Research

How Local Governments Meet Federal Commitments: Federally-funded, Locally Implemented Energy Efficiency and Conservation Projects

By Jessica N. Terman, Ph.D.
Assistant Professor
Schar School of Policy and Government
George Mason University

Federal grants place cities and counties as implementers of federal policies and provide them the resources and ability to shape the policies that get implemented in their jurisdictions.  Yet variation in local resources, capacity and leadership commitment lead to challenges and imbalances in policy implementation.  In some cases, this translates into a failure to accomplish the objectives of federal programs.  Through a statistical analysis of the US Department of Energy’s (DOE) Energy Efficiency and Conservation Block Grant (EECBG) program, we determine that adequate local administrative capacity in terms of staffing as well as direct mayoral involvement in the application process and general support among municipal government actors can mitigate these performance problems.  These findings shed light on how to increase the chances of success in implementing energy efficiency and conservation policies at the local level.

Much of the literature on federal goal achievement in the intergovernmental grant process focuses on principal-agent relationships between the grantor and grantee governments (Chubb 1985; Nicholson-Crotty 2008; Volden 2007).  One key problem identified in this literature is a disparity in policy preferences between levels of government: local governments receiving federal grants have policy preferences that actually diverge from those of the federal government. Existing literature offers several ways in which the federal government can overcome this implementation problem.  The intergovernmental management literature points toward more restrictions on state and local government spending (Gramlich 1977) and increases in federal monitoring and oversight (Chubb 1985).  Literature on grant effectiveness promotes the development of mechanisms to overcome goal conflicts, which may be rooted in partisan differences (Nicholson-Crotty 2004), funding levels or project design (Becker 1996; Gramlich 1977; Hines and Thaler 1995).  An underlying assumption in much of this literature is that goal alignment is sufficient for successful implementation and that when incentives align, the federal government has substantial control over implementation performance.

Yet the emphasis on the grantee-grantor relationship is unable to explain implementation delays in cases where there is shared interest in implementing the policy.  We address this gap by directing attention toward political commitments and administrative capacities that are crucial to policy implementation.  While capacity can take many forms, we focus on local administrative and fiscal capacity and policy-specific expertise and analysis, both of which have proven to be particularly salient to implementation (Howlett 2009).  The involvement of elected officials in the grant application process can also affect implementation by signaling to the local bureaucracy the importance of the project under consideration and by attracting public attention to the administrative process.  By virtue of their position, elected officials also have the ability to pressure local administrators to expedite public projects, although the extent to which they may do so depends on the institutional structure of the municipal government.

The EECBG, a block grant funded by the 2009 American Recovery and Reinvestment Act (ARRA), is informative in examining the role of local circumstances in implementation outcomes.  Despite shared grantor-grantee interest in the expeditious implementation of EECBG projects, which were anticipated to create new jobs and stimulate the economy, many local governments missed reporting deadlines and did not complete performance reports.  The torpid implementation of EECBG-funded projects did not result in timely spending nor did it stimulate the economy as was initially expected.

We tested the influence of administrative capacity and political involvement on the implementation timing of EECBG projects (Terman and Feiock 2014).  In terms of capacity, we find that the number of financial management staff members, managerial capacity, the presence of a dedicated sustainability staff and a lack of information resources to reduce energy consumption have no significant effect on implementation.  The only statistically significant capacity predictor is a lack of staff capacity to reduce energy consumption.  The nature of this relationship is unexpected: as lack of staff capacity became more of an obstacle, the number of days to begin implementation decreases.  However, this apparent anomaly is explained by the fact that governments are aware of their lack of staff capacity and thus only pursue projects that fit their staff capacity (Terman and Feiock 2014).  In other words, lack of staff capacity influences project selection; governments with lower levels of staff capacity did not apply for EECBG project types that they would not be able to effectively and promptly implement.

Our findings on political involvement by local officials are multifaceted.  As expected, mayoral involvement in the application process decreases delay in implementation as compared to municipalities where mayors are not involved in the grant application process.  The structural context of the local government affects the extent of mayoral influence on implementation.  In municipalities with a mayor-council form of government, in which there is a separation of powers between an independently elected mayor and the council, the mayor has more influence on the bureaucracy and is better able to expedite implementation.  Where governmental authority is concentrated in a council that can hire or dismiss a manager, the effect of mayoral involvement in the application process diminishes.  Put simply, a mayor can influence the implementation progress by becoming involved in the application process, but this is constrained in contexts where administrative power is shared with a council-appointed executive.

Unlike mayoral involvement, direct involvement by the city council in the grant application process increased the time to implementation by about 15 days.  This reflects the diversity of preferences that council involvement brings to the application process due to the presence of multiple principals.  Administrators can play city council members against one another to deflect political pressure that might otherwise force more prompt implementation, or administrators may simply find it difficult to decipher the implementation preferences of multiple city council members.  Despite the problems wrought by the direct involvement of city councils, general support within the city council for energy conservation and sustainability efforts in absence of their direct involvement led to faster implementation.

Taken together, these findings have a number of implications for the successful implementation of energy efficiency and conservation policies.

1. We must look at local circumstances in determining the likelihood of successful energy efficiency and conservation programs that are federally funded. Shared preferences between federal and local government are not sufficient
2. Support and administrative guidance by the federal govt at the local level appears to mitigate most incapacity problems. For instance, the DOE provides EECBG recipients with several training and technical support opportunities to help with the substantive issues associated with applying for and implementing energy efficiency and conservation projects.  They do not, however, provide additional local staff members who could utilize these resources, which proves to be the main capacity problem in implementation.
3. The lack of local staff capacity highlights a third policy implication. Governments with lower levels of capacity may actually select the simplest projects – the lowest hanging fruit- in order to expedite project success.
4. The findings on political commitment suggest that the federal government can benefit from building general support among municipal governments. In particular, concentrated government support from a mayor may help accomplish program goals.
5. Finally, in cases where the municipal government is managed by a council, the grantor government will have greater efficiency in implementing policies if it can unite the preferences of council members.

——————————————————————————————————————-

Understanding the Effect of Formal and Informal Contracting Mechanisms on Implementation Performance

By Jessica N. Terman, Ph.D.
Assistant Professor
Schar School of Policy and Government
George Mason University

The use of private and non-profit contractors to implement federally funded energy efficiency and conservation projects at the local level has become common practice.  The implementation of federally funded projects and programs at the local level is referred to as fiscal federalism while the use of third parties – organizations other than the state or local government to which federal monies are funneled – in the implementation of these federally funded projects is referred to as third-party federalism (or third-party implementation).  While reliance on such third-party implementers in the context of fiscal federalism often takes more time it generally results in greater economic stimulation than if local governments implement these projects our their own (Terman and Feiock, 2015). Yet little is known about how specific contract management techniques can contribute to the success or failure of federally funded, locally implemented energy projects.  In looking at the United States’ Energy Efficiency and Conservation Block Grant (EECBG) Program, one of several programs funded by the American Recovery and Reinvestment Act (ARRA), my coauthors and I identify formal and informal contract management mechanisms that increase the prospects for successful project implementation. Specifically, we find that the contract bidding and contract design processes offer local contracting governments levers by which to promote efficient third-party implementation and thus more effectively advance energy conservation and efficiency policy initiatives.

Early research on third-party implementation indicates that market competition allows non-government organizations to produce better quality public goods and services more efficiently than government organizations (Savas 2000).  A variety of studies provide at least limited support for these claims (Becker and Sloan 1985; Miranda and Lerner 1995) and suggest that using contractors projects an image of improved performance (Joaquin and Greteins 2010; Terman and Yang 2010). Research on contract management has refined these conclusions by demonstrating that formal management of contractual relationships between the government and third-party implementers is necessary to produce favorable performance outcomes (Brown, Potoski, and Van Slyke 2006; Yang, Hsieh and Li 2009).  However, research within this body of literature has produced mixed results and indicates that formal management and market competition are not a guarantee of efficient implementation or of the long-term success of federally funded projects at the local level (Yang, Hsieh, and Li 2009; Romzek and Johnston 2005; Lamothe and Lamothe 2010).

We add to this literature by specifying particular contract management techniques that can explain a variety in third-party implementation outcomes.  Drawing on existing literature, we identify three formal mechanisms of contract management (full and open competitive bidding, contract rescission, outcome-based performance measures) and four informal mechanisms (trust, contractor reputation, previous relationship, government-contractor goal congruence) that may affect implementation (Terman and Feiock 2016).

The U.S. Department of Energy (DOE) EECBG Program offers insight into the role of these mechanisms.  The federal government intended for the EECBG Program to create jobs and boost local economies in the areas of energy efficiency and conservation by implementing projects as expeditiously as possible (DOE 2010, 2011; GAO 2011).  However, the effectiveness of the ARRA-funded programs was hampered in many cases by implementation delays (Carley, Nicholson-Crotty, and Fisher 2015; Terman and Feiock 2015).  To better understand whether formal and informal contract management mechanisms can help explain the success or failure of local implementation by contractors, we look specifically at energy audits and energy retrofits within the EECBG Program.  Audits and retrofits are particularly instructive since they were the most common grant-funded activities and tended to involve third-party implementers; eight-six percent of local governments that engaged in energy audits and retrofits through the EECBG Program relied on third parties to conduct energy audits, and ninety-four percent used contractors for energy retrofits  (Terman and Feiock 2014; EECBG 2012).  Moreover, the implementation performance and effectiveness of these federally funded energy project types affects public and private energy consumption.  As such, the local government contract management practices associated with project implementation shed light on how to advance energy efficiency and achieve desired outcomes in the intergovernmental grant process.

Using primary data sources from the 2011 national survey EECBG: Implementation and Impact, conducted by the Florida State University Local Governance Research Laboratory, and from the U.S. DOE administrative records on each city’s grant projects and performance, we estimate separate models for energy audits and energy retrofits (Terman and Feiock 2016).

We find that the three formal mechanisms of contract management have a strong effect on local third-party implementation.  To start, top performance in energy audits and full and open competitive bidding are positively associated.  When the contracting government gives potential contractors the opportunity to compete unfettered by preferential treatment to more influential vendors, it helps incentivize contractors to maintain high levels of performance in order to maintain the contract.  Likewise, the use of outcome-based performance measures was positively associated with implementation performance for both energy audits and retrofits.  This suggests that when project implementers choose to focus on the implementation process rather than outcomes, it is less likely that the ultimate purpose of the contract will be achieved.  For example, in energy audits, the desired outcome is the achievement of reduced energy use through behavioral modification and technological upgrades.  In energy retrofits, the desired outcome is energy savings.  Being assessed based on these outcomes encourages contractors to employ more technically thoughtful and rigorous implementation to ensure desired outcomes.  On the other hand, analyses of both energy audits and retrofits demonstrate that contract rescissions are negatively associated with implementation performance.  In other words, contracts including rescission clauses, which specify the circumstances under which either party may withdraw from their contractual obligations, hinder implementation performance.

Informal mechanisms, including trust, contractor reputation, previous relationships with a contractor, and shared goals between the government and contractors ultimately have little effect on the success or failure of project implementation.  Of these, only goal congruence has a significant effect: for energy audits, municipalities that report considering whether they have shared goals with the contractor have heightened implementation performance.  Shared goals between the contractor and contracting government reduce the risk of contractors pursuing their own interests at the expense of the government (Miller 2005).  And while trust and reputation are somewhat speculative in the decision-making process, governments can look at an organization’s stated mission and goals to make inferences about contractor goals.

These findings indicate that local governments using contractors to implement federally funded energy projects can use formal contract management techniques to increase the likelihood of successful implementation.  There are four main lessons for contracting governments.  First, contracting governments stand to benefit from ensuring a full and open bidding process, which broadens the market with sufficient suppliers and offers governments more tools to maximize contractor performance.  Second, including rescission clauses in contracts may deter highly qualified potential contractors from accepting the job, while hedging the level of effort others are willing to put into performance.  This reflects contractors’ fear that they will lose any monies for duties already performed should the contracting government choose to rescind the contract and a fear of opportunistic behavior by the contracting government. While the ability to rescind contracts protects governments against opportunistic or poorly performing contractors, it introduces a potentially unacceptable risk for the contractor.  Third, outcome-based performance measures appear to be a useful tool for facilitating contractor performance for products such as audits and retrofits.  These metrics help formally align the goals of the contractor with the goals of the government and incentivize the contractor to think about the long-term purpose of the public good or service being purchased.  Finally, the informal mechanism of shared goals indicate that the government should consider the mission and goals of prospective contractors to ensure it selects one that is a good fit for the project at hand.  This will help minimize problems moving forward.

These techniques hold broader relevance as well.  At the local level, we expect these lessons to apply more generally to government contracting, beyond the realm of energy efficiency and conservation policy.  At the federal level, the government is increasingly relying on state and local governments to implement federal programs, and these state and local governments continue to use third-party contractors.  This is creating new obstacles and increased complexity that impedes the ability of federal agencies to ensure implementation performance (Terman and Feiock 2014).  Future federal grant design might enhance implementation performance by including additional formal requirements in contract design regarding the use of third-party implementers.  By aligning goals and increasing contractor incentive, the use of formal contract management techniques holds promise at all levels of contractual relationships to improve prospects for advancing federal energy policy initiatives.

This policy paper has been adapted from: Terman, J. N., & Feiock, R. C. (2016). The Effect of Formal and Informal Contracting Mechanisms on Implementation Performance in the US Federalist System. Local Government Studies, 42(2), 309-331.

References

Becker, E. R., and F. A. Sloan. 1985. “Hospital Ownership and Performance.” Economic Inquiry 23 (1): 21–36. doi:10.1111/ecin.1985.23.issue-1.

Brown, T. L., M. Potoski, and D. M. Van Slyke. 2006. “Managing Public Service Contracts: Aligning Values, Institutions, and Markets.” Public Administration Review 66 (3): 323–331. doi:10.1111/puar.2006.66.issue-3.

Carley, S., S. Nicholson‐Crotty, and E. J. Fisher. 2015. “Capacity, Guidance, and the Implementation of the American Recovery and Reinvestment Act.” Public Administration Review 75 (1): 113–125. doi:10.1111/puar.12294.

Goldmacher, S. 2010. “Stimulus Projects Delayed by Review Backlog.” Los Angeles Times, January 4.

Joaquin, M. E., and T. Greteins. 2010. “Determinants of Program Performance: Results from Ombs PART Analysis.” Public Performance and Management Review 33: 4.

Lamothe, M., and S. Lamothe. 2010. “Competing for What? Linking Competition to Performance in Social Service Contracting.” The American Review of Public Administration 40 (3): 326–350. doi:10.1177/0275074009337621.

Miller, G. J. 2005. “The Political Evolution of Principal-Agent Models.” Annual Review of Political Science 8: 203–225.

Miranda, R., and A. Lerner. 1995. “Bureaucracy, Organizational Redundancy, and the Privatization of Public Services.” Public Administration Review 55 (2): 193–200. doi:10.2307/977185.

Radnofsky, L., and M. Trottman. 2010. “Red Tape Delayed Stimulus Projects.” Wall Street Journal, February 19, p. A1.

Romzek, B., and J. Johnston. 2005. “State Social Services Contracting: Exploring the Determinants of Effective Contract Accountability.” Public Administration Review 65 (4): 436–449. doi:10.1111/puar.2005.65.issue-4.

Savas, E. S. 2000. Privatization and Public-Private Partnerships. New York: Chatham House.

Terman, J., and R. Feiock. 2014. “Third-Party Federalism: Using Local Governments (and Their Contractors) to Implement National Policy.” The Journal of Federalism 45 (2): 322–349.

Terman, J. N., and R. C. Feiock. 2015. “Improving Outcomes in Fiscal Federalism: Local Political Leadership and Administrative Capacity.” Journal of Public Administration Research and Theory 25 (4): 1059–1080.

Terman, J. N., and R. C. Feiock. 2016. “The Effect of Formal and Informal Contracting Mechanisms on Implementation Performance in the U.S. Federalist System.”  Local Government Studies 42 (2): 309-331.

Terman, J., and K. Yang. 2010. “Contracting and the Performance Assessment Rating Tool: Politicization or Sound Management.” Public Administration Quarterly 34 (3): 400–433.

U.S. Department of Energy. 2010, May 24. Energy Efficiency and Conservation Block Grant Program: Funding Opportunity Announcement. 75-28801. Washington, DC: Government Printing Office.

U.S. Department of Energy. 2011, June 23. EECBG Program Notice. Washington, DC: Government Printing Office.

U.S. Government Accountability Office. 2011, April. EECBG under the Recovery Act, 11–379. Washington, DC: Government Printing Office.

Yang, K., J. Y. Hsieh, and T. S. Li. 2009. “Contracting Capacity and Perceived Contracting Performance: Nonlinear Effects and the Role of Time.” Public Administration Review 69 (4): 681–696. doi:10.1111/puar.2009.69.issue-4.

Cyber Security of Energy Systems: Institutional Challenges

Introduction

To promote energy security, efficiency, and sustainability, many national and local governments continue to advance adoption of smart technologies for energy systems. These smart systems rely more heavily on interconnected IT networks than traditional energy systems. This reliance poses new challenges from increased risk of natural and human-induced disruptions, as well as wider-ranging and more severe impacts of such disruptions.

These expanded technological vulnerabilities highlight the importance of cyber security for resilience of these smart energy systems. The December 2015 “BlackEnergy” malware attack on Ukraine’s power grid demonstrates these vulnerabilities and the need to address them. The attack destroyed computers and control systems, causing blackouts for hundreds of thousands of people.

Addressing Challenges to Cyber Security of Energy Systems

Recognizing these challenges and risks to energy system resilience, governing bodies at all levels—local to international—have made efforts to catalog and address them. The United States is considered a global leader on these efforts. The U.S. General Accountability Office (GAO) has identified protection of the electricity grid as a government-wide high-risk sector since 2003.[1] Since 2004, the Department of Energy (DOE) has been working with asset owners, operators, government agencies, and other stakeholders to develop roadmaps to address cyber security threats. Examples include building a Supervisory Control and Data Acquisition (SCADA) Test Bed to help identify vulnerabilities, developing the Cybersecurity for Energy Delivery Systems program, and providing funding for projects through the Smart Grid Demonstration program (SGDP).[2] In 2008, the Federal Energy Regulatory Commission (FERC) approved critical infrastructure protection standards developed by the North American Electric Reliability Corporation (NERC).[3] The same year, a Congressional commission provided Congressional testimony and a report formally assessing the threat of an electromagnetic pulse (EMP) attack on the nation’s electricity grid.[4] DOE also leads an interagency team to develop smart grid cyber security requirements, which produced cyber security guidelines published by the National Institute of Science and Technology (NIST) in 2010. In 2011, DOE released the Roadmap to Achieve Energy Delivery Systems Cybersecurity, a 10-year plan engaging government, industry, and academia.[5] The same year, an SGDP project managed by the National Rural Electric Cooperative Association (NRECA) released guides for utilities to utilize in developing cyber security plans.[6] The guidelines developed by both the interagency team and NRECA were updated in 2014. NIST also developed a cyber security framework for critical infrastructure, and the Department of Homeland Security (DHS) and DOE are working with the electricity industry to implement it.

And yet, despite this awareness of the risks of cyber attacks on energy systems and efforts to address them, effective protection against them remains elusive, even in the United States. A recent CNN article quotes a U.S. government official as stating that safeguards for U.S. systems are no better than those protecting the breached systems in Ukraine.[7]

Before the watershed event in Ukraine, numerous pieces of legislation emerged and died in both the House and Senate for more than a decade. In 2011, reports by the GAO and the International Energy Agency (IEA) both identified six major ongoing challenges impeding resolution of power grid vulnerabilities on national and global scales:

• Inadequate information provided to consumers about the benefits, costs and risks associated with smart grid systems.
• Inconsistent implementation of sufficient security features built into smart grid systems.
• Lack of an effective mechanism for the electricity industry to share information on cyber security.
• Absence of electricity industry metrics for evaluating cyber security.
• An electricity system regulatory environment that could inhibit cyber security of smart grid systems.
• Utilities’ focus on regulatory compliance instead of comprehensive security.[8]

The GAO report also identified a related problem: an uncoordinated approach to monitoring of industry compliance with voluntary standards. Testimony by the GAO before the Senate Committee on Energy and Natural Resources in 2012 reiterated these challenges.[9] A CRS report from the same year identified similar problems, including utilities’ right to self-identify critical assets subject to standards for infrastructure protection, ambiguous federal leadership on cyber security, and standards driven by the minimum needed to achieve compliance.[10]

The Role of Institutional Relationships

All of these challenges reflect underlying problems in the institutional relationships that govern and operate our electricity grid. These problems in relationships between policymakers, regulators, utility companies and consumers comprise four broad categories:

• Unclear leadership on and responsibility for cyber security of energy systems;
• Divergent views on cyber security protection and priorities;
• Discrepancies in risk perceptions;
• Poor communication and transparency of data and policies; and
• Tension over liability.

Understanding these problems will enable more effective cyber security solutions to address vulnerabilities of traditional and smart grids. While numerous studies examine the technological requirements for cyber security of traditional and smart energy systems, none analyze these crucial institutional factors.

In the United States, overlapping responsibilities for oversight of cyber security measures to protect the power grid frame the other challenges. At the federal level, regulatory and policy jurisdiction is split across the Department of Homeland Security (DHS), the Federal Emergency Management Agency (FEMA), the Federal Energy Regulatory Commission (FERC), the Department of Energy (DOE), and NIST. This allocation of responsibility requires close cooperation, communication, and alignment of risk perceptions. State regulators’ roles add to this oversight complexity. The 2011 CRS report noted overlapping claims of power grid cyber security leadership across DHS, DOE and FERC.[11] In testimony at a 2015 hearing before the House Subcommittees on Energy and Research and Technology, the GAO mentioned FERC’s lack of coordination with other regulators on monitoring of industry compliance with voluntary standards. The GAO’s 2015 testimony also reiterated the continued need for clear delineation of responsibility for cyber security of energy systems, noting that the introduction of smart grid in energy systems further complicates federal versus state jurisdiction.[12] Unclear responsibility and leadership for cyber security of energy systems can contribute to delays in introduction and implementation of cyber security initiatives, as well as delays in responses to cyber attacks.

The operational structure also complicates implementation of cyber security measures for the power grid. In the United States, electricity providers operating in different regions include publicly owned utilities, investor-owned utilities, cooperatives, federal power agencies and power marketers. These complex policy, regulatory and industry structures have contributed to unclear delineation of responsibility and leadership, divergent risk perceptions, lack of transparency, and liability concerns. Industry organizations such as the Edison Electric Institute (EEI) have asserted a need to limit federal authority over cyber security of electricity assets, while highlighting the need for coordination on cyber protection of the electricity sector and interrelated sectors such as telecommunications, water and transportation.[13]

Effective protection against cyber attacks on the electricity sector requires consistency in priorities and risk perceptions across these government agencies, electricity providers and consumers. These groups’ continued disagreement on the likelihood and severity of potential cyber attacks inhibits development and implementation of cyber security measures. Historically, DHS has focused on risks associated with natural disasters, rather than cyber attacks. FERC asserts that cyber attacks pose a real threat to U.S. electricity infrastructure. FEMA has struggled to overcome internal disagreement over the potential for and consequences of a cyber attack on the U.S. power grid. Broadly, the utilities operating power plants have asserted that adequate cyber security measures are in place. In contrast, U.S. consumers tend to distrust unfamiliar and complex technologies, and books such as Ted Koppel’s Lights Out have informed and heightened public perceptions of the risks associated with cyber attacks on energy systems.[14] Transparency of information and the policy process serves as an important factor that can foster coordination of risk perceptions across these groups.

And yet, several of the problems identified by the GAO and the IEA reflect transparency problems between the government, the utilities and the public. For instance, failure to provide sufficient smart grid cost, benefit and risk information to consumers represents a lack of transparency that limits public understanding of cyber hazards of smart grid systems, perpetuates divergent risk perceptions, and limits governmental and private sector efforts to engage the public in cyber security measures. The electricity industry’s lack of an effective mechanism for sharing cyber security information represents another transparency failure that compounds these effects. At the same time, the public and Congress have demanded greater transparency regarding potential threats and measures to address them.

Concerns regarding liability for cyber security problems have inhibited the electricity industry’s interest in transparency. The utilities fear that acknowledging cyber security vulnerabilities or problems may lead to responsibility for compensation, as well as calls for stricter standards. Industry organizations like EEI have emphasized the need for liability protection to promote greater information sharing across the government, industry, and consumers.[15]

Leadership ambiguity, divergent cyber security goals and risk perceptions, insufficient transparency, and liability concerns all have contributed to a problematic regulatory environment. The 2011 GAO and IEA reports describe it as potentially inhibiting smart grid cyber security. Both reports also assert that the relationship between federal and state regulators and the electric utilities has emphasized compliance with regulations rather than promoting a joint focus on comprehensive security.[16] This depiction of problematic regulations and misdirected focus reveals tensions in the regulator-utility relationship that can improve with clarity of leadership, alignment of cyber security goals and risk perceptions, and improved transparency and liability frameworks.

Progress and Remaining Gaps

Since 2013, U.S. government agencies, Congress, and NERC have taken steps to address the issues identified by the GAO, IEA and CRS. NERC revised cyber security standards in 2013 to reflect FERC’s 2011 guidance.[17] A 2015 CRS report describes these revised standards as moving from a focus on compliance toward security-based goals.[18] In 2014, Congress passed five cyber security bills signed by President Obama. A 2016 CRS report highlights the improvements this legislation makes in codifying the respective leadership roles of NIST and DHS.[19] The Consolidated Appropriations Act signed into law in December 2015 contains cyber security provisions that aim to promote transparency by addressing liability concerns.[20] These provisions, contained in the Cybersecurity Information Sharing Act of 2015 (CISA), could contribute to greater information sharing that could, in turn, foster alignment of risk perceptions.[21]

Effective cyber security for the electricity system requires solutions that address the underlying institutional challenges of leadership and responsibility, transparency and liability, and alignment of priorities and risk perceptions. If new policies do not clarify coordination between DHS, NIST, DOE, FERC, NERC, and the states, leadership challenges will remain. CISA’s passage as part of the spending bill reflects the difficulty of passing a stand-alone policy on information sharing and liability. Ongoing tensions over privacy concerns influence government-utility-consumer relationships and the ability to advance cyber security in the electricity sector. Compounding this problem, existing legislation has focused on industry’s provision of information to the government, but critiques of cyber security transparency have included a lack of information to consumers. Further, coordination and transparency challenges continue to exacerbate differences in government, utility and consumer views of cyber security and risk perceptions. Progress on all of these areas is needed for cooperation on creation of a security culture that transcends compliance.

Need for an Inventory of International Best Practices

The United States is not alone in facing these institutional challenges to cyber security of energy systems. Other advanced nations with similar government and industry attention on resilient energy systems, such as Japan and Germany, also are struggling with comparable issues. A comparative study of these three countries can illuminate practices that can foster clear leadership, alignment of views and risk priorities, and transparency. An evolving inventory of such practices would facilitate technological and regulatory cyber security measures that contribute to global development of resilient, secure smart grid systems.

[1] U.S. Government Accountability Office, GAO-11-278, High-Risk Series: An Update (Feb. 2011), available at http://www.gao.gov/assets/320/315725.pdf.

[2] “Cybersecurity,” SmartGrid.gov, accessed June 3, 2016, https://www.smartgrid.gov/recovery_act/overview/cyber_security.html; “Smart Grid Demonstration Program”, SmartGrid.gov, accessed June 3, 2016, https://www.smartgrid.gov/recovery_act/overview/smart_grid_demonstration_program.html.

[3] Mandatory Reliability Standards for Critical Infrastructure Protection, 18 C.F.R. pt. 40 (2008), available at http://www.balch.com/files/upload/FERC%20Order%20706.pdf.

[4] Report of the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack: Critical National Infrastructures (Apr. 2008), available at http://www.empcommission.org/docs/A2473-EMP_Commission-7MB.pdf; see also Clay Wilson, Cong. Research Serv., RL 32544, High Altitude Electromagnetic Pulse (HEMP) and High Power Microwave (HPM) Devices: Threat Assessments (2008), available at http://www.mountainx.com/files/EMP_from_CRS_July_2008.pdf.

[5] For details, see Energy Sector Control Systems Working Group, Roadmap to Achieve Energy Delivery Systems Cybersecurity (Washington, D.C.: U.S. Department of Energy, 2011), available at http://energy.gov/sites/prod/files/Energy%20Delivery%20Systems%20Cybersecurity%20Roadmap_finalweb.pdf.

[6] Evgeny Lebanidze and Daniel Ramsbrock, Guide to Developing a Cyber Security and Risk Mitigation Plan – Update 1 (Dulles, VA: NREC/Cooperative Research Network, 2014), available at https://groups.cooperative.com/smartgriddemo/public/CyberSecurity/Documents/CyberSecurityGuideforanElectricCooperative-U1.pdf (revision of the original 2011 version).

[7] Evan Perez, “First on CNN: U.S. Investigators Find Proof of Cyberattack on Ukraine Power Grid,” CNN, Feb. 3, 2016, http://www.cnn.com/2016/02/03/politics/cyberattack-ukraine-power-grid/index.html.

[8] GAO-11-278, High-Risk Series; International Energy Agency, Technology Roadmap: Smart Grids (Paris: IEA, 2011), 16, available at https://www.iea.org/publications/freepublications/publication/smartgrids_roadmap.pdf.

[9] Cybersecurity Challenges in Securing the Electricity Grid, Before the S. Comm. on Energy and Natural Resources 112th Cong. (2012) (statement of Gregory Wilshusen), available at http://www.gao.gov/assets/600/592508.pdf.

[10] Richard Campbell, Cong. Research Serv., R41886, The Smart Grid and Cybersecurity – Regulatory Policy and Issues (2011), available at https://www.fas.org/sgp/crs/misc/R41886.pdf (subsequently updated in 2013).

[11] Ibid.

[12] Critical Infrastructure Protection: Cybersecurity of the Nation’s Electricity Grid Requires Continued Attention, Before the H. Subcomm. on Energy and Research and Technology, Comm. on Science, Space and Technology, 114th Cong. (2015) (statement of Gregory Wilshusen), available at http://www.gao.gov/assets/680/673245.pdf.

[13] Edison Electric Institute, Electric Sector Priorities in Cybersecurity Legislation (March 2015), available at http://www.eei.org/issuesandpolicy/cybersecurity/Documents/EEI%20Cybersecurity%20Legislative%20Priorities.pdf.

[14] See Ted Koppel, Lights Out (New York: Crown Publishers, 2015).

[15] American Public Power Association et al., letter to Majority Leader Mitch McConnell and Minority Leader Harry Reid, Aug. 3, 2015, http://www.eei.org/issuesandpolicy/testimony-filings-briefs/Documents/150803Eei-IndustrySenateCybersecurityCisa.pdf.

[16]GAO-11-278, High-Risk Series; IEA, Technology Roadmap, 16.

[17] Cyber Security Standards Transition Guidance (Revised), North American Electric Reliability Corporation (Sept. 5, 2013), available at http://www.nerc.com/pa/comp/Resources/ResourcesDL/Cyber%20Security%20Standards%20Transition%20Guidance%20(Revised).pdf.

[18] Richard Campbell, Cong. Research Serv., R43989, Cybersecurity Issues for the Bulk Power System (2015), available at https://www.fas.org/sgp/crs/misc/R43989.pdf.

[19] Rita Tehan, Cong. Research Serv., R43317, Cybersecurity: Legislation, Hearings, and Executive Branch Documents (2016), available at https://www.fas.org/sgp/crs/misc/R43317.pdf.

[20] Consolidated Appropriations Act, 2016, Pub. L. No. 114-113 (2015), available at https://www.congress.gov/bill/114th-congress/house-bill/2029/text/pl.

[21] For more information, see Tehan, Cybersecurity: Legislation. The report describes H.R. 1560, H.R. 1731, H.R. 3490, S.754, and H.R. 3878.