The President's Executive Order on Grid Security Creates Peril and Uncertainty for US Power Companies
The security of the bulk-power system has long been an issue of deep concern in the US. In late 2019, the North American Electric Reliability Corp (NERC) reportedly suffered a cyberattack which created blind spots at a grid control center and several power generation sites in the western US.
In mid-April 2020, “Electric Panda” hackers allegedly sponsored by China apparently had been targeting critical US infrastructure, including power generation. These factors have only exacerbated the on-going concerns about the perceived security risks of using foreign manufactured components in critical US infrastructure systems.
In purported response to these concerns, on May 1, 2020, President Trump issued an Executive Order on Securing the United States Bulk-Power System (the Executive Order), which prohibits any acquisition, importation, transfer, or installation of any US bulk-power system electric equipment where:
The transaction involves any property in which any foreign country or foreign national has any interest (including through supply contracts);
The transaction was initiated after the date of the Executive Order; and
Where the Secretary of Energy, in coordination with the Director of the Office of Management and Budget (OMB) and in consultation with the Secretary of Defense, the Secretary of Homeland Security, the Director of National Intelligence (DNI), and, as appropriate, the heads of other executive departments and agencies (agencies), has determined that:
The transaction involves bulk-power system electric equipment designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary; and
The transaction: (i) poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of the US bulk-power system; (ii) poses an undue risk of catastrophic effects on the security or resiliency of US critical infrastructure or the economy of the US; or (iii) otherwise poses an unacceptable risk to the national security of the US or the security and safety of US persons.
The Secretary of Energy, in consultation with the heads of other agencies as appropriate, may:
Design or negotiate mitigation measures, which may serve as a precondition to the Secretary’s approval of certain transactions or of a class of transactions; and
Establish and publish prequalification criteria and procedures criteria for recognizing particular equipment and particular vendors in the bulk-power system electric equipment market as pre-qualified for future transactions; and may apply these criteria to establish and publish a list of pre-qualified equipment and vendors.
Political Perspective: Continuation of Election Year “Tough on China” Policy
The Executive Order appears to be another element of the Trump Administration’s broader strategy to counter what it sees as the Chinese government’s strategic efforts to expand its grip on various sectors of the US economy. In recent weeks, senior White House advisor and Director of Trade and Manufacturing Policy Peter Navarro has sought to advance the goal of shifting medical and pharmaceutical supply chains away from China. Navarro’s effort is aimed at returning production of these goods to the US, but he has faced significant push back from agency officials concerned that any near-term actions limiting access to medical and pharmaceutical products today could hamper the fight against COVID-19 in the US. With that separate action having been stymied (at least for now), anti-China forces within the administration have identified a new avenue to increase pressure on the Asian superpower.
Apparently as justification for taking this extreme measure, the trade hawks in the White House have seized on evidence of possible cybersecurity threats. As noted above, in recent months, US intelligence officials have been sounding the alarm over risks to critical infrastructure, including the electrical grid. Cybersecurity experts say a group they believe is tied to the Government of China called “Electric Panda” launched cyberattacks against contractors that work in various critical US infrastructure areas, including power generation, earlier this year.
By casting the Executive Order as a national security measure, the administration hopes to insulate it from legal attack. Moreover, doing so gives the President another opportunity to appear to be “tough on China” heading into the 2020 presidential election this fall. Since this order is justified as necessary for national security, efforts to reverse it at the World Trade Organization (WTO) are unlikely to succeed (even if the trade body’s dispute settlement mechanism was fully operational, which it is not currently). Article XXI of General Agreement on Tariffs and Trade (GATT) provides an exception from WTO obligations for actions aimed at protecting security interests. The WTO has only addressed the national security exception a limited number of times, as countries have been hesitant to challenge the invocation of a provision on which they too may rely.
Dramatic Changes to Existing Grid Security Regulation
The Executive Order indicates a dramatic shift by the Trump Administration in the manner in which grid security could be regulated in the US. Since the US Department of Energy (DOE) was established 40 years ago, regulation of the electricity industry has been in the hands of the US Federal Energy Regulatory Commission (FERC), with a few narrow exceptions. In 2005, reliability had become a prominent concern, for example, because of the 2003 blackout across the northeast US. Congress established NERC as a self- regulatory organization to set the complex standards needed in an industry like electricity, subject to FERC oversight. The Executive Order borrows the same scope as that 2005 reform in applying to the “bulk-power system.” But this effort at regulating reliability goes in the opposite direction. The US federal government has already been quite active about threats to the security of the US power grid. Since 2005, FERC has been tasked with protecting the reliability of the grid. A 2016 statute set up an information-sharing program between FERC, DOE, and utility operators to ensure that the agencies can get real-time information about critical electrical infrastructure, and that the agencies can share threat information with utilities. In 2018 the US government established a Cyberthreat Office at DOE specifically focused on grid issues.
For several years now, FERC and NERC have been upgrading the standards of security and reliability that utilities must meet. At present, reliability and cybersecurity standards for the industry are enforced through NERC. NERC develops these standards through extensive rulemaking, subject to FERC approval. It then enforces the standards with solely monetary penalties, set at a maximum of US$1 million per day of noncompliance but typically much lower. (During 2019, penalties were mostly in the range of hundreds of thousands of dollars.)
But the Executive Order changes the equation for companies in the US electricity industry, because the tools in it are so blunt and potentially threatening. The Department of Homeland Security (DHS) and DOE play coordinating and policymaking roles, but they do not actually regulate the industry. Now, a company found to violate the Executive Order—which was issued under the International Emergency Economic Powers Act (IEEPA) —could incur a penalty of up to US$250,000 per violation. The Department of Justice will have the authority to impose the penalty on anybody who causes a violation, including a utility executive. Willfully violating the order or assisting a violation is a felony. Meanwhile, instead of the standards carefully developed by FERC and NERC, we will see equipment lists and transaction approvals through DOE. Stated another way — whether or not this was intended — the Executive Order appears to be an end run around FERC’s authority in this area.
It is also important to note that manner in which the Executive Order interacts with the authority of the Committee on Foreign Investment in the United States (CFIUS). CFIUS has long considered the US bulk-power system to be “critical infrastructure”, a designation that subjects businesses to increased scrutiny when accepting certain foreign investments. CFIUS, which historically had its authority limited to only acquisitions resulting in foreign “control” over a US business, had its authority expanded on February 13, 2020, when regulations became effective implementing the Foreign Investment Risk Review Modernization Act of 2018 (FIRMMA). See our presentation on the regulatory updates. Among the new authorities granted to CFIUS at such time was the authority over non-controlling investments in critical infrastructure, if the investment affords the foreign person some form of access, managerial, or governance rights. In an effort to provide clarity to investors, CFIUS enumerated the types of “critical infrastructure” that would be subject to such expanded authority, which included businesses that own or operate any system or facility used for the “generation, transmission, distribution, or storage of electric energy comprising the bulk-power system”; that own or operate “any electric storage resource” that is “physically connected to the bulk-power system”; and that manufacture or service any industrial control system utilized by any such system or facility “comprising the bulk-power system.” While FIRRMA provided CFIUS the expanded authority to protect the bulk- power system against foreign investment that raised risks to national security, the Executive Order now gives the US Government the tools to protect the bulk-power system against foreign equipment used by US businesses.
General Concerns About the Executive Order
In its current form, the Executive Order also give rise to many general concerns and questions:
Authority of the President under the IEEPA. One area of concern may be whether the President really has the authority to regulate the electricity industry in such a sweeping way. As noted above, the Executive Order relies on the IEEPA, a late 1970s statute that has mostly been used for sanctions against countries like Iran. As with some of the President’s other orders, this Executive Order tests the IEEPA authority to its limit, and perhaps beyond. A notable example is that the Executive Order covers any “transaction” in which a foreign person has an “interest”, such as by being party to a contract. In contrast, the IEEPA allows the President to block transactions involving “property” in which a foreign national has an interest—a narrower authority than the Executive Order asserts. Thus, we may see litigation over the interpretation of the scope of the Executive Order.
Conflict between the Role of DOE versus that of FERC. Litigation may also arise about the role of DOE versus FERC. The Executive Order purports to address concerns about grid reliability and security that Congress had already directed FERC to address, using particular mechanisms established by Congress. Against that backdrop, the broad authority of IEEPA might not justify the President in setting up a parallel regulatory regime run by the Secretary of Energy.
Lack of clarity in drafting. Additional concerns arise due to the lack of clarity in the drafting of the Executive Order. One of the primary problems is that the scope of the Executive Order is poorly defined. It applies to equipment used in the “bulk-power system,” but that term is quite vague—including, for example, “electric energy from generation facilities needed to maintain transmission reliability.” The Administration presumably pulled this concept from the 2005 Energy Policy Act—the very same provision that delineated the scope of FERC’s authority to regulate reliability issues. But in that statute, it governs the scope of FERC’s and NERC’s reliability authority, and perhaps for that reason FERC and NERC have both declined to elaborate what it means. A company does not usually need to know whether it is part of the abstract “bulk-power system”; what it needs to know is what NERC standards apply to it. However, to comply with the Executive Order, companies will now need to know what specific facilities and equipment are part of the bulk-power system. Without such clarification, installing any foreign-made equipment in any part of the system without DOE approval will be risky. However, given the complexity of current global supply chains, this will present a considerable burden to US companies.
Scope of the Executive Order. The Executive Order also leaves many unanswered questions about its scope. For example, which generation facilities are “necessary to maintain transmission reliability” in the President’s view?
Does that include the generating equipment itself, or only the equipment that regulates voltage and frequency? Does it exclude storage facilities, since those are not generation at all? The order provides a list of bulk-power system electrical equipment, and then it says the category excludes “[i]tems not included in the preceding list and that have broader application of use beyond the bulk- power system.” Is an item excluded from the scope of the Executive Order only if it meets both tests – i.e., if it is not on the list and it has broader use? But then certain items on the list like capacitors, which unquestionably have very broad use outside of interstate transmission, might arguably be subject to the ban.
Numerous transactions and projects of key actors in the power industry (such as utility companies, independent power producers, developers, EPC firms and private equity groups) may now be in jeopardy due to the issues identified above about the Executive Order. Such industry players are now concerned about what risks they might incur in initiating new projects and transactions and proceeding with ongoing ones due to the lack of clarity in the Executive Order. For example, does their transaction involve equipment utilized in a “bulk-power system,” which is vaguely defined by the order? It is difficult for them to proceed with their projects and transactions without understanding the precise equipment which is meant to be captured by this term in the Executive Order. Also confusing for these important actors is the potential manner by which the poorly defined scope of the order will be carried out by DOE. Will DOE use a “white list/black list” methodology? Or will DOE need to approve or prohibit separately each equipment transaction that is potentially covered by this order? The former could be subject to political influence, while the latter could be fraught with delays and inconsistent determinations endangering the viability of significant power-related projects and transactions. Furthermore, it is not clear whether the government could pursue to retroactively impose penalties to a company’s use of equipment that is later determined to be prohibited. The Executive Order creates a quandary for the US power industry which might well hamper further growth and development of this sector for the immediate future. Without the necessary clarifications, it could be perilous to start new projects and transactions, or even continuing with ongoing ones, but terminating them could also be unacceptably costly.
If the Administration follows its pattern from past trade initiatives, this Executive Order will be followed over the coming months by a series of further orders adjusting it. Some of the ambiguities will hopefully be ironed out in that process. In the meantime, industry attention will focus on DOE. It is critical that DOE issue regulations or at least provide some high-level guidance quickly, both to set up its processes for implementing the order and its determinations about what equipment is and what is not acceptable.