimating the threat, even for the solar threat. The magnitude of the E3 component for a nuclear device is larger than for the solar event. So, if we harden the grid for a solar threat, we will still leave ourselves vulnerable for the other. And in addition, you have E1 as a component that threatens the solid state electronics throughout our grid and that includes the distribution systems for petroleum and natural gas. So, we need to deal with this issue in a very, I believe, direct way. I think that we have hope that what we're doing to accomplish locally. And when I say island, I want to build an island around Duke's nuclear plant and its hydroelectric plant and coal plant all on that lake so that the local people are engaged in working the problem. And by the local people I mean the, you know, the mayor, the city council at the political level, but Joe Sixpack, who understands what we're doing through the National Guard and so on. Our--general is an electrical engineer graduate of Georgia Tech. He understands these issues and he is committed to try to work with us and we'll expand outward from there to other states and other locations. I believe that's the way we have to go to really build trust among the key players that are required to cut across the patchwork, quilt patchwork, that I tried to describe to illustrate earlier. And that's not to argue against initiatives at the state level or the federal level or so on. At least that raises consciousness about the nature of this threat. But my concern is the devil is in the details. And we learned hard lessons in the Department of Defense, that it's not just having the right design. It's not just having the right deployment, and it's not even just having an operational concept that's important. If you don't test it, I don't believe it. And we learned through hard experience that maintenance and that sort of operations of operational systems that were well designed and deployed, we create holes by which EMP can get through. So this is a hard problem. We have to choose where we work carefully and protect what we need to work to ensure the viability of the grid and for the American people. The Chairman. Well, ladies and gentlemen, thank you. I think the testimony this morning, the questions and responses back and forth, have been very helpful. I think this has been a great discussion. I appreciate some of the suggestions that we have, but I also appreciate the urging that we really not let our guard down, recognizing that this is complicated, multifaceted and it requires an attention to it that is really daunting. But just because it is daunting does not mean that we should not be working with you, with our agencies, with the sector, really across the country. I appreciate what you have said, Ambassador Cooper, about really starting out very local and understanding the implications, not just those that are tasked on the day-to-day, but helping to educate Americans about our vulnerability and what we can do to reduce that. It is always important here in Congress that we be reminded of the urgency and the imperative of our task, and I think we were given that message this morning. I thank you all for your contributions. With that, the Committee stands adjourned. [Whereupon, at 11:57 a.m. the hearing was adjourned.] APPENDIX MATERIAL SUBMITTED ---------- [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] [all]