The Fix for Hacked Pipelines Isn’t Spare Pipelines

Former energy secretary Dan Brouillette raises a novel answer to the problem of the East Coast relying on a single, vulnerable pipeline for so much of its fuel: permits for more pipelines. To quibble, it’s one pipeline system. Still, he’s right that the Northeast, and East Coast in general, relies on it enormously. But the idea that the solution lies in just permitting more pipelines — assuming millions of Americans in some of the country’s most densely populated states were okay with that — requires a bit more nuance. Indeed, one big reason nobody’s building a Colonial clone is something Brouillette championed: energy independence. Three things transformed the US oil equation over the past 15 years: plateauing demand, shale supply and growing environmental concerns, especially around climate change. One result is that US refining capacity stayed pretty flat, but more of it has become concentrated where the oil is the cheapest and most plentiful: the Gulf Coast. East Coast demand for oil peaked in 2005 (on an annual basis), and refineries there have struggled to compete; capacity has fallen by more than half over the past 15 years. Much like anything else, we like our energy to be as cheap as possible. Redundancy costs extra. And competition doesn’t work with energy networks in quite the same way it does for supermarkets. There’s a reason we don’t have a dozen different networks strung or buried across our towns and cities vying for your business; network economics (along with aesthetics) favor interconnected grids, not parallel ones. Instead, we regulate these natural monopolies to balance investment requirements with pricing. Building extra pipelines, especially in a flat to declining market, is a recipe for lower utilization and higher carrying costs. Any company would of course love a regulated rate of return to build more stuff that just sits idle most of the time (just ask Warren Buffett). It’s drivers who would pay for it. As an aside, if you find anyone drawing a parallel between Colonial’s situation and the Keystone XL pipeline, do them a favor and point them toward an atlas. Brouillette wasn’t alone in drawing dubious conclusions from the Colonial hack. His successor at the Department of Energy, Jennifer Granholm, pandered to her own side, commenting last week that “If you drive an electric car this would not be affecting you, clearly.” Because power grids never go down, obviously. The ultimate goal of electrifying transport is crucial in addressing climate change. But let’s not pretend power grids aren’t also giant, vulnerable networks. Similar to climate change, cyberattacks represent a 21st-century challenge to US energy networks mostly designed in the 20th. As it is, we face an enormous investment requirement to retool them for reducing emissions. Building shadow networks that also ultimately add more capacity for emissions would fail on both cost and outcome. Equally, assuming a plug will shield you better than a pump from online baddies would be ridiculous. The far more straightforward answer is to address the issue at hand — cybercrime — by strengthening investment in countermeasures to cybercrime. That isn’t just a question of dollars, but also how we incentivize those dollars and best practices on the part of the people who manage and maintain these vital pieces of infrastructure. This is the sort of redundancy we need. Prevention is everything here. Once Colonial was compromised, paying the ransom was unavoidable; there’s simply not much time for standing on principle when folks start filling plastic bags with gasoline. The only issues worth debating now are what mistakes were made by Colonial to let this happen in the first place and whether our voluntary system of reporting and standard-setting really makes sense for such important pipelines. In light of recent events, I’m going with a hard “no” on the latter. And who knows, this might be a pipeline Pearl Harbor that galvanizes Washington’s two tribes into agreeing on common-sense regulations to encourage and enforce cybersecurity. It’s been almost nine years since a major cybersecurity bill with mandatory standards for critical infrastructure was first watered down and then squished by a largely Republican senate filibuster. At the time, opponents deemed the measures too burdensome for business. Experience is teaching us the alternative is a risk society cannot tolerate. Bloomberg