Feeds:
Posts
Comments

Posts Tagged ‘Public Citizen’

Cyber-Security Grid

The Freedom of Information Act (5 U.S.C. 552) was originally enacted in 1966, and has been amended a few times since. The U.S. Supreme Court has said that “[t]he basic purpose of FOIA is to ensure an informed citizenry, vital to the functioning of a democratic society, needed to check against corruption and to hold the governors accountable to the governed.” NLRB v. Robbins Tire & Rubber Co., 437 U.S. 214, 242 (1978). There are, however, nine exemptions, including three related specifically to law enforcement, under which the federal government can withhold information that would otherwise be disclosed under the FOIA.

At federal agencies today, and particularly at the Federal Energy Regulatory Commission, those exemptions from disclosure have been so broadly construed that one can say with reason that FOIA has been administratively repealed. Instead of starting with a policy of full disclosure, from which certain specific categories of information are carved out, federal agencies instead start with St. Peter’s maxim: they’d rather cut off their left hand than allow it to obtain information about their right. Imagine being at the British Admiralty circa 1906 and receiving a request from Kaiser Wilhelm for a complete set of plans for the H.M.S. Dreadnought. That will give you an idea of the view contemporary federal agencies take toward FOIA requests.

Like water in a state of nature, less interesting work in a bureaucracy always flows downhill, where it is handled by persons of lower seniority and even less authority. This leads to over-classification of agency materials as top secret and exempt from FOIA. After all, if you’ve been at your agency job for four years or less and your responsibilities include responding to FOIA requests, why would you release something and risk your superior’s ire, if not your job? Better to pick out an exemption or two from the FOIA menu and send back a response of

REQUEST DENIED

Of course FOIA provides for remedies to obtain disclosure, and those often work for large media companies and the like. But for the vast majority of Americans who lack the resources to commence a FOIA enforcement action in federal district court, those remedies are worse than useless. They’re a cynical joke played on the American people.

Now we have another FERC FOIA dust-up. The North American Electric Reliability Corporation (NERC) submitted to FERC a Notice of Penalty against an electric utility for 127 cybersecurity violations between 2015 and 2018. The company agreed to pay a record-setting $10 million fine its cybersecurity violations. According to some reports the utility is Duke Energy, though that hasn’t been officially confirmed. FERC doesn’t want to publicly release the name of the electric utility.

Why shouldn’t the public be able to know whether their utility is the one that’s risking the reliability of their electricity supply and distribution system because they’re unable to get their cybersecurity act together? These violations, and the $10 million fine, are the fault of the utility’s management, not its ratepayers. Shouldn’t the ratepayers be allowed to know whether their utility is going to try to pass this cost onto them through rates?

Public Citizen, a watchdog group, has demanded that FERC disclose the utility’s name. They have stated that

“Concealing the name of the recipient of the largest fine in history sends a confusing message to the public that large penalties do not come with full accountability,” said Tyson Slocum, director of Public Citizen’s energy program and author of the filing. “Future violators may be able to similarly hide behind the veil of anonymity. Moreover, keeping the public in the dark about the cybersecurity track record of our electric utilities may create a false sense of security and reduce the likelihood of more public awareness and vigilance needed to protect cybersecurity.”

The real problem is that bureaucracies like FERC do not want the curtain pulled back on anything they do, regardless of whether any exemption applies. Any unplanned exposure of their operations risks upsetting their messaging and tarnishing the public image they want to create. Every public performance by an agency has to be staged just so, or else, in this internet media-driven age, a public relations catastrophe could occur.

 

Read Full Post »