I was just watching a video on cybersecurity for electrical utility companies (in case you are interested) and in it, they pointed out that utilities operate on razor-thin margins and that it would be difficult to justify to a board additional spending on cybersecurity when there has not been such an attack going on thirteen years after 9/11.
Another commentator remarked that it would require regulation and the word makes some “scream and jump out the window”. To me, we are talking about an economic externality which requires an external incentive to fix (most likely in the form of a regulation, say authorization to assess a security surcharge).
In general, I feel it’s fair to say that where we see externalities, or at least negative externalities, regulation is called for. Now, the nature of regulation can take the form of something like Clean Air Futures; such regulations are required.
I don’t disagree about externalities, but is this really an externality? Isn’t an externality pushing off the cost of something onto another party? Are the power companies really doing that?
Yeah - razor-thin margins as a regulated monopoly allowed to set prices to get a certain level of profit.
Our explosive gas company, PG&E, asked for and got money to monitor and improve gas pipelines - and put the money into profits. Result - a neighborhood blew up. But it had never happened before!
I can’t imagine decent cybersecurity is very expensive given the mass of infrastructure and power generation capital equipment they have. And the time you fix something is before a disaster, not after. I bet what they are really doing is angling for a rate hike to cover what should be a normal cost of doing business. I trust they have guards protecting their plants. Is that an externality also?
Tell them what. Don’t pay for security, but if their grid ever goes down due to an attack we get to line all the senior management up against a wall and shoot them. (Or better, electrocute them.) If they feel so confident, they’ll take the deal.
If the grid ever goes down due to an attack, I think you will have bigger problems. However, you could probably execute them and get away with it, if you think you can spare the ammo.
It is not an externality just because it affects other people. An externality is when you make other people pay the cost of something that benefits private interests. The classic example is pollution. I dump toxic waste into a river and it kills all the fish downstream. There is a fishing guide down the river who loses his business. My action was costless to me but imposed a massive cost on the fishing guide. That is an externality: external entities pay the entire costs of my actions.
If an electrical company suffers a cyber attack, they are the ones who will have to replace databases and computers and suffer the ill will of their customers. They took the action and they suffer the consequences.
It is complicated by the fact that many electrical utilities are not actually private companies but state-mandated monopolies. Thus if they are attacked and their systems go down, they will just raise rates and pass the cost on to their customers, who have no choice but to pay. The problem is not lack of regulation but rather the initial regulation which set up a monopoly which has no incentive to serve its customers. In this case it is conceivable that additional regulations mandating cyber security protections will be worthwhile, but to know that requires a level of expertise unavailable to the layman.
The utility company is already a heavily regulated entity providing a public good. Basically, the utility company is an externality – a positive one. Whether or not to spend money on cyber-security is just a question of the cost of its operations, like whether to pay for a fence around the property and locks on the doors.