As the summer winds to a close, there are several bills in Congress that have implications for the nation’s cybersecurity. Thanks to Hunton & Williams for the update, along with some of my notes.
The Grid Reliability and Infrastructure Defense (“GRID”) Act
In class we will watch the video that made the rounds a few years ago about a power grid smoking and malfunctioning from a test cyberattack. The U.S. Congress has been working on various bills to speed the response to such attacks. The GRID Act was passed by the House on June 9, 2010. This bill would amend the Federal Power Act to grant the Federal Energy Regulatory Commission (“FERC”) authority to issue emergency orders requiring critical infrastructure facility operators to take actions necessary to protect the bulk power system. Prior to FERC issuing such an order, the President would have to issue a written directive to FERC identifying an imminent threat to the nation’s electric grid. FERC would be required to consult with federal agencies or facility operators before issuing an emergency order only “to the extent practicable” in light of the nature of the threat. On Aug 5, the Committee on Energy and Natural Resources ordered The GRID Act to be reported with an amendment in the nature of a substitute favorably.
The American Clean Energy Leadership Act
On the other side is the American Clean Energy Leadership Act. Unlike the GRID Act, The American Clean Energy Leadership Act would grant FERC the authority to issue orders only to electric infrastructure operators, and would not be contingent on a presidential directive. The bill had a chance to pass – until the climate change negotiations broke down in the Senate. This Act would also amend the Federal Power Act to grant FERC authority to issue emergency orders without notice or hearing in order to protect the electric grid from “cybersecurity vulnerabilities,” which are defined as weaknesses or flaws in design or operation that expose the energy grid to cybersecurity threats. The bill would grant the Secretary of Energy similar authority to issue emergency orders in the event of an imminent threat that could disrupt the operation of the nation’s electric grid.
Protecting Cyberspace as a National Asset Act of 2010
This has been referred to as the “Internet Kill Switch” Act. The Senate Homeland Security and Government Affairs Committee passed the Protecting Cyberspace as a National Asset Act of 2010 on June 24, 2010. The bill is massive (197 pages) and requires the Department of Homeland Security (“DHS”) to coordinate its response to cyber emergencies with agencies and regulators that have jurisdiction over critical energy infrastructure. The act aims to leverage the utility expertise of public-private partnerships and the law enforcement and intelligence gathering expertise of DHS to assess threat levels before requiring action that could have operational consequences for the nation’s electric grid. It would also see the creation of a new agency within the Department of Homeland Security, the National Center for Cybersecurity and Communications (NCCC). Any private company reliant on “the Internet, the telephone system, or any other component of the U.S. ‘information infrastructure'” would be “subject to command” by the NCCC, and some would be required to engage in “information sharing” with the agency. There is no companion bill introduced in the House yet. Can it make it? Maybe.
The Cybersecurity Enhancement Act of 2010
The Cybersecurity Enhancement Act of 2010 which has broad bipartisan support, passed the House of Representatives in February. This is one of the more interesting pieces of cybersecurity legislation because it does not create emergency government authority for cybersecurity threats, nor does it specifically address the energy or utility industries. Instead, the act charges the National Institute of Standards and Technology and the National Science Foundation with addressing several issues pertaining to cybersecurity, including: 1) public education and security awareness; 2) interoperability and standards; 3) research and development investment objectives; and 4) cybersecurity workforce development. This could mean jobs for all of the students presently enrolled in our classes. The bill is currently under consideration in the Senate Committee on Commerce, Science and Transportation.
As the class continues through the semester, we will continue to watch for any changes in the status of these bills.