• That’s the average figure for PG&E residential bills, according to a new report from the California Earthquake Authority. For SCE and SDG&E customers, wildfire-related charges account for 17% and 14% of monthly costs, respectively. These surcharges cover prevention measures and utility liabilities from past fires…and they could keep piling up without any interventions.

• The ripple effects: California residential rates, among the country’s highest, already rose 37% between 2020 and 2025. Now, the report warns that rising electricity costs threaten the state's electrification goals. After all, higher bills make switching to EVs, heat pumps, and electric water heaters a harder sell. 

• The fix? As part of the solution, the report recommends eliminating utility liability for fires without evidence of negligence (a strict legal standard that’s unique to California). That would require amending the state constitution—a heavy political lift.

• What happened? The $4.5B wind project off Martha's Vineyard began initial operations in February (after federal judges overturned the White House’s construction halt). Days later, GE Vernova’s subsidiary introduced another hurdle: The company threatened to axe its $1.3B turbine supply agreement, citing unpaid balances. 

• Last week, Vineyard Wind filed a lawsuit accusing GE Vernova of improperly terminating their agreements. The project developers said they had the right to withhold roughly $308M over GE's "admittedly poor performance," including a blade that collapsed into the waters off Nantucket in 2024.

• The technology has long proven too pricey to deploy. Now, the AI frenzy could shift the equation: At least five US projects aim to pair carbon capture with data center-linked natural gas plants. Up to $80B could flow into gas-plus-CCS buildouts, BCG estimates. 

• Why it matters: Recently, hyperscalers have leaned harder on gas…even as they cling to climate commitments. Carbon capture could reconcile those two realities. And if it works out here, the concept could spread globally.

• Major caveats: That’s a major “if.” No US natural gas plant currently operates with carbon capture, despite years of ambitions. Upfront costs remain steep, and time is ticking—a federal carbon capture tax credit expires in 2033.

• By the numbers: Annual coal retirements have fallen sharply since 2022, when 13.7 GW went offline. In 2025, just 2.6 GW of the planned 8.5 GW actually shut down. Meanwhile, operators delayed 4.8 GW of retirements and canceled 1.1 GW—and DOE emergency orders kept an additional 3.2 GW online across five plants. 

• As for this year? Operators plan to retire 6.4 GW, roughly 4% of the remaining US fleet. But given the pattern of delays, cancellations, and DOE interventions, that number deserves an asterisk. PS: Want to learn all about the politics behind coal’s “comeback?” Tune into our recent Power Perspectives episode.

In this session, we will explore how utilities can close the gap between inspection and repair by connecting field data, workflows, and follow-up work into a single, streamlined process. Using a real-world example from Modesto Irrigation District (MID), we’ll show how modernizing inspection workflows and automating assignments enables teams to move from reactive response to proactive maintenance.

Panel:

• Eric Kappmeier, Information Technology Supervisor – Operational Applications, Modesto Irrigation District

• Ian Martin, Executive Consultant, 3-GIS

• Keith Hupperts, Sr. Product Manager, 3-GIS

Solar energy system contractors and battery manufacturers have recently expanded their efforts to include battery storage capacity in residential and small commercial solar installations. Some are even teasing the idea of going off the grid. Adding a storage battery to a solar system is not a trivial expense. The typical installed cost of a single Tesla Powerwall 3, with a 13.5 kWh storage capacity, ranges from $12,000 - $16,000. Under cold weather design conditions this battery would power a 3 refrigerant ton (RT) heat pump for approximately 4 hours during a grid failure. Tesla Powerwall 3 battery systems can be configured in up to 4 unit arrays, which could power the 3RT heat pump overnight under design conditions, though at an installed cost of approximately $50,000.

Going off grid, particularly in a northern climate, is a very different proposition. Winter storm Fern blanketed much of the US Northeast with multiple inches of snow and also more than an inch of sleet in some locations. Persistent cold weather allowed the snow and sleet to remain for 10 or more days. In one specific case in Maryland, an 18.5 kW residential solar system “didn’t produce enough output to power a 100-watt light bulb” for 10 days. That solar system is not operating off the utility grid, but it provides an opportunity for an interesting illustration of the requirements of off grid solar system design.

The system owner reported that the solar system, though rated at 18.5 kW, has not ever generated more than 17 kW at peak. On the day of my visit in late March, under conditions of bright sunshine and cold temperatures, the system was generating approximately 14 kW. Power generated in excess of site demand was delivered to and “stored” by the serving utility and redelivered overnight to meet site demand. Had the system not been connected to the grid, storage capacity of approximately 50 – 60 kWh would have been required to store excess daytime system output for use overnight. That would require storage capacity equivalent to 4 Tesla Powerwall 3 units and would have increased system installed cost by approximately 60 – 70%.

However, continued off grid operation over a period of 10 days of very cold weather and continuous snow cover, as was experienced at the site during winter storm Fern, would have required storage capacity of approximately 1,100 kWh, or the equivalent of 83 Tesla Powerwall 3 units, at an installed cost of approximately $1,000,000. System generating capacity would also have to be increased significantly to provide sufficient output in excess of contemporaneous demand to recharge storage rapidly to prepare for potential future adverse weather conditions. The cost of the storage required to power the site through the 10-day solar generation interruption would be approximately 10 times the cost of the solar array.

The situation at this site is a microcosm of the situation for a renewable plus storage grid exposed to the same or similar weather conditions. Source of opportunity power generated by solar, wind or both might be relatively inexpensive, but reliable power from these sources based on battery storage is relatively expensive.

Originally published here.

As regional conflicts continue to expose the fragility of global oil and gas routes, China’s two-decade-long investment in Central Asian infrastructure is finally paying dividends. My latest analysis explores how Kazakhstan, Uzbekistan, and Turkmenistan are moving beyond Moscow’s orbit to become the "clean" exit routes for energy demand over the next decade.

Key Industry Takeaways:

• Infrastructure over Ideology: Beijing hasn't just signed contracts; they have built the physical pipelines (like the Central Asia-China gas line) that create long-term structural dependencies.

• The Russian Decline: With the Caspian Pipeline Consortium (CPC) facing constant geopolitical and technical hurdles, Central Asian producers are aggressively seeking eastern and southern alternatives.

• Western Sidelining: While Western capital remains focused on ESG and short-term returns, state-backed Chinese firms are securing 30-year energy security "insurance policies" through massive grid and pipeline build-outs.

The Question for Energy Professionals: As the "Middle Corridor" gains traction, how should Western energy firms recalibrate their risk assessments for infrastructure projects in former Soviet territories?

Read the full analysis at Forbes: https://www.forbes.com/sites/kensilverstein/2026/04/12/central-asia-the-new-energy-battleground-not-on-your-radar/

Normally right now I would be writing about the geopolitical implications of the war with Iran, and I am sure I will again soon. But I want to interrupt that thought to highlight a stunning advance in artificial intelligence — one that arrived sooner than expected and that will have equally profound geopolitical implications.

Of course, he went on to describe Anthropic’s blog post on their new tool called Claude Mythos, which is part of “Operation Glasswing”. He wrote:

As Anthropic said in a written statement on Tuesday, in just the past month, “Mythos Preview has already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser. Given the rate of A.I. progress, it will not be long before such capabilities proliferate, potentially beyond actors who committed to deploying them safely. The fallout — economics, public safety and national security — could be severe.’’

While I have great respect for Friedman for his writing on foreign affairs, I’ve only seen one piece from him dedicated to a technology topic (AI, of course). I found that underwhelming, to say the least. In that piece, he seemed to be saying that a) AI is going to take over the world (of course! Even the companies with the most to gain from the success of AI are forecasting it! Why would they want to exaggerate what AI is capable of?😊); b) therefore, we need to stop competing with China and join forces with them to make sure these AI supermodels don’t fall into the wrong hands. Even setting aside the fact that technology genies are extremely hard to keep in a bottle, Friedman’s assertion seemed to me

on a par with President Trump’s suggestion during his first term that the US should cooperate with Russia on cybersecurity. That would be like Medieval Europe cooperating with Genghis Khan for defense against invaders from the East.

Nevertheless, I must admit that last Thursday I fell for Friedman’s breathless reporting - hook, line and sinker. Moreover, as I started reading the cybersecurity newsletters, I realized that Friedman was hardly an outlier. Lots of cybersecurity experts seemed to take a similar view to his: Mythos is such a powerful tool that Anthropic is truly doing the world a huge favor by not releasing it publicly (although the fact that they’re making it available to “a limited consortium of roughly 40 technology companies, including Google, Broadcom, Nvidia, Cisco, Palo Alto Networks, Apple, JPMorgan Chase, Amazon and Microsoft” is IMO hard to distinguish from public release. Requiring employees of all those companies to protect access to Mythos isn’t likely to succeed for very long, to say the least).

Fortunately, rather than immediately write my own fawning post on Mythos, I decided to wait for last Friday, when the biweekly meeting of the OWASP SBOM Forum, a group I have been leading since 2022, was scheduled. Many people in that group (and perhaps all 160 of them) know much more about software security than I do; I wanted to hear their opinions. However, I thought it was safe to assume they would mostly agree with what Friedman said: Anthropic is doing the world a huge favor by not unleashing Mythos. What great humanitarians they are!

As it turns out, I was correct that the group would largely agree regarding Mythos, but I was quite wrong in assuming they would agree it was a superweapon that needed to be secreted in some dark dungeon, with just a few well-trained handlers allowed to access it. Instead, the people in the meeting (around twenty) quickly coalesced around the idea that Mythos seems to be a good tool, but it is hardly the unstoppable force of nature that Anthropic makes it out to be – in fact, it’s just one good AI-based vulnerability identification tool among many available today. Here are some of the reasons for this opinion:

1.      Sure, Mythos discovered a lot of vulnerabilities, but it’s inevitable that a lot of them will turn out to be junk, as is the case with many vulnerabilities reported today (even some that are accepted by the CVE program). During the meeting, one of the participants looked up the FreeBSD vulnerability that Anthropic referred to in their blog post; he quickly explained why this isn’t a real vulnerability (don’t ask me to repeat what he said, but I know him well and trust both his ethics and his technical chops).

2.      In fact, this person went on to point out that it’s often a purely subjective decision whether a new CVE counts as a vulnerability at all. Just because a piece of code can be manipulated to produce a result not intended by the developer, this doesn’t mean the result is harmful. However, a lot of less knowledgeable people, Friedman being one of them, assume that every vulnerability needs to be patched or otherwise neutralized. Of course, this leads to huge wasted effort by organizations trying to make themselves safe from cyber attacks.

3.      Anthropic’s blog post referred to some of the vulnerabilities that were found as “high severity”; this usually means they have a CVSS Base Score between 9.0 and 10.0 (the maximum). However, the severity of a vulnerability – i.e., how big the impact would be on an organization if an attacker exploited that vulnerability to attack them – varies widely among organizations, as well as among systems attacked. For example, if an attacker compromises a system that is key to operating a nuclear power plant, that could have a huge impact. However, if the attacker exploits the same vulnerability to compromise a system used to publish menus for the company cafeteria, the impact will obviously be minimal.

4.      Even if an attack would cause a large impact, it may be very unlikely to occur. There are many reasons why this could be the case, including that the vulnerability is difficult to exploit. The CVSS Base Score is intended to measure the impact of successful exploitation of the vulnerability, not the likelihood that it will happen.  Since risk is a combination of likelihood and impact, a high severity vulnerability that has only a small likelihood of occurring poses little risk to the system in which the vulnerability is present.

5.      Of all CVEs ever published, only a small percentage of those (the estimates I’ve seen are between 1 and 6 percent) are every exploited in the wild. Of course, it’s impossible to know up front whether a CVE will ever be exploited, but it is possible to follow over time whether the likelihood that it will be exploited is increasing, decreasing, or staying the same, by looking at factors such as the availability of exploit code. This is the purpose of the CVSS Temporal Score. However, it isn’t a “one and done” score like the Base Score; rather, it is always changing and requires each organization to track exploitation data on its own. Few end user organizations track that information today; instead, they simply look at the Base Score, which is widely available[i].

6.      It seems that a lot of vulnerabilities described in Anthropic’s post are vulnerabilities in open source components of products like Windows, not in the code written by the developer of the product. For example, at least 90% of the code in a product like Windows consists of components that weren’t created by Microsoft (the average software product includes hundreds of components, almost all open source. However, Windows probably contains at a minimum tens of thousands of components). However, just because a component is vulnerable to a CVE doesn’t mean the product it’s included in is also vulnerable; there are many reasons this can be the case, including that the product’s developer fixed the component before incorporating it into their product. In fact, it’s likely that only about one percent of component vulnerabilities (i.e., vulnerabilities listed for the component in a vulnerability database) are exploitable in the product itself.

7.      When you combine the above fact with the fact that only 1-6% of CVEs are ever exploited in the wild, you realize that only between .01 and .06 percent of component vulnerabilities are likely to be exploitable in the product itself (i.e., the likelihood of a component vulnerability being exploitable in the product is .0001 to .0006). This means it’s almost 100% certain that a developer will be wasting its time developing a patch for a vulnerability found in a component included in their product, unless they are certain the vulnerability is in fact exploitable in the product.

Michael Herzog pointed to this (quite technical) blog post by AISLE, a firm that sells “an end-to-end autonomous Cyber Reasoning System that finds, fixes, and verifies vulnerabilities at machine superhuman speed and scale.” Of course, they are in some ways a competitor of Anthropic, so you need to take what they say with a grain of salt. However, their reasoning (to the extent I can understand it) seems to be good, and they document their statements with evidence, including test results.

The post makes these points:

1.      Under the heading, “Can models distinguish real vulnerabilities from false positives?”, the post states, “A tool that flags everything as vulnerable is useless at scale. It drowns reviewers in noise…False positive discrimination is a fundamental capability for any security system.” It also says, “We tested over 25 models across every major lab. The results show something close to inverse scaling: small, cheap models outperform large frontier ones” (meaning models like Mythos that purport to push the boundaries of the tradecraft).

2.      One of Mythos’ most important capabilities is to design exploits for vulnerabilities it discovers. However, some of the exploits that Mythos designed were based on chained vulnerabilities, in which one vulnerability is exploited, followed by one or more other vulnerabilities. The problem with this is that, if any one of the vulnerabilities in the chain isn’t reachable in the software product that’s attacked or if it’s already been patched, the chained exploit usually won’t work. Like drawing a royal flush in poker, an exploit that requires multiple coincidences to work has a low likelihood of succeeding. Thus, it isn’t a real threat.

3.      AI models used for cybersecurity are “jagged”, meaning that different models perform better in different circumstances and when different objectives need to be achieved. While Mythos outperformed other models in two or three tasks, it underperformed in others. Clearly, it is far from being the unstoppable juggernaut that Anthropic makes it out to be.

4.      Some of the tools that outperformed Mythos in accomplishing particular tasks cost much less than Mythos will probably cost if it’s ever released. The prices of Anthropic’s other products are generally on the high end of the software security tool space.

5.      Cost of a tool is important, because AISLE believes that the real value in AI-aided cybersecurity tools isn’t the model that’s behind the tool, but rather the whole system in which the tool is used. For example, AISLE found it’s better to have a lot of cheap and fast models (tools) scanning everything in sight, rather than rely on a single expensive model (presumably like Mythos) and hope it will look for vulnerabilities in the right places.

Reading and hearing all the above made me realize that, while Mythos is clearly a very capable product, it certainly isn’t the all-powerful wizard that Anthropic makes it out to be. This was driven home by a very interesting 2019 article in Slate, which Jon Darakian posted in the chat during the meeting. The first two paragraphs of that article read:

Last week, the nonprofit research group OpenAI revealed that it had developed a new text-generation model that can write coherent, versatile prose given a certain subject matter prompt. However, the organization said, it would not be releasing the full algorithm due to “safety and security concerns.”

Instead, OpenAI decided to release a “much smaller” version of the model and withhold the data sets and training codes that were used to develop it. If your knowledge of the model, called GPT-2, came solely on headlines from the resulting news coverage, you might think that OpenAI had built a weapons-grade chatbot. A headline from Metro U.K. read, “Elon Musk-Founded OpenAI Builds Artificial Intelligence So Powerful That It Must Be Kept Locked Up for the Good of Humanity.” Another from CNET reported, “Musk-Backed AI Group: Our Text Generator Is So Good It’s Scary.” A column from the Guardian was titled, apparently without irony, “AI Can Write Just Like Me. Brace for the Robot Apocalypse.”

The article goes on to point out that OpenAI’s “concern” about releasing GPT-2 was very likely just marketing hype. Of course GPT-2 was released, followed by other versions up to today’s GPT-5.4. However, as of 8:17AM Central Time on April 13, 2026, I can confidently state that no release of Chat GPT has led to the end of civilization as we know it (so far, anyway).

What’s even more interesting is that the founders of Anthropic, Dario and Daniela Amodei, were part of OpenAI in 2019 when that marketing ploy was tried (and apparently succeeded for a time). They left by 2021, bringing about ten other key employees with them. It seems they learned a few marketing lessons at OpenAI, not just technology lessons, although last week they alarmed many people far removed from the small tech ecosystem that was following OpenAI in 2019.

Of course, I’m not saying there’s anything wrong with Anthropic hyping a product. However, people like me and Tom Friedman need to be careful not to get too excited by this hype. In fact, I can confidently state that if you receive any email from me in the future that forecasts a possible AI Apocalypse (or any other apocalypse, including the Zombie Apocalypse), you should delete that email and return to whatever you were doing. And please send me a link to this post after you do that.

Tom Alrich’s Blog, too is a reader-supported publication. You can view new posts for two months after they come out by becoming a free subscriber. You can also access all my 1300 existing posts dating back to 2013, as well as support my work, by becoming a paid subscriber for $30 for one year (and if you feel so inclined, you can donate more than that and/or become a founding subscriber for $100). Whatever you do, please subscribe. 

If you would like to comment on what you have read here, I would love to hear from you. Please comment below or email me at tom@tomalrich.com.

[i] Although many CVE records published in the past two to three years contain no CVSS Base score at all. That’s another problem with CVE.