What is the proper framework for thinking about cybersecurity?

Long-time MR reader here. I have a question: what is the appropriate framework to think about incentives (economic or otherwise) for electric power utilities to beef up their cybersecurity?

The Biden administration is reportedly putting together a plan to “rapidly shore up the security of the US power grid” [1]. As we know from the SolarWinds hack, our nation’s cyber defenses (whether private industry or government) are inadequate [2], especially when targeted by nation-states [3].

The Bloomberg article says “The White House plan, which is voluntary, lays out a series of possible incentives to get power companies to sign on, a less politically precarious route than mandating their participation through regulation.”

It seems to me that the government offering money to private entities to buy some cybersecurity software products is not the optimal, and certainly not the sustainable, solution. There are needed investments in research & development, workforce training, and much more. Simply deploying today’s tech won’t solve this going forward.

So, what’s the right way to approach this from an incentives perspective? It seems to me that this is a very nuanced problem. We have no easy “target” to shoot for; there is no miles-per-gallon efficiency metric that can be used as a carrot.

That is an email from Matthew Backes.