Regulatory Red-Teaming
Regulatory Red-Teaming
How to anticipate the market response and plug your regulatory loop holes.
🤠 Howdy to 2,413 climate buddies 🌳
Climate is not a technology problem but a story problem.
Delphi Zero is a consultancy and newsletter about the narrative potential of climate.
📧 If you are opening this essay in your email inbox, I recommend to click on the title of this piece to enjoy the full-length version in the browser.
Today, we’ll see what energy regulators can learn from cyber security 👺
Regulatory Red-Teaming
By Art Lapinsch
Earlier this week, a friend sent me a news article titled “Methane emissions from gas flaring being hidden from satellite monitors.”
That doesn’t sound good.
tl;dr: Gas companies have found a clever way to circumvent methane-reduction regulations. And that’s bad news.
This essay explores how regulators can use a cyber security principle to regain the upper hand in this Regulatory Cat-and-Mouse-Game.
Regulatory Law: A Cat-and-Mouse-Game
Why do we regulate?
It’s because we assume that without preemptive rules, some games would get out of hand.
Regulation (ex-ante = before the game starts): Regulation is used when you assume that cheating (i.e. market failures) is the norm. Regulators (i.e. the rule makers) try to anticipate the most likely offenses and establish rules to prevent such conduct. In the case of football, it would be FIFA or UEFA 📘
Competition Law (ex-post = during or after the game): Competition Law is used when you assume that cheating is the exception. Judiciaries (i.e. judges; arbiters; etc.) watch the game and interfere when they spot an infraction of the rules. In the case of football, this would be the referee 👮♀️
The job of a regulator is to tackle existing and anticipated problems by introducing rules (i.e. policies; laws):
An example of a hypothetical policymaking sequence looks like this:
1 🎯 Policy Objective: Reduce Greenhouse Gas (GHG) emissions from transportation by 95%.
2 ⚖️ Policy Instrument: Prohibit selling combustion engine vehicles in Belgium starting in 2027.
3 📉 Policy Outcome: Emissions drop by X% between 2027 – 2032.
4 🔎 Policy Evaluation: GHG emission reductions between 2027 – 2032 did not meet the policy objective.
5 🔄 Rinse & Repeat: Expand prohibitions into different types of vehicles (e.g., marine vessels, commercial airplanes, etc.).
At the end of the day, it’s like a cat-and-mouse-game on a societal scale.
😺 Cat = Regulator (i.e. ACER - Agency for the Cooperation of Energy Regulators)
🐭 Mouse = Regulated Subject (i.e. power producers [electricity; gas]; TSOs/DSOs; energy retailers)
The goal of the cat is to prevent the mice from going loco 🧀
But as with many other fields, the job of a regulator is tough. Most of the time, you’re a few steps behind and have to catch up with the realities of the market.
That’s only one of many other problems: Lack of funding; competing political interests; regulated subjects with strong commercial incentives and deep pockets → lobbying; public pressure/discourse; time pressure; etc.
Being the cat ain’t easy 😿
Regulatory Failure: When the Cat’s Away, the Mice Will Play
To see what happens when the cat’s away, we can look at the earlier example of methane flaring.
Methane Flaring 101
Methane (i.e. CH4; natural gas) is really bad for the environment 😶🌫️
It has a 72x heat absorption rate compared to CO2.
It stays ~10 years in the atmosphere compared to 200+ years for CO2.
It’s important but mostly it’s urgent. The goal should be to reduce Methane emissions as quickly as possible.
Before we continue, you need to learn about “flaring” 👇
Anthropogenic methane emissions primarily come from agriculture and energy …
Most emissions stem from three actions — leaking, flaring, and venting — that account for ~25% of all methane released by human-caused activities.
💨 Leaking (“fugitive emissions”) occurs primarily from natural gas escaping due to poor maintenance and broken equipment.
🔥 Flaring occurs when unsafe pressures build up during extraction, so gas is released and ignited to turn methane into carbon dioxide. Research suggests flaring has ~91% efficiency — but near-continuous flaring at many drill sites means this quickly adds up.
🏭 Venting is the intentional release of natural gas without ignition, generally due to faulty flaring equipment and unlit flares, but sometimes intentionally if operators lack the infrastructure to sell or equipment to flare it.
(source: CTVC)
Methane Flaring Regulation
So, now that you know, let’s have a look at what the regulator tried to:
Policy Objective: Reduce Routine Flaring by 2030.
Policy Instrument: One of the policies was the non-legally-binding Zero Routine Flaring Initiative of the World Bank. Introduced in 2015, it tried to incentivize governments and oil/gas companies (a) to reduce Routine Flaring by 2030 and (b) to self-report on the progress.
Sounds good and all, but as you’d expect, oil/gas companies found a loop hole.
As the Guardian writes “the only method of detecting flaring globally is by using satellite-mounted tools called Visible Infrared Imaging Radiometer Suite of detectors (VIIRS), which find flares by comparing heat signatures with bright spots of light visible from space.”
Methane Flaring Loop Hole
Now, the mouse might think: As long as my flaring activities are “invisible”, the cat doesn’t know what I’m doing.
And so, the “Enclosed Combustor” was born. Think of it as a cone-shaped hat on top of a flaring flame, with the sole purpose of hiding the heat signature of your flaring activity from VIIRS detectors.
We went from flaring methane with an open flame (2016) to burning it with a concealed flame (2018).
The regulator can’t observe the heat signatures via the VIIRS system and relies on the self-reporting of the oil/gas companies.
Did they report correctly or were they tempted to under-report? What do you think? 🙄
Methane Flaring Regulation 2.0
Policy Outcome: Emergence of “Enclosed Combustor” hardware across the US and EU.
Policy Evaluation: The regulator needs to do something about the failed policy
Rinse & Repeat: See below 👇
What I can gather from that Guardian article is that “a source with knowledge of upcoming EU methane legislation said it ‘covers all flares, not just those detectable by satellite’.”
The cat is catching up while the mice had a party 🧀
How can the cat avoid the Mouse-Fest all together?
One of the answers might be “Red-Teaming” 👇
Regulatory Red-Teaming: Becoming the Mouse
As a reminder, regulators try to prevent market failures.
Prevention means “before harm occurs” and not “after the everything has been pillaged.”
Red Teaming 101
The concept of a “Red Team” stems from the Cold War Era.
It was an attempt of the US Government (“Blue Team”) to anticipate and prepare for the possible actions of its antagonist - the Soviet Union (“Red Team”).
Among other things, an internal Red Team would do the following:
🪖 Simulation & War Gaming: Test adversary actions/responses in a contained scenario.
🔐 Pen(etration) Testing: Attempt to exploit vulnerabilities of the Blue Team (i.e. exploits in the code base).
🤺 Alternative Analysis: Take the opposing position in arguments/assumptions to uncover blind spots.
The objective of this exercise is to stress-test your own position.
Could this be useful in regulatory law? I sure think so.
Regulatory Red-Teaming: Becoming the Mouse
Disclaimer: Regulatory matters are infinitely more complex than I could understand. This is not a critique but an attempt check if there are areas of improvement. IF you are a policy pro and want to correct my false assumptions, please reach out to me. I’m here to learn and would love to talk.
In the EU, the creation of a policy includes round tables, expert consultations, and dedicated expert groups.
BUT I don’t know whether any of these groups have a Red-Team Mandate 🔴
IF NOT, THEN the following guidelines could be considered:
🎯 Clear Objective: Conduct Red-Team Activities to stress-test the policy objective.
Simulation: Think of creative ways to circumvent/subvert the policy.
Pen Testing of the Legal Acts: Search for sections of the policy, which give room for interpretation and are misaligned with the policy objective.
Alternative Analysis: Play Devil’s Advocate and see whether the core assumptions of the policy objective are incorrect, inefficient (e.g. renewable hydrogen-blending // p.22-23), or ineffective.
🦅 Independence: Red-Team should be staffed from external experts, which are not free from the internal incentives/politics/etc. of the regulator (e.g. European Commission; Parliament/Council; Regulatory entities; etc.)
🧠 Expertise: Ideally, the Red-Team is staffed by former mice who have been on the other side of the table.
You have to become the mouse to beat the mouse 🐁
Conclusion: Red-Team Yourself 👺
This essay was specifically about anticipating regulatory failure but generally about what it takes to be prepared.
Red-Teaming is a technique that has been used by security professionals for many decades to anticipate and prepare.
The good news: All of us can benefit from it.
Use it in your own organization (e.g. company; research facility; government; etc.) to uncover your blank spots and increase your chances of success.
Good luck in playing your own Cat-and-Mouse-Game 🪤
🙏 Thanks, Anastasis for sending me that Guardian article.
Thanks, Ben, Sara, and Gniewko for spitballing this piece.
Get in touch via Linkedin if you want to chat about ideas, projects, or a potential collaboration✌️