Monday, April 6, 2020

NERC moves to push back the CIP-013 compliance date



If you’re looking for my pandemic posts, I’ve created a new blog for them. If you’re looking for my cyber/NERC CIP posts, you’re come to the right place.


NERC announced today that they’ve petitioned FERC to move back the compliance date for CIP-013-1, CIP-005-6 and CIP-010-3 to October 1. Moreover, they said that, due to the uncertainty regarding the length of the outbreak and the recovery, they “will continue to evaluate the circumstances to determine whether additional implementation delays may be warranted and submit any appropriate filings with FERC at that time.”

Of course, this is what I advocated, and I’m glad to see it happen. It’s needed for the obvious reason, but it’s also needed because I really don’t think many, if not most, NERC entities have really come to grips with what a good supply chain cyber security risk management plan should include. I’ve said many times that, given how little guidance the standard itself gives, it would be fairly easy to produce a pretty minimal plan that doesn’t really do very much, but would be strictly speaking compliant.

However, if you do this, you’re shortchanging yourself. Supply chain security and ransomware are the two greatest cyber threats worldwide now (and one could argue for either one to be the number one threat). Since you presumably have been given a few shekels to comply with CIP-013, why not at the same time do your organization (and the BES) a big favor and really consider what your supply chain security risks are, and how to mitigate them? As we all know, nothing brings in funding for cyber security better than the prospect of big fines. Don’t let this opportunity go to waste!


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some help on it? Or would you like me to review what you’ve written so far and let you know what could be improved? Just drop me an email!



Dr. Fauci, you need to resign. Today!


  
Dr. Fauci, I’ll be brief. I said last Thursday that you need to admit you’ve been fairly ineffective in changing the course of America’s disastrous response to the novel coronavirus (and if you don’t agree with that assessment, see the numbers below). But I didn’t think there was any point in your resigning at that point, since I thought that, by stating publicly last Tuesday that the maximum number of deaths in the US from the pandemic would be 240,000 - without stating boldly that this would require a total lockdown of the country immediately - you had put your stamp of approval on Trump’s current course. When the total inevitably passed that (which it did yesterday. My numbers below show that, if we instituted a total lockdown today, the total deaths from the pandemic would be 258,000), Trump would just claim that he was relying on your numbers, because you didn’t make clear the big assumption behind them. If you resigned last Thursday, how could you possibly justify doing so, given what you’d just told the nation on Tuesday?

But the whole reason that Americans want you there is that they believe Trump will in general listen to what you say, even when it’s not what he wants to hear. However, the fact that he doesn’t listen to you – and won’t in the future – became clearly evident in the press conference yesterday, when Trump again touted hydroxychloroquine as a cure for COVID-19. As you have said repeatedly, there is still no sold medical evidence that is the case, although trials are ongoing. And when members of the press asked if you agreed with him (you were there next to Trump), he wouldn’t let you answer – although he very truthfully pointed out that you had already answered the question many times. Evidently, he’s glad to have you answer questions, but only if you give the answer he wants.

How can you possibly keep working for Trump after this? You need to resign today, so that you can talk freely with the American people about the real dangers. And what are they? Here are some of the numbers from below. These are based on simple projections of current trends (which BTW have been going down, but at this point the only effect of those drops is to postpone Doomsday by a week or so).

Date on which 500,000 deaths will be set in stone*: April 12
Date on which 1 million total pandemic deaths will be set in stone: April 18
Number of deaths set in stone on April 30: 3,603,124
Date on which the number of new deaths on that day will probably exceed the toll of Sept. 11: April 9 (yes, this Thursday!)
Number of deaths per day on April 30: 80,264



All numbers below are based on yesterday’s reported figures of total confirmed cases, total deaths and total recoveries, published on Worldometers as of about 7 PM EDT April 5. I’m happy to send my spreadsheet that calculates all of these to anyone who wants to check the calculations, although they follow the assumptions described below.

I. Numbers based on total cases, actual and projected
Total US confirmed cases: 336,851
Increase in cases since previous day: 25,214 (vs. 34,030 increase yesterday)
Percent increase in cases since yesterday: 8% (vs. 12% yesterday)
Percent increase in cases since 3 days previous: 37% (vs. 45% yesterday)

“Set in stone” US deaths* over course of pandemic:  258,640 (based on 4% case mortality rate)
*This number assumes a) Total cases grow by 30% into the future (= yesterday’s 3-day growth rate in cases); b) We impose a massive lockdown, with prohibition of all non-essential travel, today; c) New cases drop to zero in 28 days, because of the lockdown, but they continue to grow at the current projected rate up to the 28th day; d) testing is widely available by the 28-day mark; and e) case mortality rate = 4%. To consider a 6% mortality rate, multiply each projection by 1.5. For 8%, double it. For comparison, Italy’s case mortality rate is currently 11.75%.

Projected as of April 13 (7 days from today):
These numbers answer the question: What would happen if we wait seven days to totally lock down the US, based on the assumptions below (which frankly are themselves wildly optimistic).
Total expected cases*: 801,329 (vs. 846,320 projected yesterday)
Total expected deaths set in stone* over course of pandemic: 589,040 (vs. 1,076,775 projected yesterday)
* The expected cases and deaths set in stone numbers assume a) Total cases grow by 30% into the future (= yesterday’s 3-day growth rate in cases); b) We impose a massive lockdown, with prohibition of all non-essential travel, on April 13; c) New cases drop to zero in 28 days, because of the lockdown, but they continue to grow at the current projected rate up to the 28th day; d) Testing is widely available by the 28-day mark; and e) case mortality rate = 4%. To consider a 6% mortality rate, multiply each projection by 1.5. For 8%, double it. For comparison, Italy’s case mortality rate is currently 12.25%.

Projected as of April 20 (14 days from today):
These numbers answer the question: What would happen if we wait 14 days to totally lock down the US, based on the assumptions below (which frankly are themselves very optimistic)?
Total expected cases*: 1,625,701 (vs. 1,997,510 projected yesterday)
Total deaths set in stone* over course of pandemic: 1,248,242 (vs. 2,585,407 projected yesterday)
* The expected cases and deaths set in stone numbers assume a) Total cases grow by 30% into the future (= yesterday’s 3-day growth rate in cases); b) We impose a massive lockdown, with prohibition of all non-essential travel, on April 20; c) New cases drop to zero in 28 days, because of the lockdown, but they continue to grow at the current projected rate up to the 28th day;; d) Testing is widely available by the 28-day mark; and e) case mortality rate = 4%. To consider a 6% mortality rate, multiply each projection by 1.5. For 8%, double it. For comparison, Italy’s case mortality rate is currently 11.75%.

Date on which 500,000 deaths will be set in stone: April 12
Date on which 1 million total pandemic deaths will be set in stone: April 18
Number of deaths set in stone on April 30: 3,603,124


II. Numbers based on total deaths, reported and projected
None of these numbers are changed, since they’re not based on the total case projections.
Total US deaths as of yesterday: 9,620
Increase in deaths since previous day: 1,625 (vs. 1,048 yesterday)
Percent increase in deaths since previous day: 19% (vs. 14% yesterday)
Projected* number of actual deaths on 4/13 alone: 4,134
Projected* number of actual deaths on 4/20 alone: 16,003
* Projected deaths = previous day’s new deaths number, grown by that day’s 3-day percentage growth rate. Note this is calculated completely differently from the deaths set in stone, which refers to projected deaths over the entire pandemic, and is calculated by multiplying expected cases by the mortality rate

Date on which the number of new deaths on that day will probably exceed the toll of Sept. 11: April 9 (yes, this Thursday!)
Number of deaths on that day on April 30: 80,264


III. Reported case mortality rate so far in the pandemic in the US:
These numbers are also unaffected by the error I made.
Total Recoveries in US as of yesterday: 17,977
Total Deaths as of yesterday: 9,620
Deaths so far as percentage of closed cases (=deaths + recoveries): 35% Let’s be clear. This means that, of all the coronavirus cases that have been closed so far in the US, 35% of them have resulted in death (compare that to the 4% mortality rate I’ve been using to calculate total pandemic deaths, based on total cases). Of course, this number will come down as time goes on and more cases are closed in which the victim recovered. But it’s only come down by about 4 percentage points since Worldometers started publishing the recovery rate on March 26, and on about half the days, it’s gone up. I’d say it’s much more likely my 4% mortality rate will turn out to be too low, after the pandemic’s over and all of the bodies have been counted, than it will be too high.




Sunday, April 5, 2020

It turns out I’ve been wildly optimistic!


  
I apologize, but I just discovered this morning that I’d made a simple error in calculating the 3-day percent increase in total cases. Because of that error, my projections of total cases and total pandemic deaths, which are based on that 3-day percent change, were far lower than they should have been.

I have used the corrected numbers in this post, but to help you understand the magnitude of my underestimates (which is huge), I’m including, after each number that depends on the erroneous projection of total cases, what I would have stated before I noticed the error.

This doesn’t apply to my projections of total daily deaths, which are based on the 3-day percent change in reported daily deaths, not the 3-day change in reported total cases.


All numbers are based on yesterday’s reported figures of total confirmed cases, total deaths and total recoveries, published on Worldometers as of about 8 PM EDT April 4.

I. Numbers based on total cases, actual and projected
Total US confirmed cases: 311,637
Increase in cases since previous day: 34,030 (vs. 32,165 increase yesterday)
Percent increase in cases since yesterday: 12% (vs. 13% yesterday)
Percent increase in cases since 3 days previous: 45% (vs. 47% yesterday) I was greatly underestimating this number. Since I always use this number for my projection of total cases, my projections of everything except daily deaths were greatly underestimated.

“Set in stone” US deaths* over course of pandemic:  403,356 (based on 4% case mortality rate) This compares to 107,163, which was based on my erroneous calculation.
*This number assumes a) Total cases grow by 30% into the future (= yesterday’s 3-day growth rate in cases); b) We impose a massive lockdown, with prohibition of all non-essential travel, today; c) New cases drop to zero in 28 days, because of the lockdown; d) testing is widely available by the 28-day mark; and e) case mortality rate = 4%. To consider a 6% mortality rate, multiply each projection by 1.5. For 8%, double it. For comparison, Italy’s case mortality rate is currently 11.75%.

Projected as of April 12 (7 days from today):
These numbers answer the question: What would happen if we wait seven days to totally lock down the US, based on the assumptions below (which frankly are themselves wildly optimistic).
Total expected cases*: 846,320 This compares to 568,645 based on the erroneous projections.
Total expected deaths set in stone* over course of pandemic: 1,076,775 This compares to 354,040 based on the erroneous projections.
* The expected cases and deaths set in stone numbers assume a) Total cases grow by 30% into the future (= yesterday’s 3-day growth rate in cases); b) We impose a massive lockdown, with prohibition of all non-essential travel, on April 12; c) New cases drop to zero in 28 days, because of the lockdown; d) Testing is widely available by the 28-day mark; and e) case mortality rate = 4%. To consider a 6% mortality rate, multiply each projection by 1.5. For 8%, double it. For comparison, Italy’s case mortality rate is currently 12.25%.

Projected as of April 19 (14 days from today):
These numbers answer the question: What would happen if we wait 14 days to totally lock down the US, based on the assumptions below (which frankly are themselves wildly optimistic).
Total expected cases*: 1,997,510 This compares to 1,029,598, based on the erroneous projections.
Total deaths set in stone* over course of pandemic: 2,585,407 This compares to 645,833, based on the erroneous projections.
* The expected cases and deaths set in stone numbers assume a) Total cases grow by 30% into the future (= yesterday’s 3-day growth rate in cases); b) We impose a massive lockdown, with prohibition of all non-essential travel, on April 19; c) New cases drop to zero in 28 days, because of the lockdown; d) Testing is widely available by the 28-day mark; and e) case mortality rate = 4%. To consider a 6% mortality rate, multiply each projection by 1.5. For 8%, double it. For comparison, Italy’s case mortality rate is currently 11.75%.

Date on which 200,000 total pandemic deaths will be set in stone: March 31  This compares to April 12 based on erroneous projections. In other words, we passed this milestone five days ago, meaning we passed the top range of the White House’s projection of total pandemic deaths (240,000) the very day that projection was made public.
Date on which 500,000 deaths will be set in stone: April 6 This compares to April 16, based on the erroneous projections.
Date on which 1 million total pandemic deaths will be set in stone: April 12 This compares to May 2, based on the erroneous projections.


II. Numbers based on total deaths, reported and projected
None of these numbers are changed, since they’re not based on the total case projections.
Total US deaths as of yesterday: 8,454
Increase in deaths since previous day: 1,048 (vs. 1,308 yesterday)
Percent increase in deaths since previous day: 14% (vs. 21% yesterday)
Projected* number of actual deaths on 4/12 alone: 5,876
Projected* number of actual deaths on 4/17 alone: 12,817
* Projected deaths = previous day’s new deaths number, grown by that day’s 3-day percentage growth rate. Note this is calculated completely differently from the deaths set in stone, which refers to projected deaths over the entire pandemic, and is calculated by multiplying expected cases by the mortality rate

Date on which the number of new deaths on that day will exceed the toll of Sept. 11: April 11


III. Reported case mortality rate so far in the pandemic in the US:
These numbers are also unaffected by the error I made.
Total Recoveries in US as of yesterday (4/2): 14,828
Total Deaths as of yesterday: 8,454
Deaths so far as percentage of closed cases (=deaths + recoveries): 36% Let’s be clear. This means that, of all the coronavirus cases that have been closed so far in the US, 36% of them have resulted in death (compare that to the 4% mortality rate I’ve been using to calculate total pandemic deaths, based on total cases). Of course, this number will come down as time goes on and more cases are closed in which the victim recovered. But it’s only come down by about 4 percentage points since Worldometers started publishing the recovery rate on March 26, and on about half the days, it’s gone up. I’d say it’s much more likely my 4% mortality rate will turn out to be too low, after the pandemic’s over and all of the bodies have been counted, than it will be too high.
Note that, as opposed to total reported cases and total deaths, there is no downward trend in this number.


I hope you’ll look over these numbers and consider what they mean. For me, the bottom line is the “set in stone” numbers for total pandemic deaths. They mean that, even if we instituted a total lockdown today (and the other assumptions that you can read for yourself), we will have over 400,000 total deaths during the pandemic. If we wait 7 days to do that, we’ll have over 1 million. If we wait 14 days, we’ll have over 2.5 million. What are we waiting for?


Saturday, April 4, 2020

“The cure is worse than the disease”


  
Yesterday’s numbers (from Worldometers, as of about 8 PM EDT April 2)
Total US confirmed cases: 277,607
Increase in cases since previous day: 32,165 (vs. 30,085 increase yesterday)
Percent increase in cases since yesterday: 13% (vs. 14% yesterday)
Percent increase in cases since 3 days previous: 29% (vs. 30% yesterday)

Total US deaths as of yesterday: 7,406
Increase in deaths since previous day: 1,308 (vs. 985 yesterday)
Percent increase in deaths since previous day: 28% (vs. 19% yesterday)
“Set in stone” US deaths* over course of pandemic:  125,287 (based on 4% case mortality rate)
*This number assumes a) Total cases grow by 30% into the future (= yesterday’s 3-day growth rate in cases); b) We impose a massive lockdown, with prohibition of all non-essential travel, today; c) New cases drop to zero in 28 days, because of the lockdown; d) testing is widely available by the 28-day mark; and e) case mortality rate = 4%. To consider a 6% mortality rate, multiply each projection by 1.5. For 8%, double it. For comparison, Italy’s case mortality rate is currently 11.75%.

Projected as of April 11 (7 days from today):
Total expected* cases: 526,888
Total expected* deaths set in stone** over course of pandemic: 258,708
Projected** number of actual deaths on 4/11 alone: 5,938
* The expected cases and deaths set in stone numbers assume a) Total cases grow by 30% into the future (= yesterday’s 3-day growth rate in cases); b) We impose a massive lockdown, with prohibition of all non-essential travel, on April 11; c) New cases drop to zero in 28 days, because of the lockdown; d) Testing is widely available by the 28-day mark; and e) case mortality rate = 4%. To consider a 6% mortality rate, multiply each projection by 1.5. For 8%, double it. For comparison, Italy’s case mortality rate is currently 12.25%.
** Projected deaths = previous day’s new deaths number, grown by that day’s 3-day percentage growth rate. Note this is calculated completely differently from the deaths set in stone, which refers to projected deaths over the entire pandemic, and is calculated by multiplying expected cases by the mortality rate.

Projected as of April 17 (14 days from today):
Total expected* cases: 876,794
Total deaths set in stone** over course of pandemic: 392,416
Projected*** number of actual deaths on 4/17 alone: 19,669
* The expected cases and deaths set in stone numbers assume a) Total cases grow by 30% into the future (= yesterday’s 3-day growth rate in cases); b) We impose a massive lockdown, with prohibition of all non-essential travel, on April 17; c) New cases drop to zero in 28 days, because of the lockdown; d) Testing is widely available by the 28-day mark; and e) case mortality rate = 4%. To consider a 6% mortality rate, multiply each projection by 1.5. For 8%, double it. For comparison, Italy’s case mortality rate is currently 11.75%.
** Projected deaths = previous day’s new deaths number, grown by that day’s 3-day percentage growth rate. Note this is calculated completely differently from the deaths set in stone, which refers to projected deaths over the entire pandemic, and is calculated by multiplying expected cases by the mortality rate

Reported case mortality rate so far in the pandemic in the US:
Total Recoveries in US as of yesterday (4/2): 12,283
Total Deaths as of yesterday: 7,406
Deaths so far as percentage of closed cases (=deaths + recoveries): 38% Let’s be clear. This means that, of all the coronavirus cases that have been closed so far in the US, 38% of them have resulted in death. Compare that to the 4% mortality rate I’ve been using to calculate total pandemic deaths, based on cases. Of course, this number will come down as time goes on and more cases are closed in which the victim recovered. But it’s only come down by about 4 percentage points since Worldometers started publishing the recovery rate on March 26, and on about half the days (like yesterday), it’s gone up. I’d say it’s much more likely my 4% mortality rate will turn out to be too low, after the pandemic’s over and all of the bodies have been counted, than it will be too high.

Date on which the number of new deaths on that day will exceed the toll of Sept. 11: April 7
Date on which 200,000 total pandemic deaths will be set in stone: April 10
Date on which 500,000 deaths will be set in stone: April 20
Date on which 1 million deaths will be set in stone: April 29

I have had a long, complicated relationship with the Wall Street Journal’s editorial page. When I graduated from college in 19__ (excuse me, I seem to have forgotten the year I graduated. I’ll research that and let you know it in the next six months to a year. Be sure to remind me if I forget), I was coming off my years as an undergraduate economics major at the University of Chicago (including two courses with Milton Friedman).

At that time, the biggest problem was inflation, and the WSJ (following Friedman, of course) was firm in holding that the strategy of trying to hold it down by limiting price increases (started by Nixon, and pursued by Ford and Carter. These were the days when there was bipartisan agreement. Everybody agreed that it was best to pursue the current downhill path; the only problem was we weren’t going downhill fast enough) was doomed to just make the problem worse, without dealing with the direct cause of the problem: an unsustainable rate of increase in the money supply. I certainly believed that was the right analysis, although on most general political issues I disagreed with Friedman (especially in his Newsweek articles in the 1980’s, which went well beyond anything that could be deduced through economic analysis) and the Journal.

Lately, I’ve liked a lot of the Journal’s editorials, especially those opposing tariffs, rubbing China’s nose in their shameful treatment of the Uighurs, etc. However, in general I’ve found a lot of their editorials in recent years seem to take a fairly selective view of the facts (although their reporting has not. I’ve always loved the reporting). This is of course a sin that most editorial pages are guilty of from time to time, and at least they still allow very good opposing opinions to appear in op-eds, especially those of the economist Alan Blinder and the former Chicago mayor and presidential Chief of Staff Rahm Emmanuel.

However, failing to account for all the facts is a recipe for absolute disaster today. We’re seeing the consequences of that in the utter failure of this administration to prepare seriously for the pandemic, even though public health professionals rated the US as best prepared of all countries in the world for a pandemic last year. However, we absolutely need to see the facts clearly now, and take actions that will mitigate the damage, not escalate it.

A couple weeks ago, the Journal was joined by some writers in the New York Times, and many others on both sides of the political divide (and certainly President Trump!), in reciting the mantra that “the cure can’t be worse than the disease.” Meaning: Sure, there would be some benefit to shutting down the entire economy to try to stop the coronavirus cold, but that would lead to so much economic destruction that there would be even more deaths by suicide, etc. (which is of course hugely overblown. Even in the Great Depression, there weren’t many suicides – and the stories about stock brokers jumping out of high rises in 1929 were an urban legend. People will commit suicide in an economic downturn when they see no hope of recovery. If they think the government is working hard to make things better – which they clearly did after Roosevelt came into office in 1933 – they will hang on).

However, I thought events (including the huge and rapidly growing daily increases in total deaths from the virus – 1,000 two days ago, 1500 today, and onwards and upwards!) had already overtaken this view – it certainly has at the Times. But it seems the WSJ isn’t backing off of this idea, as demonstrated in their editorial “The Shutdown Crash Arrives” in today’s paper.

That editorial mainly took issue with the Trump administration for now pursuing a policy that amounts to “Hey Mr. Governor, if you think it might be good, you should think about pursuing a shelter-in-place strategy. But if you don’t think it’s the right thing for your people, far be it from us to tell you what to do.” They think even that policy is too restrictive, and they clearly want the Administration to set a plan to start easing very soon.

The administration’s policy is misguided – I certainly agree with that. But it should be far more restrictive, not the opposite. The fundamental fact is – and many knowledgeable people have said this – that the economy won’t restart until the virus is totally under control, meaning a) almost everyone who has it is under quarantine (along with all of the people they interacted with during the time they were contagious); and b) everyone else is tested regularly to catch new infections early, before those people start spreading it to others. Nobody is going to want to return to work in an office or factory, or patronize a restaurant or store, until they’re sure they won’t catch the virus from the person next to them, period. If we had massive testing available and we could literally test everybody in the country (multiple times, since the tests have reliability problems), and if we had facilities available to quarantine people separately (so they don’t spread it to all of their family members while they’re quarantined with them, as they learned the hard way in Wuhan), we could probably end the total lockdown after a month (which is what I assume in my estimates of total cases over the pandemic), and start to open up then.

But the problem is we definitely don’t have either of these things now, and given the back-and-forth manner in which this administration moves – and the wonderful habit they have of attacking everybody who tries to cooperate with them (for example, 3M and GM, let alone just about any Democratic state governor) – there’s no assurance at all that we’d be ready to start loosening in 28 days, even if we locked down the entire country today.

That is probably why Bill Gates (whose foundation has been doing great work worldwide preparing developing countries for pandemics) said yesterday that there should be a ten-week total shutdown. I’m not sure that we have to commit to doing it for ten weeks up front, but we should definitely first try 4-6 weeks. Assuming we have ubiquitous testing at that time (a stretch, to be sure!), we could then start taking controlled steps to loosen up. But the problem is if we loosen too quickly, the virus will pop back up in another month (remember, there were 100 reported cases in the US at the beginning of March. There were 277,000 yesterday. That can easily happen again and again) and we’ll have to lock down again.

Now, the Journal’s editors know all this – lots of people have been saying we need to lock down, and virtually every country with a growing problem has done this to some degree (my wife is in Vietnam now and the government has locked the whole place down, even though there are only about 200 reported cases and no deaths – although my wife believes they’re suppressing the numbers). Why are they saying this? Do they really believe workers will feel safe venturing out to work soon?

Of course they don’t, and here’s the interesting part: They say they’re very concerned about the workers who can’t work from home - unlike the editors and me and probably you. They want them to be back to work, so they can start earning paychecks again. Implicitly they’re saying “These people will be willing to bear some risk of contracting the virus, just so they can have food on the table.” But why do they have to work to have food on the table? Why don’t we just give them the money they need to survive until the economy is ready to reopen?

Of course, the answer will be “We’re already doing some of that, but there are limits to how long we can do this.” But what does it cost to give people the money they need to survive? Oh, people at the Fed and the Treasury have to go online to a bunch of businesses and individuals. With a few keystrokes, they can give them any amount of money they want.

Then the answer will be “Oh, but that will surely come back later to haunt us as inflation overwhelms us.” Well guess what – we’re overwhelmed now. We’re being offered the false choice between letting people literally starve soon, and forcing them to go back to work, when we know a lot of them will get sick and we’ll be back in lockdown in another month. There really is no option.

What would Milton Friedman say about this? The same thing he always railed about when discussing the 1930’s: The Crash of 1929 could have been a non-event (just like the huge stock market crash of 1987 – the “flash crash” – was), if president Hoover and the Fed had realized that the thing to do in a financial downturn was to create and distribute as much money as needed to get the economy moving again, and also to support people and businesses so that they would still around to power the economy when it came out of its coma. This is ultimately what Roosevelt did, when he ordered signed Executive Order 6102, which forbid hoarding gold. This freed the Fed to greatly increase money in circulation.

We need to do whatever it takes to support people while the economy is shut down. If we don’t do a total shutdown, so that we finally get control of the virus, we’ll be cycling in and out of surges in cases and deaths, until a vaccine is developed and manufactured in quantity enough to vaccinate everybody (probably two years, maybe longer).

Or we could also do nothing useful, which is the course we’re on now. To show you what we’re in for if we choose that route, here are the number of daily deaths I’m projecting for the rest of April. Enjoy reading them!

1918
1793
2381
3491
3263
4333
6354
5938
7885
11,564
10,807
14,351
21,047
19,669
26,119
38,306
35,798
47,537
69,717
65,153
86,518
126,885
118,579
157,463
230,931
215,814
286,583 – That’s April 30. In May, it starts to get really bad.




Friday, April 3, 2020

Kevin agrees with me!



If you’re looking for my pandemic posts, I’ve created a new blog. If you’re looking for my cyber/NERC CIP posts, you’re come to the right place.

Kevin Perry, former chief CIP auditor of SPP Regional Entity, emailed me this morning to agree with my post yesterday, which argued that you shouldn’t worry about having to self-report noncompliance if you decide to change your CIP-013 plan after the compliance date. He said:

I agree (thought you would never hear me say that).

I look at it this way...  threats and risks evolve. Vendors and providers are added or changed.  After-action reviews provide insight as to what worked well and what could have worked better.  Your plan should evolve as the landscape and experience evolve.  No auditor should ever expect CIP-013 perfection out of the gate.

However, I don’t agree with Kevin when he says I thought I’d never hear him say he agreed with me. He agreed with me once in I believe 2014, but then he realized he misunderstood what I said and said he actually disagreed. J

In any case, it is nice to see him agree. And I agree with him when he says no auditor should ever expect CIP-013 perfection out of the gate. On the other hand, he didn’t say no auditor ever will expect perfection. On the other other hand, I think most auditors would currently be stymied if you asked them what CIP-013 perfection was in the first place. Which is one reason why I hope NERC extends the CIP-013 compliance date. There needs to be some training on topics like what a good supply chain cyber security risk management plan should contain, rather than have each Region and even auditor going their separate ways. 


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some help on it? Or would you like me to review what you’ve written so far and let you know what could be improved? Just drop me an email!



There are 3 windows into pandemic deaths. Two are absolutely horrifying. And I’m reluctant to even tell you about the third.


  
Yesterday’s numbers (from Worldometers, as of about 8 PM EDT April 2)
Total US confirmed cases: 245,442
Increase in cases since previous day: 30,085 (vs. 26,710 increase yesterday)
Percent increase in cases since yesterday: 14% (vs. 14% yesterday)
Percent increase in cases since 3 days previous: 30% (vs. 31% yesterday)

Total US deaths as of yesterday: 6,098
Increase in deaths since previous day: 98 (vs. 1,054 yesterday)
Percent increase in deaths since previous day: 19% (vs. 26% yesterday)
“Set in stone” US deaths* over course of pandemic:  118,755 (based on 4% case mortality rate)
*This number assumes a) Total cases grow by 30% into the future (= yesterday’s 3-day growth rate in cases); b) We impose a massive lockdown, with prohibition of all non-essential travel, today; c) New cases drop to zero in 28 days, because of the lockdown; d) testing is widely available by the 28-day mark; and e) case mortality rate = 4%. To consider a 6% mortality rate, multiply each projection by 1.5. For 8%, double it. For comparison, Italy’s case mortality rate is currently 11.75%.

Projected as of April 10 (7 days from today):
Total expected* cases: 473,139
Total expected* deaths set in stone** over course of pandemic: 228,733
Projected** number of actual deaths on 4/10 alone: 3,885
* The expected cases and deaths set in stone numbers assume a) Total cases grow by 30% into the future (= yesterday’s 3-day growth rate in cases); b) We impose a massive lockdown, with prohibition of all non-essential travel, on April 10; c) New cases drop to zero in 28 days, because of the lockdown; d) Testing is widely available by the 28-day mark; and e) case mortality rate = 4%. To consider a 6% mortality rate, multiply each projection by 1.5. For 8%, double it. For comparison, Italy’s case mortality rate is currently 11.75%.
** Projected deaths = previous day’s new deaths number, grown by that day’s 3-day percentage growth rate. Note this is calculated completely differently from the deaths set in stone, which refers to projected deaths over the entire pandemic, and is calculated by multiplying expected cases by the mortality rate.

Projected as of April 17 (14 days from today):
Total expected* cases: 911,309
Total deaths set in stone** over course of pandemic: 554,406
Projected*** number of actual deaths on 4/17 alone: 25,701 This is down 9,000 from the number yesterday, because the 3-day growth rate dropped from yesterday to today. Hopefully, it will continue to drop, but that depends on how serious the Federal government is about enforcing social distancing. Currently, they leave a lot to be desired in this regard.
* The expected cases and deaths set in stone numbers assume a) Total cases grow by 30% into the future (= yesterday’s 3-day growth rate in cases); b) We impose a massive lockdown, with prohibition of all non-essential travel, on April 17; c) New cases drop to zero in 28 days, because of the lockdown; d) Testing is widely available by the 28-day mark; and e) case mortality rate = 4%. To consider a 6% mortality rate, multiply each projection by 1.5. For 8%, double it. For comparison, Italy’s case mortality rate is currently 11.75%.
** Projected deaths = previous day’s new deaths number, grown by that day’s 3-day percentage growth rate. Note this is calculated completely differently from the deaths set in stone, which refers to projected deaths over the entire pandemic, and is calculated by multiplying expected cases by the mortality rate

Reported case mortality rate so far in the pandemic in the US:
Total Recoveries in US as of yesterday (4/2): 10,411
Total Deaths as of yesterday: 6,098
Deaths so far as percentage of closed cases (=deaths + recoveries): 37% Let’s be clear. This means that, of all the coronavirus cases that have been closed so far in the US, 37% of them have resulted in death. Compare that to the 4% mortality rate I’ve been using to calculate total pandemic deaths, based on cases. Of course, this number will come down as time goes on and more cases are closed in which the victim recovered. But it’s only come down by about 4 percentage points since Worldometers started publishing the recovery rate on March 26, and on about half the days, it’s gone up. I’d say it’s much more likely my 4% mortality rate will turn out to be too low, after the pandemic’s over and all of the bodies have been counted, than it will be too high.

Date on which 200,000 deaths will be set in stone: April 9
Date on which 500,000 deaths will be set in stone: April 19
Date on which 1 million deaths will be set in stone: April 28

I’ve come to realize that this blog is about death. Most, if not all, of the news stories and opinion pieces I’ve read on the pandemic talk mainly about cases in their projections. When they talk about deaths, they quote the official sources, who tend to look completely on the optimistic side of things. For example, the White House press conference on Tuesday gave a range of 100,000 to 240,000 for total deaths, which will be out of reach within two weeks (the lower end is already out of reach).

And these estimates are based on implicit assumptions that are almost exactly like mine: a) there will be a massive nationwide lockdown by next week, including prohibition of all non-essential travel; b) it will be 100% successful, and new cases will drop to zero 28 days later; and c) testing will be freely available 28 days later, since the virus will come roaring back if that’s not the case. These are the same assumptions I use when I compute my “set in stone” estimates for total pandemic deaths. Unfortunately, I see no movement at all to enforce a total lockdown and travel ban on the Federal level, and it’s very doubtful even now that testing will be available in 28 days, in the numbers necessary to restart the economy (I would think many businesses will want employees to be tested every day, before they’ll let them in the workplace. The same with all medical workers, grocery store workers, etc. We could easily need more tests every day than we have available at all, even a month from now).

More importantly, my set in stone estimates of total pandemic deaths are based simply on the reported case numbers, grown by the most recent 3-day growth rate. Yet there’s widespread agreement among epidemiologists that the actual number of cases in the US today is at least ten times the reported number (and the Prime Minister of Australia said the same thing yesterday about his country, although their reported cases are still far below ours). So what the total cases number reflects now isn’t total cases at all: it’s simply the availability of tests. As tests become more and more available, total cases will grow faster and faster, and my set in stone numbers will grow even faster than they are.

My set in stone estimates are also based on the estimated case mortality rate; I’m using 4% for that now, but there are lots of reasons to think that’s too low. More on this below. So as of this moment, my set in stone numbers can’t be trusted as a long-term estimate of total deaths. This is the first of the three “windows” mentioned in the title.

What can be trusted? The second window is most reflective of actual cases, and that is total reported deaths. The virus can kill anybody, regardless of whether there case has been reported or not. So the daily deaths numbers are in fact a reflection of actual cases, not reported ones.

Up until this week, I didn’t try to project this number, since there were so few data points and initially the numbers were so low. However, we now have a month of data points, and the numbers are high enough that they won’t jump around as much. What do these numbers show? In contrast to the reported case numbers, which were growing at around a 100% three-day rate a few weeks ago but are now growing at about 30% and hopefully will continue to fall (because of social distancing, of course), the daily new death numbers don’t seem to have a long-term trend, and are in general growing around 100% every three days (yesterday it was 92%).

And will the growth rate in new deaths decline in the near term? There’s no particular reason to believe that; indeed it would probably be expected to go up, since there are so many more uncounted than counted cases out there. As time goes on, there will be many more previously uncounted cases dying than counted ones (remember, an uncounted case usually doesn’t get counted until the victim feels bad and goes to the hospital).

I’m projecting these numbers out at the current three-day growth rate. You can see some of these projections above:

  1. One-day deaths on April 10 will be 3,885. This will be the second day on which total COVID-19 deaths will exceed deaths on September 11.
  2. One-day deaths on April 17 will be 25,701. This is down by about 9,000 from the number I reported yesterday for April 16, because the growth rate fell from 105% to 92%. Even then, of course, this is more than eight times the September 11 toll.
I’ll give you a couple more numbers that are further out, although of course the accuracy gets less and less as you go out. On April 24, there will be 163,253 new deaths recorded. And on May 3, total one day deaths are over one million.

So this is the second window. What about the third? I’ll discuss that soon. I need to go back to my day job now, plus I want to give you time to absorb the numbers I just put down, especially the idea that in May we’ll start to have deaths in the millions every day.

I’ll leave you with one thought: The only way to prevent death numbers like this is massive and total social distancing and a total halt to non-essential transportation. At first, Italy, Spain and the UK all tried halfway measures like the ones we have in place now, and they realized they weren’t going to work. And Sweden, which just a week ago was touted by the New York Times as a country that had seemed to find a way to control the virus without going the total lockdown route, acknowledged they’d made a mistake and instituted a total lockdown a few days ago.

What’s the difference between those countries and us? They have governments that can look at the evidence, admit they made a mistake, and change course. Because of this, when the pandemic’s over, our total deaths will make theirs pale by comparison (both in absolute terms and as a percentage of the population), even if we instituted a total lockdown today.



Thursday, April 2, 2020

Can you change your CIP-013 plan after July 1?



If you’re looking for my pandemic posts, I’ve created a new blog for you. If you’re looking for my cyber/NERC CIP posts, you’ve come to the right place.

People who have been dealing with the NERC CIP standards for a while usually get all sweaty and nervous when the compliance date for a new standard is coming due. Obviously, they’re worried they might not get everything done that they need to by the compliance date, but there’s a much bigger concern I’m sure everyone thinks about: What if the compliance program we put together misses the point in some way (or all ways)? Will we run for months or years with a non-compliant program, racking up new violations every day?

And with CIP-002 through -011, that’s a very big concern. Suppose you had put together what you thought was a good plan to comply with say CIP-007-5 R2 (patch management) and you implemented that plan on the compliance date, which was July 1, 2016. But a year later, you realized you should have been patching device drivers all along (perhaps when you read this post, which I know led to anguished discussions in at least a few NERC entities).

Will fixing the problem be simply a matter of making some changes to your procedures? Unfortunately not. You’re most likely going to have to self report violations of CIP 7 R2, starting on the compliance date and continuing for the year or so it took you to realize this problem. Of course, one hopes that you won’t get hit with a fine for this, since of course device drivers are never mentioned in the standard. But no NERC entity would ever feel good about self reporting any violation, even if you won a trip to Disney World for doing so.

My guess is many NERC entities may feel that the situation is the same with your CIP-013 supply chain cyber risk management plan: You had better get it right by the compliance date, because making any change thereafter will mean you’ve been out of compliance up to that point.

Well, I have good news: That’s not the case with CIP-013. Remember, CIP-013-1 R1 requires you to develop a supply chain cyber risk management plan (and it implicitly requires you to develop a good plan, not just write “CIP-013 Plan” on the top of a sheet of paper and hand it to the auditor), and gives you a few – but just a few! - pointers on what to include (of course, the plan must include the six items in R1.2, although those certainly aren’t the sum total of what should be in your plan).

Unless you just don’t even put a good effort into figuring out what should be in a good plan (and I recommend attending the NERC RSTC Supply Chain Working Group webinars, which you’ll also be able to listen to in recorded format later), you shouldn’t be assessed any violation for say not including X in your plan, unless X is specifically required in R1.1 or R1.2.

Let’s say you make substantial changes to your plan six months after the compliance date. You should document why you made these changes, but in general your story should be “We had a good plan on the compliance date, and we have a better plan now.” How could the auditors possibly have a problem with that?

Of course, I’m sure there are some long-time CIP types who will laugh cynically when they hear that question and respond “I’ll tell you how: We got a potential violation for Y, even though Y was never in the standard.” I’d have to agree with you, having recently told the story of a NERC entity who was audited for CIP-014 (which also requires the entity to develop a plan, but provides close to no guidance on what should be in it) and was given a PNC for not including anti-tank barriers in their plan to protect the substation. The last time I looked at CIP-014, it didn’t require anti-tank barriers. This will without a doubt be thrown out, but it is a huge drain on time and energy for the compliance people and the lawyers as they fight this. I certainly hope NERC doesn’t allow the same situation to happen with CIP-013 auditing, and there are many reasons to believe it won’t – although I’ll say that much more readily when I hear that NERC has put together a program to train auditors on auditing CIP-013, since it’s so different from the other CIP standards.

In other words, even if the CIP-013 compliance date remains at July 1, you should feel comfortable doing your best to develop a good plan, given the resources and time you have to do that. And you might even plan now on revising the plan say six months after you put it into effect (along with the revising you’ll do every 15 months to comply with R3). As the man said, CIP-013 is very different from the other CIP standards.

And now, a word from our sponsor
The team at Tom Alrich LLC is proud to have been the primary sponsor of Tom Alrich’s blog since we started up in early 2018. We’ve very much enjoyed working with Mr. Alrich, while of course we do have our occasional differences of opinion with him. We want you to know that we are working closely with Tom to offer your NERC entity a full set of services for developing or revising your CIP-013 plan, no matter where you are on the road to CIP-013 compliance.

For example, we are starting to work with entities that have already developed what they think is a good plan, but would like to hear Mr. Alrich’s ideas for making it better. Others aren’t that far along, and want to have some good guidance as they put their plan together. Whatever your needs, drop Tom an email, so you can set up a time to discuss – remotely, of course! – your unique situation.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.