"Your government has failed you... Every major company in the United States has already been penetrated by China." These are alarming words. But that's the analysis of our current cybersecurity status by Richard Clarke, the United States' former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism. Indeed, the theft of digital information alone is said to cost American companies in the neighborhood of $250 billion every year. As one of only three members of Congress who currently holds a patent, I am keenly aware of the importance of intellectual property protection, a goal that is impossible without effective cybersecurity.

But while the economic effects of cyberattacks are already staggering and unquestionably must be addressed, the true threat is the prospect of a hacker -- whether operating alone or backed by a rogue regime -- infiltrating vital components of our infrastructure and wreaking havoc. The topic is a timely one. Just yesterday, it was reported that computer networks at major South Korean institutions, including banks and broadcasting networks, crashed simultaneously. Though unconfirmed, all signs seem to point to a cyberattack originating in North Korea.

A recent project by Deutsche Telekom, the parent company of T-Mobile, has highlighted just how ever-present the threat is. Earlier this month, the company set up 97 "honeypot" systems all over the world that appear to hackers to be vulnerable networks, computers, and websites. Deutsche Telekom created a map showing, in real-time, the number of attempted cyberattacks these systems were enduring, as well as the point of origin of the attempted attacks. A visit to the online map indicates a continually-flashing catalogue of world-wide attempted cyberattacks -- with sometimes half a dozen or more attempted attacks occurring every second.

It is an overwhelming problem without one single, simple, comprehensive fix. But any attempt to address the issue absolutely must include provisions to facilitate voluntary information sharing. When cyberattacks occur, the entities affected must have an efficient and effective means of sharing relevant information with other companies that could find themselves at-risk, as well as with authorities. By pooling all of the information we have about the sources and nature of various cyberattacks, we are far more able to effectively respond, if not avoid the attacks entirely.

But in the midst of all the discussion above, we must not miss the forest for the trees by ignoring a less discussed threat to our infrastructure and electric grid: the prospect of an electromagnetic pulse (EMP) of either natural or man-made origin that could disable any electrical components on a catastrophic scale. Whether originating from the sun -- we are currently in the middle of the "solar maximum," during which the sun is expected to be most active -- or from a rogue regime like Iran -- which has conducted tests consistent with EMP attacks -- such a burst of electromagnetic energy could disable large swaths of America's electric grid and become the ultimate cybersecurity threat.

The threat has received attention from organizations ranging from NASA, the National Association of Scientists, and the Federal Energy Regulatory Commission. All of them reached the same conclusion: our civilian electric grid is vulnerable to EMP. Ongoing and largely successful efforts over the years have hardened much of our critical defense apparatus to electromagnetic pulse. However, in the continental United States, the Department of Defense depends upon an unsecured civilian grid for 99 percent of its electricity supply, without which it cannot successfully effect its mission. Thus our ability to defend the homeland, as well as much of our ability even to function as a modern society, would be greatly compromised should we find ourselves unprepared in the face of a major unexpected attack or a solar event like the 1859 solar superstorm (or Carrington Event) that caused aurorae worldwide, and knocked out telegraph systems -- the only major electrical system in the world at the time -- all over Europe and North America. Telegraph systems were so overwhelmed by the burst of energy that fires were started by the sparking telegraph pylons. Another large solar event occurred in 1921, and the National Academy of Sciences predicts this effect will recur globally approximately once every 100 years. In other words, we could be due for another occurrence.

It is time we take the relatively inexpensive steps necessary to make our transformers and other major grid components survivable to such a threat to our national security.

To that end, as Chairman of the Congressional EMP Caucus, I introduced the SHIELD Act (H.R. 668) last Congress and will soon reintroduce it in the new Congress. The bill would finally take the first critical measures to protect our grid from a potentially catastrophic electromagnetic pulse.

We live in an almost miraculous digital age. Unfortunately, our modern electric technologies are far more susceptible to cyber attack and electromagnetic pulse than ever before, and we are far more reliant on those systems than ever before. This year, even as we witness what NASA has called "unexpected" solar activity, along with the threat posed by radical regimes with nuclear weapons capability, may we seize the opportunity to finally begin to systematically address all dangerous cyber threats, including those that could be precipitated by a major man-made or natural electromagnetic pulse, and begin to ensure that our reliance on digital systems is finally matched by our ability to defend those systems.

Every one of us depends on a safe, secure and reliable energy supply – to light our homes, power our businesses and ensure our national security. As such, the electric utility industry must be actively engaged in addressing cybersecurity threats that arise and make every reasonable effort to protect our infrastructure against cyber threats. As our industry increasingly relies on electronic and computerized devices and connections, and cyber threats become more complex, cybersecurity will remain a constant and very real challenge.

Fortunately, the electric utility industry is well on its way to implementing cybersecurity standards to safeguard our critical infrastructure. In fact, the electric power sector is the only industry with mandatory, enforceable cybersecurity standards. Drafted with input from grid engineers, information technology experts and federal regulators, this common set of standards helps to ensure reliable operation of the electric grid.

However, while standards enforce a baseline level of security, they alone are not sufficient. Cyber threats are constantly and rapidly evolving. They require quick action and flexibility that can come only from constant vigilance and close collaboration with the government. To continue our progress on cybersecurity protection requires improved information-sharing and public-private partnership between industry and federal and state governments.

The private sector is sometimes disadvantaged in assessing the degree and urgency of possible or perceived cyber threats because of its limited access to intelligence. The government, entrusted with national security, has access to volumes of intelligence that electric companies do not. At the same time, electric utilities understand how their complex systems are designed and operate, and are in a unique position to understand the consequences of a potential malicious act and proposed actions to prevent such exploitation.

President Obama’s executive order on cybersecurity last month was a clear step in the right direction. It calls for permitting intelligence to be gathered on cyberattacks and cyberthreats to utility networks and other critical infrastructure, which would allow utilities to better protect themselves, our citizens and our economy.

In addition, we have long supported cybersecurity legislation that would facilitate greater cooperation, coordination and intelligence-sharing between government and the private sector. The proposed CISPA legislation would provide utilities timely and actionable information from government partners that can help protect our computer networks. It could remove legal and logistical barriers that have limited the sharing of cyber threat information. In addition, we believe the information-sharing CISPA envisions would supplement, not replace, public-private partnerships already in place, which continue to mature.

But improving information-sharing is only part of the solution. It is important that we continue to develop an “operational relationship” at the highest levels of both government and industry. And we must conduct drills on a regular basis to ensure that, in times of crisis, those with relevant information and operational expertise can coordinate and communicate quickly and seamlessly.

Some have raised concerns over the potential impact of legislation on privacy rights. But we believe CISPA can improve the way we prevent, deter and mitigate the cyberattacks we face while protecting individuals’ right to privacy. As an electric and gas utility company, we take very seriously our responsibility to ensure our customers’ personal information and data are safeguarded. And we believe CISPA would facilitate the voluntary exchange of information between the public and private sectors in a way that respects and protects individuals’ privacy rights.

In 1994, Tom Clancy wrote Debt of Honor, which included an economic attack on the U.S. stock market caused by a computer “logic bomb” that led to the collapse of the stock market. In less than 20 years, cyber warfare and cyber terrorism have gone from fiction to major economic threats.

The Obama Administration and Congress have not been able to agree on the best legislative path forward, in part because of wrangling over which agency should have the lead in implementing legislation. This bureaucratic infighting is analogous to rearranging the deck chairs on the Titanic. We are engaged in the new warfare of the 21^st century and the government should react with focus and seriousness. That was supposed to be accomplished through the creation of the Department of Homeland Security.

Companies have indicated a willingness to share information with the government and to pursue mechanisms for coordination as well as sharing. If all of the issues involving cyber security cannot be dealt with in one piece of legislation, then Congress and the Administration should make progress one-step at a time. If there is no beginning, there can be no end point!

To get around congressional gridlock, the president issued a cybersecurity Executive Order to address security gaps in the critical infrastructure computer networks. The EO is supposed to improve information sharing about cyber threats between government and industry and establish a set of cyber security best practices for companies that operate critical infrastructure, such as water systems, power plants and telecommunications networks.

While this first step was probably necessary, it is mainly a stop- gap measure and that is hardly sufficient. Until Congress acts, the Administration should supplement executive branch actions with a public-private mechanism that represents true collaboration, especially on best practices, legal protections, and real time information sharing. The government should not presume that it has a monopoly on the best path forward. Private companies have strong incentives to make strategic investments in cyber security and to work together in better understanding risks and counter measures.

The cyber attack last year on Saudi Aramco computers is an example of the significance of the threat. It would have been catastrophic if it had caused a shut down in production. Even a very short interruption would have caused crude oil prices to spike significantly. Similarly, a successful attack on computers controlling power generation and distribution, pipeline flows, and refinery operations would cause serious economic havoc.

A 2012 research report from Rice University concluded that energy companies face vulnerabilities to their control systems serious enough to disrupt operations. It stated, “The potential for a real cyber-attack capable of physically impacting electricity generation and transmission as well as upstream and downstream oil and gas operations has moved from hypothetical to possible.” It also concluded that “Energy firms ... must reorient from a reactive, tactical posture regarding intrusions and attacks to a more strategic, holistic view that expands beyond the categorization of the issue as only an IT problem.”

Cybersecurity has to be as deeply embedded into company cultures as health and safety operating practices. Conducting risk assessments, prioritizing corporate resources, proactively planning, and effectively interacting with government policy makers are all necessary components part to being prepared. But, they are not sufficient. Cyber warfare or cyber terrorism involves nation-states as well as groups and individuals who are hostile toward our way of life. Hence, the threats are both more diverse and more numerous.

That makes countering them much more complex and places a very high premium on high quality intelligence and responding to ambiguity. In her book, Pearl Harbor: Warning and Decision, Roberta Wohlstetter observes, “since we cannot rely on strategic warning, our defenses… must be designed to function without it. …We shall prearrange actions that are right and feasible in response to ambiguous signals…that might be false.” While she was referring to actions related to thermonuclear war, the observation is also relevant to cyber warfare.

Last week, National Intelligence Director James Clapper declared that “a cyberattack is the number one threat to the country.” The White House recently called upon China to take “serious steps” to stop hackers from breaking into the computer networks of American companies. And this week, Treasury Secretary Jack Lew will reinforce that message when he meets with Chinese leaders in Beijing.

Without question, a cyberattack on America’s energy infrastructure—if successful—could do great damage to the economy. In a worst case scenario, parts of the electric power grid would go down, oil and gas flowing through pipelines would stop moving, and refineries and power plants would become inoperable. So how can we best protect ourselves against such an event?

Asking the Chinese and other hacker havens to behave isn’t enough. Though Director Clapper admits the chances of a major cyberattack against critical infrastructure systems are remote for the next several years, the threat remains. Still, Congress was unable to pass a cybersecurity bill last year because of concerns about privacy rights. Congress is again holding hearings, and the House Intelligence Committee has re-introduced a bill that would improve information-sharing about cyber threats between government and industry.

This is an important step because the lion’s share of America’s energy infrastructure is owned by private companies. We also need legislation that will incentivize private companies to implement tough cyberstandards, increase law enforcement powers to fight cybercrimes, and establish rules for reporting data breaches.

Though it may not be true in football, when it comes to cybersecurity the best offense may be a strong defense.

Cybersecurity is not new to the electric power industry—it has been a growing priority over the past decade. Protecting the nation’s electric grid and ensuring a reliable supply of energy are the industry’s top priorities. As the trade association representing nearly every shareholder-owned electric utility in the United States, the Edison Electric Institute (EEI) understands that, in addressing cybersecurity, close coordination and preparation with the government—and with each other—are imperative. Critical infrastructure protection is a shared cause that demands planning, as well as an understanding of roles and responsibilities ahead of time.

The electric power industry currently employs threat mitigation known as “defense-in-depth” that focuses on preparation, prevention, response, and recovery. We partner with federal agencies, including the Federal Energy Regulatory Commission (FERC), the Department of Homeland Security (DHS), and the Department of Energy (DOE) to improve sector-wide resilience for cyber threats. The industry also collaborates with the National Institute of Standards and Technology (NIST), the North American Electric Reliability Corporation (NERC), and federal intelligence and law enforcement agencies to strengthen its cybersecurity capabilities.

It is important to remember that the electric power industry is the only industry with mandatory and enforceable cybersecurity standards. As threats to the grid grow and become more sophisticated, the industry is continuing to strengthen its defense against cyber attacks. The industry also is supporting passage of comprehensive cybersecurity legislation that respects the sector’s existing regulatory regime and encourages close coordination among all stakeholders.

EEI shares the President’s goal of protecting critical infrastructure from cyber attacks, and the recent Executive Order represents another step toward improving government-industry coordination. We continue to build solid relationships with government agencies, and the President’s Executive Order will provide helpful clarification on agency roles and authority. However, it does not preclude the need for congressional action to address statutory changes and liability protection that will improve information sharing and access to classified information that the private sector needs to serve as the first line of defense.

Critical infrastructure is deemed as such because it is essential to national security. Each cybersecurity situation requires careful, collaborative assessment and consultation regarding the potential consequences of complex threats, as well as mitigation and preventive measures, with owners, users, and operators of the electric grid. Promoting clearly defined roles and responsibilities, as well as effective processes for ongoing consultation and sharing of information between government and the private sector, is the best approach to improving cybersecurity and protecting the power grid.

The natural gas pipeline industry takes cybersecurity very seriously, and we are working cooperatively with government agencies to protect our computer systems – both business systems and operational control systems – from cyber-attacks.

We believe Washington should be involved in helping to protect the nation’s critical industries from cyber-attacks, but we also believe a voluntary, collaborative system is the key to success.

Cyber threats are constantly changing and evolving. Setting up a prescriptive regulatory system to deal with them would stymie the ability to protect systems, combat attacks in progress and promote the information-sharing necessary to help protect companies and industries.

Instead, we support voluntary programs that encourage partnership, collaboration, sharing of information and technology and preparedness to mitigate and respond to evolving cyber threats.

The Transportation Safety Administration, which oversees cybersecurity on pipelines, agrees with us that the voluntary approach is both effective and preferred. Last year, in a Congressional Research Service report, the TSA said most U.S. pipelines “meet or exceed” industry security guidance. And it asserted that it achieves better security – and a better cooperative and collaborative relationship with its industry partners—with voluntary guidelines.

Interstate natural gas pipelines are vital to the nation’s economy, moving about a quarter of the nation’s energy safely and reliably every day. Still, it is important to put into perspective what a cyber-attack might – or might not – be able to do to a pipeline.

Some have suggested that cyberterrorists could “blow up” a natural gas pipeline by forcing the pressure of the pipeline to increase to a level high enough to cause a catastrophic rupture. The fact is that natural gas pipelines have a number of mechanical safeguards in place – and independent of the computer system – that would kick in to prevent over pressurization of the pipeline.

While the risk of a catastrophic pipeline failure via cyber-attack is remote, pipelines want to do everything they can to avoid cyberthreats. Like other industries, pipeline companies hold sensitive business secrets and confidential documents – ranging from merger and acquisition material to employee data – on their computers. We do not want that information in the hands of others.

Based on the sheer number of attacks in the past few years, it has become apparent that cyberthreats are real, and that business and government need to take steps to mitigate that threat. It is important, though, that we promote a voluntary, collaborative system because that is a system that has proven to work.

We are facing an immense threat from penetration by cyber-terrorists and thieves into our critical infrastructure. Recently we have read how cyber-thieves have infiltrated The New York Times as well as the innards of our largest corporations. We fell into this inadvertently as our entire economy has moved to digital equipment and our advanced cellular network drove us into the internet age. This technology evolution and interconnection has increased efficiency, lowered operations and maintenance costs, and allows an ability to arbitrage a complex set of actions and interactions. My interdisciplinary energy courses spend the first part of our learning about all the grids our industrial society depends upon – water and sewage pipelines, petroleum and natural gas pipelines, railways and airlines and ports, internet (data centers) and cellular, phone lines and cable lines, electric lines, and roadway bridges and signage – now all digital with wired and wireless controls.

I am sorry to say, that as much as we would like to stay technologically ahead of these terrorists – it is “at best” a hit-or-miss game. Some of these cyber groups are large governments while others are global crime cartels. In between are some of the most entrepreneurial talented businesses and pranksters – and they are all focused on thievery or disruption or both. That is the world in which we live, and I am here to say – just like those that predicted some spectacular event (now known as September 11^th) - that some large, dangerous, exceedingly disruptive event tied to our infrastructure will happen, and it could be catastrophic.

Those of us in the distributed and renewable energy field have been advocating aggressive energy efficiency to reduce energy requirements for all facets of the various grids mentioned above. And then on-site energy generation with storage dedicated to run the pipeline pumps, cell towers and datacenters as well as repeaters and switches, signage and transportation support, and even routers and phone systems in buildings including elevators and potentially cooling/heating systems. While many of these systems have diagnostic protocols, they cannot be controlled functionally. Distributed dedicated energy units which in most cases do not need fuel delivery supply chains, add resiliency and redundancy to a very vulnerable grid. In more that half of the grids, these new distributed and super-efficient technologies are cost-effective now and if properly financed, could be cash positive the day they are installed. And in fact, many of our largest corporations adopt just this strategy for their overseas corporate campuses. We have both a moral and national security obligation to prevent this eventual intense disruption – that could not only disable our infrastructure but cause deaths and human harm. The economic harm will also be as grave because these sustain our way of living. There are no silver bullets here because every time we create some new cyber-security innovation, there will be those that will figure ways to circumvent or overpower them.

Currently, a small portion of this infrastructure utilizes diesel generators. As we found out during Katrina, when the electric lines were down, we couldn’t pump the stored diesel fuel, and of course with the flooding, we couldn’t move fuel around. Only a resilient, redundant, and independent energy system will be one of the many paths, we as a nation must implement as soon as possible.

Congress must act to allow existing programs within the federal agencies that provide support for State and local governments, transportation and critical infrastructure to direct a portion of their existing funds for these purposes. Federal bonding and tax credits already passed for infrastructure upgrades must explicitly allow these kinds of upgrades.