In this episode, I speak with Harry Krejsa of Carnegie Mellon about why cybersecurity experts and clean energy advocates need to work together. Drawing from his White House experience, Krejsa explains how a modernized clean energy grid could actually help defend against China's cyberthreats — for the benefit of both peaceniks and natsec hawks.
Text transcript:
David Roberts
Hey, hey, hey, everyone. This is Volts for February 5, 2025, "The cyber security implications of a clean-energy grid." I'm your host, David Roberts. Last year FBI Director Christopher Wray warned Congress that China is engaged in large-scale efforts to hack vulnerable US infrastructure, including the US electricity grid. Agencies like the Government Accountability Office have warned for years about the grid's increasing vulnerability.
Into that milieu, we are introducing gigawatts of clean energy, which tends to involve systems that are much more digital and online and interconnected than their fossil-fuel predecessors. Is all that new "smart" tech going to increase vulnerability to Chinese hackers? Or can it help guard against them?
Harry Krejsa has lots of thoughts on that subject. Until recently, he was working in the Biden White House, helping to develop the 2023 National Cybersecurity Strategy. Now, he is the director of studies at the Carnegie Mellon Institute for Strategy & Technology, from whence he has just released a new white paper with the somewhat overheated title “Sun Shield: How Clean Tech & America’s Energy Expansion Can Stop Chinese Cyber Threats.” So, will clean energy be a cyber shield or a cyber vulnerability? We're going to dig into all the details.
All right then. So, with no further ado, Harry Krejsa, welcome to Volts. Thank you so much for coming.
Harry Krejsa
Thank you for having me. I'm honored to be here.
David Roberts
This is a subject of much fascination for me, and I feel like it's an undercovered subject that's going to be covered a lot more in the coming years. So, I'm glad to get here on the front edge of it. But I'll just tell you, just putting my cards on the table up front, I am, in my heart of hearts, a dirty hippie, what they used to call a peacenik, and as such, have what I think of as a pretty healthy skepticism toward the US security apparatus and US security agencies. So, I will just say that when Christopher Wray comes to Congress, in the context of asking Congress for a bunch more money and says, "Ah, there are Chinese hackers everywhere, they're behind you right now. They're probably under your desk, like, this is a looming threat, we need lots more money." I am — my eyebrow goes up. And I kept reading these articles about the Chinese threat and one thing I thought was notable is that at no point does anyone say, "The Chinese hacked US infrastructure and then did X, had X effect, caused X damage, X dollars of damage." It's all "they're preparing and lurking and they're out there just waiting." So, you see where I'm coming from as a peacenik. All of this sounds like classic US security apparatus threat inflation to me somewhat.
So, I want to just start by maybe you can just convince me that there's a real and pressing threat here.
Harry Krejsa
Certainly. And that skepticism that you mentioned is a healthy one. And it's why I was excited to come talk to you and the Volts audience, who I imagine probably share some of that skepticism. Skepticism that I also shared coming into this space. I'm a Chinese linguist by training. I began my career working in China and Taiwan. And when I came back stateside, I started researching US-China technology competition, which brought me into government service. I started in the Pentagon on their civilian staff during the first Trump administration. And then after the Biden transition, I took a political appointment into the White House.
And across that time in government, I was the most granola-crunching person I knew at the Pentagon, but —
David Roberts
Probably a pretty low bar.
Harry Krejsa
Indeed, but I cleared it. But during that time, I learned all about how and why China's building these kinds of cyber capabilities to threaten our infrastructure, and to my pleasant surprise, how clean energy could be uniquely capable of helping protect us from exactly those kinds of threats. There's a cliché that the thing that Americans most frequently get wrong about international relations is that other countries have domestic politics too.
David Roberts
I thought they just sat around talking about America. Like, "What do you think about America?"
Harry Krejsa
Well, I think that might be the case in lots of places and that their politics also reflect that part of our politics. But yeah, they have their own internal considerations, as it turns out. The domestic politics of China, the People's Republic of China, revolve specifically around the Chinese Communist Party's obsession with remaining in power and protecting itself against challenges to its legitimacy. That includes decades of talking points about how democracy and democratic values are just not appropriate for or compatible with Chinese history and culture. The problem with that line of argument is, of course, Taiwan.
You know, Taiwan is this flourishing, self-governing democracy of 25 million people who have the same Chinese lingual and historical heritage.
David Roberts
Kind of embarrassing that it's just sitting right there, next door.
Harry Krejsa
Yes, and its continued existence, as you said, is an embarrassment and a source of frustration for the Chinese Communist Party, one that Xi Jinping has said in speeches he does not intend to pass on to a successor. So, it's been widely reported that he's told his military to be prepared to violently conquer Taiwan by the end of the decade. These preparations include a buildup of arms and ammunition, construction of amphibious landing craft to cross the hundred-mile strait of Taiwan, and storm its beaches. We can see these craft from space.
But it also includes preparing to kneecap the United States so that we cannot come to Taiwan's rescue.
David Roberts
Yeah, I was going to say the last I heard, and I haven't followed this closely, but the last I heard, Biden was asked very straightforwardly, "Will you step in if they go after Taiwan?" And he said very straightforwardly, "Yes." So, as far as I know, the US Government's position, correct me if I'm wrong, is still "This will trigger action on our part."
Harry Krejsa
We have historically had a strategic ambiguity about that answer. And so, that level of explicitness, there's been some debate about what was said and what was meant and all that.
David Roberts
Whether Biden was fully in control of all the implications of his speech, you mean?
Harry Krejsa
Right, but that is probably why China has not done so yet. And in addition to the political affinity that we share with Taiwan, being a long-time partner and democratic friend, the global semiconductor market is centralized in Taiwan to a tremendous degree. And so, any kind of violent confrontation over Taiwan would be very likely to damage the famously fragile semiconductor manufacturing base there and could, you know, as a result, plunge the globe into a worldwide catastrophic depression.
David Roberts
And this was, if I'm not mistaken, a large part of the impetus for the CHIPS Act. Right. I mean, it's the whole reason we're trying to onshore that industry.
Harry Krejsa
Precisely, precisely in partnership with Taiwan. Though that dependency does help give them more confidence in our friendship and willingness to come to their rescue in the event of such a violent takeover.
David Roberts
Right. So, it's really just all down to Taiwan? Like, I mean, there are larger, major power maneuvering considerations going on here, surely?
Harry Krejsa
Sure. And I think that Taiwan is more of the lens through which the general two last superpowers-standing kind of dynamics are unfolding, right?
David Roberts
Yeah, yeah.
Harry Krejsa
And unfortunately, it's a very sharp lens through which that is coming together. We know that these kinds of cyber attacks on critical infrastructure are not science fiction because we've seen them unfold elsewhere. Just a decade ago, Russia was able to bring down Ukraine's power grid with a series of cyber attacks that plunged hundreds of thousands of people into darkness. At the beginning of the Biden administration in 2021, Colonial Pipeline suffered a ransomware attack by criminal gangs that caused a fuel shortage and momentary gas panics on the eastern seaboard. There was even a water treatment plant in Florida where, again, a criminal actor was able to remotely access the control systems for that water treatment plant and set it to flood its water stores with lye.
But that was, like, caught and reversed at the last minute.
David Roberts
Yeesh.
Harry Krejsa
Yeah.
David Roberts
It's also the case that, like, three drunk rednecks in North Carolina shot an electricity transformer and shut down electricity service to an enormous swath of the region. By which I mean, US infrastructure is vulnerable in a lot of ways. And it seems to me a lot of those ways are domestic. Entirely domestic. And a lot of those ways are analog. Do you know what I mean?
Harry Krejsa
Absolutely.
David Roberts
So what percentage of the total vulnerability of US infrastructure is foreign digital hacking specifically? I guess I want to try to contextualize it a little bit.
Harry Krejsa
So, it's qualitatively different buckets. Right. You know, it's difficult to protect a random rural substation against anti-government activists from shooting it up with an M16. Right. But that is not very systemically impactful. It could have a local impact. But the threat advisories put out over the last year and a half or so by Microsoft and reporting by various news outlets and those congressional testimonies you mentioned have all been pointing to the Chinese security services attempting to gain access for systemic impact into places like, again, according to publicly available reporting, the Texas power grid, water utilities in Hawaii and Guam, major west coast ports, things that, because of their digital connectivity, are able to leverage it into systemic impact for two effects, right.
The first one is to scramble our logistical ability to mobilize a rescue mission for Taiwan. But the second, as you mentioned from Director Wray, was to disrupt essential services for US civilians, and as another government leader put it, to "induce societal panic" so that we wouldn't have the political will to support that rescue mission.
David Roberts
So, the idea is that this is all basically to thwart any US effort to save Taiwan? It seems like a little bit of, like a bank shot. Well, wait, aren't they more direct?
Harry Krejsa
The Chinese Communist Party sees the United States as probably the only actor that could stand in the way of a violent takeover of Taiwan. And so, they're doing everything they can. They're pursuing missiles that are particularly good at targeting and taking down aircraft carriers because that's one of our comparative advantages. They are trying to bulk up on ammunitions that can get to Taiwan and destroy Taiwan's defenses before our ships can make it across the Pacific Ocean. But they do see our disproportionate digitization as a society, as an economy, as a way that they could try and circumvent our conventional military advantage.
And that's what's motivating them.
David Roberts
And I think they also view us as kind of lush, decadent, weak-willed, and unlikely to put up with much sacrifice in the name of defending a faraway land.
Harry Krejsa
That is correct. I think that they might be off there as far as like a "rally around the flag" technique if they indeed started trying to target American civilians. But whether or not — in like, China analysis circles, it is a truism that China has generally been bad at predicting the political intuition for democratic countries. Like, they just don't have practice at it. In the 90s, Taiwan was flirting with electing a more pro-independence party for the first time. And so, China fired a series of missiles over Taiwan to try and intimidate them out of it.
And of course, that just inspired Taiwan to rally around those candidates.
David Roberts
It sparked weeks-long rallies and people in the streets.
Harry Krejsa
Exactly right. And so, that's like, I think, an underrated source of instability.
David Roberts
Well, I mean, the inability to predict the US response is one thing. The inability to predict a Trump administration response is perfectly forgivable and understandable as it is.
Harry Krejsa
Exactly. But I think that the fact that we have now found Chinese hackers lurking on civilian critical infrastructure, gaining and maintaining access and the ability to control it, including infrastructure that doesn't have a military purpose.
David Roberts
Right. But to be clear, the examples we have on record are them gaining access. We can't really point to them having done anything with it yet, can we?
Harry Krejsa
Absolutely. But part of that is because doing something with that would be seen as an act of war, like targeting civilians. Right. So, what you would want, if you are the PRC and you want to, you know, frighten or deter the American people out of coming to Taiwan's rescue, you want to be in place to pull the trigger.
David Roberts
Keeping your powder dry.
Harry Krejsa
Precisely.
David Roberts
But accumulating powder.
Harry Krejsa
Exactly.
David Roberts
All right. And explain what Volt Typhoon is in the context of this.
Harry Krejsa
Sure. Volt Typhoon is a taxonomic moniker, a code name that Microsoft's threat intelligence shop gave to a part of the Chinese military, the People's Liberation Army, or PLA, that has particular expertise, tactics that they can recognize over time and track to different kinds of targets. And so, Volt Typhoon is this corner of the PLA that has been — with particular skill and stealth — embedding itself in various critical infrastructure networks, those power grids, water utilities, ports, et cetera. And Microsoft unveiled this in, I believe, late 2023.
David Roberts
So, it was a private Microsoft investigation that uncovered all this stuff.
Harry Krejsa
It's often — there is a fair amount of collaboration in both the unclassified and classified spaces where governments and threat intelligence firms will pass information and say, "Are you seeing this? Do you have context for that?" Indeed, Microsoft was able to track this down in the public domain. That also allowed the United States to connect a few more dots together and provide that context and declassify intelligence for Congress to do that.
David Roberts
Did the Chinese Communist Party ever acknowledge Volt Typhoon or admit, or is it all full denial down the line?
Harry Krejsa
It is all full denial down the chain. And this has been the case forever, including when, like, we are able to track the forensics of various hacking operations. And they all, like, start at 8 a.m. Shanghai time and conclude at 5 p.m. Shanghai time. Like, you know, they're getting much better at their tradecraft. But even when it has been obvious, they have a, you know, "We will never acknowledge this" sort of posture, of course.
David Roberts
And let us not be naive. Surely, there are groups of Americans working to penetrate Chinese infrastructure systems. Do you not think?
Harry Krejsa
Well, surely I would not be naive, but I don't have anything further to say about that.
David Roberts
We should just deny that all down the line, too.
Harry Krejsa
I would say that the United States observes international standards and norms around the law of war and humanitarian protection, and targeting civilians in peacetime is not something that we or our allies do.
David Roberts
Okay, well, I'll just leave that there with my raised eyebrow. So, let's talk then about the vulnerability of the grid, basically. This is about the digital vulnerability of the grid. So, before we get to clean energy, the grid that all these people are talking about being more vulnerable is, for the most part, not composed of clean energy. The one that we're talking about being increasingly vulnerable is still mostly the fossil fuel grid. So, why, given that the grid has been basically the way it is for like, a century now, why is it suddenly becoming more vulnerable to hackers?
Harry Krejsa
So, you had mentioned at the top those GAO reports about how the threat is proliferating. Basically, the dynamic here is if you're trying to think of the cybersecurity of a complex system like our grid, you can think of your options along a spectrum. On one end, you have basically no Internet connectivity whatsoever. In tech policy, we call that an air gap where there's nothing connected to the Internet.
David Roberts
Certain nerds in the audience right now will be thinking about Battlestar Galactica.
Harry Krejsa
Precisely, the Adama maneuver, that's right.
David Roberts
"Reboot," which begins with a fully analog ship, because the robots have taken over all the computers.
Harry Krejsa
Exactly. And there are benefits to that approach. Indeed, some extremely valuable but extremely fragile parts of our infrastructure, of our national security apparatus, are indeed air-gapped and they depend on that kind of thing.
David Roberts
Oh, interesting, because I was going to ask like, is that a substantial part of anyone's recommendations that we sort of have like some percentage, some small percentage of power infrastructure air gapped, just in case?
Harry Krejsa
It depends on particular circumstances. I think the issue is like the opposite end of that kind of spectrum of security perspectives from the air gap is leaning in totally on being digitally native, on recognizing that, you know, we are living in a digitally enabled world. The ship has sailed on, you know, some parts of our infrastructure being connected to the Internet. So, we might as well.
David Roberts
The only way out is through.
Harry Krejsa
Exactly, exactly. And so, you want to say, "All right, we're going to make everything as digitally native as possible, where it can be updated, it can be patched, it can, you know, fail gracefully and quarantine the bad stuff." Unfortunately, where we are is in that messy middle, which is the worst of all worlds. I'm exaggerating when I say, "Dams with dial-up modems slapped to the side of it," but only slightly.
David Roberts
So, we have infrastructure that was not designed to be digital, not digitally native, that has been sort of drafted into digitization, slapped a modem on the side of it. And so, we're kind of in a worst of both worlds.
Harry Krejsa
Exactly, exactly. And the promising thing about the clean energy transition is that it is bringing a wave of recapitalization into the electricity sector of new technology that is digitally native, that can be made defensible.
David Roberts
Right. And here we come to, I think, a really central question because, like my strong, I guess I'm guessing probably anyone's strong intuition is just that if you bring in much more digital equipment, you are proliferating your threat surfaces or whatever the hell they call them in the security world, you know what I mean? Like, you have now digital interfaces by the millions. And what's more, I mean, I'm getting a little ahead of myself now, but we'll get all this out now. What's more, not just lots more digital equipment onto the grid, but digital equipment coming from small vendors and like mom and pop shops, like startups.
You know, there's lots of — now there's like, it's not just a couple of big power companies that you could theoretically corral and control. We're proliferating the places from which things enter the grid too. And, it's just that's distributing too. So all of that sounds to me like more vulnerability. More, more, more. So convince me that a distributed grid filled with digital interfaces is not more vulnerable to hackers.
Harry Krejsa
Absolutely. And your intuition is correct and historically well supported. But as we said earlier, the only way out is through here. And so, it is both simultaneously true that the threat surface is proliferating exponentially and we are gathering the tools we need to make everything more secure, resilient, and defensible than it would have been in a legacy fossil infrastructure paradigm otherwise. One of the analogies that I like to use is basically the fire code before the 20th century. You know, in the 19th century, you hear all these stories about how like, Chicago and London and every developed city, every few years would have a citywide fire that would wipe out a tinderbox of all these buildings.
Right? Because every piece of our built environment was contributing to risk, right? Unregulated materials, unregulated stoves. And people didn't have an intuition for how flammability worked. And so, you were just, everything was a tinderbox and you would have catastrophic wipeouts every few years. And if we approached the built environment today, like our cybersecurity paradigm is today, I'd be saying, "Hey, before you go into this building, you need to put on your fire suit, your own oxygen tank, and carry an axe with you," which is no way to organize our modern society. But instead, today, every piece of a building contributes to its safety rather than its risk.
Like, every layer of paint has had a fire retardant coat and everything.
David Roberts
Right, right. And this is all just by boosting code so that all new buildings have a certain level of hardened infrastructure to them. And it more or less worked.
Harry Krejsa
More or less worked. But also, with that boosting of code, was also an intuition. Like, you know, "Oh, there's paper towels on the stove, I should move that." Or like there is, you know, the individual is not in charge of their own fire safety alone by themselves anymore. But there's still an intuition of safety that you can see when things feel off. And we are trying to — the way through this is to cultivate both, you know, that pincer movement of top down and bottom up.
David Roberts
Right, top-down being the codes. Bottom-up meaning more of like a cultural sensitivity.
Harry Krejsa
Just exactly right.
David Roberts
Pay more attention, care more, keep an eye out. But that's like you're trying to cultivate a culture again among, potentially, hundreds of thousands of small vendors. So that almost seems more challenging than the codes.
Harry Krejsa
Absolutely. And it's hundreds of thousands of, as you said, peaceniks, folks who have, you know, people coming from the climate and clean energy sort of pipeline.
David Roberts
Not security-minded people, maybe.
Harry Krejsa
Precisely. Right, and it is true in the other direction as well. When we were in the White House working on this issue, my glowering, risk-focused national security folks would look up from their keyboards and say, "Wait, you're doing what to my power grid?"
David Roberts
They'd sniff the air. "Is that patchouli somewhere?"
Harry Krejsa
Precisely. Whereas indeed, the climate policy folks whom I adored and had a great relationship with at the very beginning were like, "Wait a second, are you trying to throw a wet blanket on this? Are you coming in here with your military-industrial complex biases?" When in reality, their worlds have way more common cause than I think they necessarily appreciate.
David Roberts
Yeah, yeah, I should have maybe framed that a little bit better in the intro. Like the thrust of your piece, the whole thrust of this project, is to get the glowering security folks in the security blob and the hippies doing clean energy just to talk to each other and start cooperating and collaborating more, because they are, like, physically now part of the same concern. But culturally, I think you'll know better than anybody, still quite worlds apart.
Harry Krejsa
Absolutely. And I think that this union will be especially important in the next few years, where we're going into a political environment where decarbonization is probably going to drop several rungs down the priority ladder, and national security and competition with China is going to move up it.
David Roberts
Well, I mean, you could argue, I would argue that even in the Biden administration, it was concerns about China that pushed climate legislation over the top. It's already, you know, that's — that melding of concerns is already somewhat underway.
Harry Krejsa
That's right. And the ability of clean energy to kind of clear out that technical debt and make our grid more defensible and resilient is a huge national security asset and imperative. And you can talk about that without ever using the word carbon in a very compelling way.
David Roberts
Right, right. Well, let's talk then a little bit — like, one of the points you make, which of course I love, because I love talking about grid architecture, is just that the architecture of a clean energy grid in and of itself is more cybersecure. So, talk about that just for a second. The sort of benefits of this kind of nested architecture.
Harry Krejsa
Absolutely. So, as your audience will know well, we are moving from this paradigm of a few centralized nodes of electricity generation pushing electricity out in one direction to distribution into various neighborhoods, to one that is dramatically more flexible and interconnected, where we have distributed generation — electricity capable of moving up and down the same wires in both directions all the time. And that kind of architecture, if implemented thoughtfully and with security benefits in mind, can be a second pillar of national security benefit here because it's able to recover. And as our mutual friend Costa Samaras at the Scott Institute at Carnegie Mellon —
David Roberts
Former Volts guest.
Harry Krejsa
Precisely, he refers to this as "a self-healing kind of system" where you can have, whether it's a hurricane or a hacker who takes down some portion of the grid, you can have smart inverters and grid-forming technologies and batteries say, "Whoa, I detect something bad happening there." And I can surge electricity of the right frequency to try and restabilize the grid, or failing that, I can quarantine off that portion that is being disrupted.
David Roberts
Yeah, that's the key bit. So, like electricity heads will remember, like in the massive blackouts of years past, it's often just like one squirrel eats through one transformer and the faults just cascade and there are no natural fire breaks, so they just cascade out of control through an entire region. And the idea here is that your clean energy grid, you know, people will remember this from several previous pods with Octopus Energy with Lorenzo Kristov. This idea of like at the neighborhood level, you have a microgrid, right, where everyone's communicating with one another within the microgrid, but that microgrid just has one single connection to the larger grid.
And then, that could be inside a city-sized microgrid, which could be inside a regional-sized microgrid. There's this nested quality. All of which means there's tons of fire breaks. So, you can isolate the fault relatively easily with that kind of architecture in place.
Harry Krejsa
Exactly. There was a squirrel in Ohio in 2003 that did almost as much damage to the Eastern seaboard as Vladimir Putin did to Ukraine in 2015. But that is like —
David Roberts
But here we come to a question, which is: that architecture, well implemented, is safer, but like, do we see that being implemented that way? Do you know what I mean? What I see is an uncoordinated herd of just a chaos of people storming onto the grid, and the architecture not really keeping up.
Harry Krejsa
That's right. And I think that the answer is like, it's hard to know in many cases because we don't have the visibility that we need. And we can get that from uniting the tree huggers and the dragon slayers, both inside government and outside more effectively. In the critical infrastructure protection space, there are these public-private coordinating bodies, sectoral coordinating councils, where representatives from the various major private sector stakeholders for a given sector will gather, will interface with government, will receive threat intelligence about what they should do to protect themselves against new and emerging risks, and they will translate that and send recommended actions out to their private sector counterparts.
And those sectoral coordinating councils have been slow to modernize and reflect the clean energy space.
David Roberts
You mean the ones in electricity specifically?
Harry Krejsa
Yes, that's right. Yes. So, like last year, the Electricity Subsector Coordinating Council (ESCC), which serves this role for the electricity, the bulk power sector, admitted American Clean Power (ACP) as the representative for the clean energy space. But that took a long time. It took longer than it should have. And well after clean energy had a systemic level presence on our grid. But that was for two reasons from both directions. One was the kind of creaking institutions that came before; they were used to legacy energy actors that had been unchanging for decades, kind of not being prepared to integrate those new entrants.
But also, from the other direction, the new entrants not knowing how to organize themselves, not necessarily having the intuition for security and knowledge that they should be there. And we have work to do to ensure that the liability of that space, of the diffuse number of actors, can be an asset of dynamism and technological innovation. But it has to work from both ends.
David Roberts
Well, before we get to governance, which we are going to talk about in a sec, let's just talk for a minute about the tech itself. You have an interesting observation in here about the difference between IT and OT, between information technology and operational technology. Talk a little bit about what that distinction is and what is the significance of that distinction here.
Harry Krejsa
So, information technology is what you often think of when we talk about tech today, right? Like computers, Internet networks, those kinds of machines. Whereas operational technology, OT, is often used to describe a category of stuff that changes things in the real world. Pumps and switches and substations.
David Roberts
So, the former is sending information hither and thither, the latter is moving physical objects in the physical world.
Harry Krejsa
Exactly, yeah. The atoms and bits distinction, right? Yes. And for most of the existence of IT, it has been generally separate from OT. There's been relatively rare intersections of the two. And we're moving into the world where they are colliding. Even before the clean energy transition began, you know, we were slapping those dial-up modems on the sides of dams. And there's a business case that's irresistible for that kind of work to bring together IT and OT. Any infrastructure operator is going to have distant and remote substations or assets that are difficult, time-consuming, or dangerous to send someone to.
And so, if you're wanting to just every so often adjust some gauges and flip some switches and you don't want to send someone out there every single time, then it is irresistible to slap a dial-up modem to the side of that dam and have the ability to do that. But a lot of those dials, switches, and operational technologies were never designed with that kind of connection to the outside world in mind. Like the designers of those technologies, they assumed if you wanted to flip that switch, you were going to walk into that building. The guard would say, "Hey, David!"
And that is the paradigm that it was built for. And by slapping it onto the side of it, we are opening this door to the entire world. Being able to look in there and turn those knobs and flip those switches with no identity checks, no authentication, no firebreaks, unless you build it in intentionally on top of it. And that is just not the case in most of these places. A lot of utility operators have extremely narrow margins. Many of them do not have the kind of technical sophistication to know that this is a problem. And unless you take action to swap out those OT so that they have a layer of sophistication on top of it to be like, "Hey, is this who I expect to be coming in here and turning the knobs and flipping the switches?"
David Roberts
But why can't you build that sophistication into the modem that you slap onto the side of it? Like why do you have to rebuild the thing from the ground up?
Harry Krejsa
Well, you can, but that's a single point of failure. In IT right now, the big kind of trend is towards what's called "zero trust architecture" where you have to be authenticated every time you go to a new folder, a new place. And so, this is not to get into too much inside baseball, but the security paradigm for like government networks used to be organized around on-premises or on-prem security where as long as you passed one check, you could look at anything, go anywhere. And now we're moving toward like you are continuously authenticated. It is more like if you're working on collaborative Google Docs, right.
You have to be signed into Google, and the browser needs to know that that's you before you can open that link from someone else who only meant to share it with you and not everyone else who has the URL.
David Roberts
Right, right.
Harry Krejsa
And so, similarly, like you want that kind of digitally native layers of security. Which, to a human user, would hopefully look like nothing. It would be the easiest thing in the world if you're doing it right. But it is a sophisticated amount of engineering on the back end and in most cases, your old OT is not capable of that. And you could build everything you want to into that modem you slapped onto the side of it. But if it is a single point of failure, that's an intolerable amount of risk. And the rule of thumb we have for these, these state-based hackers is they have so many resources and so much patience to throw at this that they will eventually get in. Like the key is how many layers of defense and how resilient you are to recover.
David Roberts
And so, one of the points you make is that the OT involved in clean energy is sort of better suited to this sort of security.
Harry Krejsa
Correct.
David Roberts
Say a little word about that.
Harry Krejsa
Sure. So, there's kind of two dynamics there. One is a lot of clean energy was just designed from the ground up in the Internet era and so started with that as an assumed possibility. But the other part of it was that you need your clean energy technologies to be capable of much more sophisticated activity. And so, of course, you're going to design it with software-defined abilities to interact with each other. Right?
David Roberts
Right. Yeah. Like everything is going to be talking to everything else and talking to the grid. That's sort of like the tidal movement in clean energy. This is a big part of why clean energy proponents think clean energy is going to be able to do what dirty energy used to do. It's not going to have to replicate the brute force. It's going to, through digitization, be a lot smarter and then more efficient.
Harry Krejsa
Exactly. Your variable source generation, like solar and wind power, needs to be constantly considering, "Where do I send this power? Am I storing it? Am I transforming, transmitting it across space or time?" And your future energy parks that you discussed in an episode recently of on-prem generation and consumption is now introducing new multivariate interactions with the grid. Like all the things you want your clean energy technologies to be able to do require software-defined interactions with the real world. Like from the start on the tin.
David Roberts
Right. So, what you like here, what we would like to happen, is for these digital technologies to be built with top-level security built in such that every piece you add to the grid improves — rather than making the grid more vulnerable — it improves grid security.
Harry Krejsa
Exactly.
David Roberts
This is what we want in our future. But then, we come to the sort of million-dollar question here, which is governance. What standards and who is it that's making people do this? Because as you say in your section on governments, the first part of the section on governance is the governance of the US electricity system is an absolute jalopy, Rube Goldberg nightmare of overlapping jurisdictions. So, it's not even clear if you had a sort of US God emperor with great standards in his back pocket, how he would proliferate them to all the necessary actors here.
So, how do you get around that?
Harry Krejsa
Well, you know, federalism is a drag.
David Roberts
Although, we should just say here, in the coming four years, we might feel much more fondly towards federalism than we do right now.
Harry Krejsa
You're absolutely correct. And you know, man, I was just thinking about how great Greg Abbott is with all that clean energy in Texas.
David Roberts
I know. Go, Greg.
Harry Krejsa
Yep. The way I think that you start — what's that line about how do you possibly start eating an elephant? One spoon at a time. Same case here where we need to approach this from a prioritization framework. Like, what can we get our arms around most easily? What's the most systemically important? What tools do we have? And so, one of the last things that I did in government in this kind of collaboration between the glowering natsec folks and the utopian climate folks, was identifying a list of linchpin technologies. Right. Like recognizing this is a huge undertaking.
What are the technologies that are the most critical to the near-term success of the transition and have the most sort of digital exposure that we should be ranking above the others and thinking about their systemic importance relative to one another? And to that end, if you're thinking about solar panels, they are relatively dumb machines. Yes, they're the workhorse of the clean energy transition. And yes, they have some semiconductors in them and most of them are made in China, but they're pretty dumb. They aggregate up into inverters and substations.
David Roberts
That's where the intelligence is. Right?
Harry Krejsa
Persistent inverter, indeed. Yes. And so, I'm not too terribly worried in the immediate term about the risk from a solar panel. On the opposite end of that spectrum are your virtual power plant software and similar tools that are entirely software-defined. They can move megawatts or even gigawatts of electricity around and concentrate a lot of that risk in a single, systemically important place. And so, that's one of the very first things we should probably prioritize.
David Roberts
What would that translate to? Prioritizing smart inverters? That just means getting some minimal security standards in place, and that would affect the inverter manufacturing industry. Like, what does it mean to prioritize inverters?
Harry Krejsa
It means figuring out, like, what are the sources of risk here? What does the software, like — who makes inverters? What does the software and hardware supply chain for inverters look like? Do adequate existing standards cover the software supply chain for inverters? If not, how do we make sure that we update standards to that end? The tricky part there is that the clean energy transition is happening faster than most of the standards-making process.
David Roberts
Yes, I mean, I run into this problem a lot —
Harry Krejsa
Indeed.
David Roberts
on Volts, which is like the tech is racing out ahead. People are doing this already. And the standards-making bodies comparatively are like Ents in Lord of the Rings, just sort of lumbering along slowly behind.
Harry Krejsa
That's right. The thing we learned at the White House. Any honest, you know, alumni of a White House policy council will tell you that the formal powers that the White House has, legally, are actually pretty narrow. It is mainly through other agencies and stuff like that that you work. But one of the things that we can do very well is host parties and hosting parties where you bring together this very diffuse ecosystem and say, "Look, I, Mr. Government, don't know what the right standard looks like for the cybersecurity of a smart inverter, but everyone here has a piece of what that answer is.
So, let's put our cards on the table and figure it out." Then, everyone goes home and has learned a lot more that day about how to think about this. Even if it takes another, you know, 18 months for a formal standard to roll out, you have done a lot of the work. This is the reality for lots of standards; often by the time it is published, most of the industry has already coalesced around what it looks like.
David Roberts
That's interesting. In this distinction between kind of dumb physical technology like a solar panel and a smart digital technology like an inverter that you need to worry about, I'm sort of curious where EVs come on that scale because they kind of fit both. Like, you can have a car that's not digital at all. Like, we've had them for many years. But on the other hand, like EVs are like rolling smartphones. And it seems to me — like I don't want to give China any ideas or whatever — but like in terms of threat vectors, EV chargers and EVs are like, you know, you stick a bug in an EV and then it carries it to a new charger.
They're like deliberately bug-spreading devices. So, how do you think about EVs in the context of this security?
Harry Krejsa
So, the good news and bad news. The bad news is your intuition is exactly correct. But the good news is that the technologies that make that so in an EV are also found in lots of other parts of our electricity ecosystem. And so, if we are able to make progress on vendor trustworthiness for battery development or the standards for safe bidirectional electricity flow as controlled by software, then we're making progress in all those directions.
David Roberts
So, the EV interface with the grid is not unique. If you just solve that sort of interface problem, you're solving that problem too. Or at least somewhat solving, getting at it.
Harry Krejsa
Somewhat solving. You'd also get at it from the direction of like virtual power plants and how they interface with the grid, because virtual power plants are probably going to tap a lot of EVs as they unfold. Also, like, there's been a lot of news lately about Chinese EVs and BYD kind of taking the world by storm.
David Roberts
Indeed.
Harry Krejsa
And that's the reason why the recent import controls and limitations on BYD cars coming into the United States primarily focused on the software component of it. Right. It was the fact that it is Chinese-made software on those cars that was one of the key distinctions.
David Roberts
I mean, even if we put standards in place and say you can't sell an EV in America unless it meets these standards, you still have an enormous enforcement problem, don't you? Right. Because you're going to have millions upon millions of Chinese EVs coming in, any one of which could — you know, like, how do you enforce that? It's hard enough to enforce it on domestic manufacturers. How do you enforce that when it comes to imports?
Harry Krejsa
Right. And while you also saw, a lot of folks in my part of this ecosystem noticed the Israeli pager operation against Hezbollah with great interest.
David Roberts
Creepy. Didn't get the attention it deserved. Super creepy.
Harry Krejsa
I completely agree. And it is a great demonstration of how easy it can be to hide nefarious intent in a supply chain network. Right. And so, how do you get confidence in the provenance of these kinds of technologies and imports?
David Roberts
These are some pretty long supply chains too.
Harry Krejsa
Absolutely.
David Roberts
A lot of nodes in that supply chain to worry about.
Harry Krejsa
Absolutely. And there are different ways that you could approach this. One is the way Apple does it where yes, your iPhone is probably almost entirely made in China. We trust it with the most intimate parts of our lives, but we have trust there because Apple is deeply vertically integrated. They have a great understanding of the hardware bill of materials and they have total control over every byte of software that is on that phone.
David Roberts
I mean, in terms of like knowledge and control over supply chains, Apple is sort of like an n of one, is it not? You can't expect other companies to —
Harry Krejsa
Precisely. And so, the way that you can get at it if you are merely one actor of many in this marketplace is things like the various national labs have done teardowns of EV charging equipment and EVs themselves to kind of look for that kind of stuff. But that's difficult to scale, particularly if you want to do that before you order 100,000 widgets. And in fact, this is actually something I'm optimistic we can make some progress on in the short term. A lot of standard contracting language in both the public and private sectors for these kinds of imports have what are called anti-reverse engineering provisions where you are not allowed to get a widget and tear it down and inspect it before ordering.
And so, a lot of my former colleagues in government are working to put together new model acquisition and contracting language for government purchases where we can tear down the widget before we order 5 million pieces of it and do those kinds of inspections because it is the kind of close physical access to advanced technology where you could prod and poke and plug in and see how it reacts to different kinds of environments where you can get that kind of confidence. And so, this is one of those things where tweaking some contracting language could make a big difference.
David Roberts
Interesting. And here's a somewhat cynical question which came up online and which I think is very apt. We get sort of naturally outraged when we talk about privacy violations done by China. Ooh, scary China. But of course, in the average American's life, the people who are invasively taking their data and using it for nefarious purposes are entirely domestic. You know what I mean? Like these are, this is what the big tech companies want to do. And part of me sort of thinks that putting standards in place that would truly protect consumers against, you know, ill-willed foreign hackers would also preclude domestic actors from doing a lot of the data mining and shady crap that they want to do.
And so, there might be some pushback from domestic actors against safety standards and privacy standards with real teeth. Am I off base in thinking that?
Harry Krejsa
I think that is true in some particular circumstances, like around right to repair laws and being able to get in and fiddle with things. But I think in most spaces, and particularly those around which I'm trying to bring together, the tree huggers and the dragon slayers, Meta is not trying to collect ads on you in a way that would blow up your car.
David Roberts
Well, not yet. I mean.
Harry Krejsa
Right.
David Roberts
It's the trajectory of these guys. I don't know.
Harry Krejsa
But these are, I think, two categories of concerns with Chinese activities of collecting information on you and pre-positioning access in places and in ways that could only be used in a way to harm civilian Americans.
David Roberts
Right, but can you really in practice cleanly distinguish between those and leave Meta all its data mining capabilities while blocking all of China's ability to do something nefarious? Like can you really make that distinction in practice?
Harry Krejsa
I think that in most cases, when we're talking about public safety, yes, we can. I think when it gets fuzzier into how the information that China is collecting on Americans so that they can socially engineer them, so that they can phish them more effectively.
David Roberts
"Propagandize them on TikTok," apparently, is the big problem.
Harry Krejsa
Indeed, yes, that's where things can get fuzzier. But when it comes to the safe functioning of our infrastructure and the delivery of essential services, you can separate the two pretty cleanly.
David Roberts
I don't know. I would just put on record that, like a lot of shady security stuff, you know, sort of approaching it through the lens of China fear, I feel like it distorts it a little bit since we are constantly subject to privacy and security violations all the time by actors who are multinational at best and have only a light allegiance to domestic policy and domestic actors. So, but anyway, one other thing I wanted to hit on with you before we run out of time, which I was just delighted to find. So, you finish your report with these sort of recommendations for, you know, "lines of effort," you call them, going forward, most of which are around trying to sort of get the security people and the clean energy people to talk to one another and work together.
But one of the things you say here, which I agree with entirely and have not yet encountered in the actual buttoned-up, suit-wearing halls of D.C. and think tanks, is this. I'm going to read the quote from the report. "The possibility of electricity generation so clean, cheap, and abundant as to test the bounds of energy scarcity is increasingly linked to the concept of artificial superintelligence and arguably possesses a scientifically clearer pathway to near-term deployment. The US Government should invest a similar urgency in understanding the potential of this abundance agenda as it is in artificial intelligence and in assessing whether or not it should be racing to realize it before Beijing."
So, just to restate that, you're saying the prospect of energy that is clean and super abundant, the end of energy scarcity, which has characterized our species' development from the very beginning, right? It's been an absolute feature of life on Earth up until the present. The end of energy scarcity is a real possibility here. And as you say, arguably there's a clearer path from here to energy abundance than there is from here to AI superintelligence. And yet, AI gets all this hype, all these billions of dollars, all this like carpet bombing AI on everything now. Whereas the prospect of energy abundance, which to me is like massively more promising for the welfare of humanity, is also sort of within sight.
And yet, you never hear anybody talk about it. We don't — there's no formal government recognition of it. We talk about competing with China, but we never discuss it in that vein. So, a) thank you for just like bringing this possibility into this world, but like, b) talk about that a little bit more. How do you see that fitting into this larger security framework?
Harry Krejsa
Yeah, absolutely. And indeed, I feel like I'm taking crazy pills. Like, this is a clear —
David Roberts
Me too, man.
Harry Krejsa
It is a clear potential that is absolutely, like a little speculative, but not that speculative. Right?
David Roberts
Less speculative every day.
Harry Krejsa
Absolutely. And I think that part of the issue is among my colleagues, that prospect of the potential end of energy scarcity and resource abundance is talked about today in a way that I recall people talking about AI in policy spaces, like, five years ago, where it was like, "This seems like it could be a big deal. I don't want to sound like a crackpot." But, like, the tech is really —
David Roberts
Rendering crackpots of all of us, right?
Harry Krejsa
Indeed, right. So, I indeed wanted to intentionally make sure this was included there because, you know, as you described, my title being a little overheated at the top, I am intentionally doing that to try and make sure that some of these arguments kind of extend out of our circles of climate and clean energy tracking wonks. Right. These are ideas and arguments that are useful in different circles in different ways. And the abundance piece of it is, I think, under-discussed in our climate and clean energy circle, but way under-discussed outside of that.
David Roberts
I mean, I can't imagine anything that would have a more profound effect on national security than energy abundance and global geopolitics. It's like everything these security people think about all day is just going to be profoundly affected by energy abundance if it happens. And yet, as you say, I never see it come up. Is it just fear of, like, fear of looking like a crackpot? Like, is that still just, like, what's holding people back?
Harry Krejsa
I think that's part of it. I also think that, you know, Brian Thompson or Ezra Klein might have tweeted something like this. So, I don't want to steal their valor here, but I think there was a line about how we have had a sort of scarcity mindset in our economic policy debate for a while now. Our arguments around energy usage have been focused on efficiency because of pollution concerns. The troubles that we've had with wealth distribution and the unequal gains of internationalism, trade, and automation over the last couple of decades have, I think, given Americans an intuition of scarcity, like a zero-sum world.
David Roberts
Yes, and I'll just say, because you probably won't, but I will, like every bit of conservative or reactionary politics anywhere you find it: if you pull the string, you find scarcity at the root of it. Like scarcity and fear of not getting enough. Right. The sort of zero-sum mindset, "There's only a set amount, there's more of us than there is of it. All of life is a competition for that resource." Like that is the root of conservative politics. Which is why I've always wanted the Democrats to adopt the slogan, "We can have nice things."
Harry Krejsa
Yes, and I think the good news there is, I feel like we're starting to — the ship, the aircraft carrier of public discourse, I think is starting to move in that direction. And it would have indeed profound impacts on climate, on human flourishing. But also, if you need a hawkish argument, you know, to push forward this agenda, it also would have profound import for our national security.
David Roberts
I mean, among other things, if every nation had a domestic supply of energy sufficient for its needs, just the motivation for a lot of fuckery would disappear. You know what I mean? Like, the reason people go out and do corporate espionage and all that stuff, a lot of reasons for doing that would vanish. Like, why bother?
Harry Krejsa
Absolutely. And it's part of why I am actually optimistic about the sprint to artificial intelligence having positive spillover effects there. Because I think that it will bring with it a lot of demand for more energy infrastructure. Right. Like Ben Thompson of Stratechery likes to make the analogy to the 90s era build out of fiber optic cables around the country where there was a big over-construction of fiber optics that ended up not making a ton of economic sense when the fervor over web 1.0 kind of died down. But if we're in a situation where the initial kind of sprint towards AI in this near term ends up resulting in a ton of energy parks of giant solar and storage or SMRs —
David Roberts
It's forcing the issue on all sorts of things that clean energy people have been after for a long time.
Harry Krejsa
Absolutely. And I think with the cloak of national security import atop of it, it will be a great supporting argument, especially over these next few years. And I think in our entire conversation here today, with all this enthusiasm around clean energy's potential, I'd point out we've probably used the word carbon fewer times than maybe any other guest on Volts.
David Roberts
Right. So, the idea here is sort of the overarching idea you're getting at with this paper and your whole sort of like this whole push is just clean energy and security people have common interests and need to work together. And furthermore, deploying clean digital technologies on the grid can improve US national security. So, you should, no matter how deep your glower, how deep your cynicism, and how deep your contempt for hippies: if you want a more secure grid, you should want more clean digital technology on it. That's sort of the take-home.
Harry Krejsa
That's correct. And no matter how skeptical you are of the motivation behind American foreign policy, or whether we have a military industrial complex at the core making decisions or not, there are security imperatives for clean energy that you can use in conversation with people who are more concerned about those security imperatives and persuasively make that case.
David Roberts
Well, let's conclude with that then. Just say a little word like, obviously, decarbonization, as you say, is going to take a bit of a backseat in the coming years. And that doesn't just look like the US either, like not to doom scroll a little bit, but it looks like momentum is flagging all over. Do you think there is — you know, like if I'm a grizzled, glowering Republican security hand of decades and the hippies come to me and they say, "Oh well, guess what? We discovered we're actually secure too. We're actually helping you be more secure too."
Obviously, my eyebrow is cocked, right? Obviously, I'm skeptical. Do you think that this style of argument, this argumentative sort of space you've opened up here, has enough purchase to get some bipartisan consensus in the coming years? Like, are there enough people on both sides of this divide that get it, that you can see an actual germ of cooperation starting in coming years?
Harry Krejsa
I think that it would be an important part of the equation, a part of the recipe that helps make it so. You know, very unfortunately, energy has become, you know, another battlefield of culture wars. Right. And cleantech has been coded as liberal and people negatively polarize against it. And anything we can do to attenuate that reality, I think is going to be very important and helpful. And the incoming Secretary of Energy, Mr. Wright, he was an investor in advanced geothermal. There are ways to come at this in a different direction, to talk about some different ways.
David Roberts
Yeah, it does seem like he's reachable with reason. I don't know if you've had any direct dealings with him, but it seems like he is the kind of person who might bite on this argument.
Harry Krejsa
Indeed. And I think that Doug Burgum could be, too. With Mr. Burgum postured to chair this new policy council in the White House, he had a similar kind of investment in energy dominance. Precisely. And the intersection here that I am also cautiously optimistic about is the role of big tech or hyperscalers.
David Roberts
Yeah, that's really the X factor in a lot of things going on right now.
Harry Krejsa
Indeed, yes. And, you know, big tech occupies this rare point in our economy of folks who understand energy economics, understand technical risk, and how much Xi Jinping is trying to hack into their systems all day, every day, and are filled with a workforce who wants to be able to say that their work is powering clean energy and making the world a better place.
David Roberts
And crucially, they have giant sacks of money.
Harry Krejsa
Correct.
David Roberts
They're too big to code liberal. They're too big to — I've got to come up with some sort of slogan there, but, like, they have too much money to be dismissed as hippies.
Harry Krejsa
"Right, exactly. And the coding of liberal is attenuating pretty quickly, right?"
David Roberts
And for good reason.
Harry Krejsa
Yes, you know, Sam Altman, announcing the big build-out at the White House, right, with Donald Trump.
David Roberts
Oh, my God, Sam Altman sort of trailing along after all the other tech guys, being like, "Wait, wait up, guys. I like Trump too. Guys, wait up." It's just the most — all right, I won't go off on this. It's just the most pathetic thing in the entire universe.
Harry Krejsa
But, yeah, all the big CEOs, you know, were at the inauguration. They're trying very hard to be nonpartisan and to code as less Democratic. Right. And so that is a valuable factor there where if it looks like the Trump administration is embracing the sprint to artificial intelligence, it looks like they're embracing energy economics, energy dominance, or whatever we want to call it. There's a — to make a Dune reference here — a golden path that unites these things that could push all of this forward.
David Roberts
Right. Clean energy is our digital firewall against China, basically, like, this is the sales pitch. Well, Harry Krejsa, it's been a delight and a pleasure. This is really interesting. This is something I think we'll have to return to in coming years, but I think it is a very helpful intervention to arm the dirty hippies in Volts' listenership with this argument that clean energy is security, is cybersecurity, is conducive to cybersecurity. I think it is a good intervention and very well timed. So thank you for coming on.
Harry Krejsa
Thank you for having me as the most granola-crunching listener in the Pentagon of your podcast. It was an honor to be here.
David Roberts
Thank you for listening to Volts. It takes a village to make this podcast work. Shout out, especially, to my super producer, Kyle McDonald, who makes me and my guests sound smart every week. And it is all supported entirely by listeners like you. So, if you value conversations like this, please consider joining our community of paid subscribers at volts.wtf. Or, leaving a nice review, or telling a friend about Volts. Or all three. Thanks so much, and I'll see you next time.