
Prospects for Cyber Legislation Dimmed by Privacy Concerns

A letter to Senate Majority Leader Reid (D-NV), cosigned by 30 privacy and civil liberties advocacy groups, has raised serious concerns about the lack of privacy protections for personally identifiable information shared with the government under cybersecurity legislation soon to be taken up by the Senate. This issue is yet another hurdle to getting the 60 votes needed for the Senate to proceed to Floor consideration of the bill, and may prove to be a major factor in whether cybersecurity legislation is enacted this year.

The Cybersecurity Act of 2012, sponsored by Sens. Lieberman (I-CT) and Collins (R-ME), would give the Department of Homeland Security lead authority to oversee the flow of information, including sharing information provided by the private sector with the National Security Agency. The 30 cosignatories of the letter believe this gives the intelligence community the ability to access and collect individual personal information. Moreover, the bill allows the government to use the information for criminal investigations and prosecutions unrelated to cybersecurity, and provides overly broad immunity for those sharing the information.

The bill recently passed by the House, the Cyber Intelligence Sharing and Protection Act of 2012, came under similar criticism and, even though amendments were added that sought to address those concerns before passage, there is continuing debate over whether they went far enough.

In addition to privacy concerns, there is a great deal of disagreement over whether DHS should be put in charge of the nation's cybersecurity efforts and enforcement. The Lieberman bill would give DHS the authority to conduct risk assessments of “covered critical infrastructure” – sectors considered most critical to the nation’s economy and security, such as the electric grid and water systems – and to impose mandatory risk-based performance standards enforced through third-party audits. An alternative approach, sponsored by Sen. McCain, focuses on incentivizing voluntary information sharing between the government and the private sector to address the cyber threat, similar to the bill passed by the House last month. Majority Leader Reid hopes to bring the cybersecurity measure to the Floor in late May or early June.

In the meantime, White House officials, including DHS and the National Security Council, provided a Senate briefing on cyber attacks on natural gas pipelines. The attacks involved spear phishing, using an email attachment to allow a hacker to enter the computer network. The email appeared to be sent from someone known to the recipient. It has also been reported that the pipeline companies were aware of the exploit, notified authorities, and were told to allow the attack to continue so that proper forensics and attribution could be conducted. Caitlin Hayden, a spokeswoman for the White House National Security Council, said senior administration officials met with Senate staffers on Monday to brief them on the cyber threats facing critical infrastructure. Hayden noted that the briefing was "intended to provide staff with an appreciation for the cyber threat facing the nation as the Senate prepares to consider new legislative authorities that could help the United States Government prevent and more quickly respond to cyber intrusions and attacks." The White House has endorsed the Lieberman bill.

Vermont Eliminates Smart Meter Opt-Out Fee; Calls For Reports On Smart Meter Cost-Savings and Security

The Vermont state legislature has voted to eliminate smart meter opt-out fees, requiring state utilities to provide customers an opt-out option for free. As part of its plan to roll out about 160,000 smart meters to customers in its territory, Central Vermont Public Service had proposed to charge customers who chose to opt out of having a smart meter a $10 fee. The recently approved legislation allows customers to "choose not to have a wireless smart meter installed, at no additional monthly or other charge." Customers can ask for the removal of a previously installed wireless smart meter for any reason and must not be charged for the removal. Additionally, the legislation requires utilities to provide prior written notice to customers indicating that the smart meter will use radio or other wireless means for two-way communication between the meter and the company, and informing customers of their rights under the new law. Furthermore, the bill requires studies related to smart meters to be submitted to lawmakers. To that end, the Vermont Department of Public Service is to prepare a report on the cost savings associated with smart meters that also addresses any security breaches arising from the wireless smart meters; the report is due to the legislature by January 1, 2014.

Mark Weatherford, DHS, Comments at Control System Conference

Mark Weatherford, Under Secretary for Cybersecurity at the Department of Homeland Security, offered comments as the morning keynote speaker on the second day of the Industrial Control System Joint Working Group (ICSJWG). Weatherford is the former Chief Security Officer at the North American Electric Reliability Corporation (NERC) and therefore has some knowledge of control systems and their security vulnerabilities. Mr. Weatherford stressed a theme of partnerships and information sharing between industry and government, noting that nearly 85% of the critical infrastructure in the US is owned by the private sector. He stated that we need to raise the nation’s cybersecurity IQ, not only with the general public but also with regulators and Congress. He also acknowledged that cybercrime nets more money for criminals worldwide than the cocaine, heroin and marijuana industries combined. Mr. Weatherford also pointed to the interdependencies among the critical infrastructures in the US: security in the electric sector cannot be accomplished without considering the communications that link electric system devices.

Regarding legislation currently before Congress on this issue, Mr. Weatherford stated that there is a place for government enforcement of cybersecurity standards, but the government should not presume that it can write these standards for control systems. Government must still rely on industry for standards and best practices. When asked if vendors should be held accountable for insecure products, Mr. Weatherford responded that industry is making great strides in delivering secure systems, but users remain accountable for deploying and correctly configuring those systems. If security settings are turned off because they are inconvenient, then the user is to blame, not the vendor.

FERC/NERC Report Blames Poor Planning for 2011 Southern California blackout

The Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) have released a comprehensive report that pins the 2011 Southern California blackout on inadequate planning and grid coordination. Last September, millions of people in Southern California, Arizona and Mexico's Baja California were left in darkness after an employee's work on a transmission line at an Arizona substation triggered a massive blackout. The report dives into the causes of this incident, the areas affected, and the timeline of the system collapse and restoration.

The report’s overall recommendation calls for improving bulk power system operators’ situational awareness through better communication, data sharing and the use of real-time tools. It lists 27 specific recommendations to that end, each addressing specific findings from the investigating team. The full report can be accessed at http://1.usa.gov/KoSCTy

UTC And Other Panelists Describe Wireless Collocation Opportunities/Challenges at FCC Workshop

On May 1, 2012, the Federal Communications Commission held a workshop on wireless collocation featuring panelists, including UTC, who described the opportunities and challenges of collocating wireless facilities. UTC’s Connie Durcsak brought the utility perspective on wireless collocation, and described various ways that electric and water utilities can provide wireless collocation on existing infrastructure. In particular, she highlighted the activities of the UtiliSite Council, a special membership group within UTC that provides support services to commercial wireless carriers and DAS providers for antenna construction and backhaul.

The Commission also noted that it wants the industry and localities to work together to implement provisions in the Middle Class Tax Relief and Job Creation Act of 2012 (Spectrum Act) that streamline the permitting process for wireless collocation. Specifically, section 6409 of the Spectrum Act provides that no state or locality may deny, and must approve, any request involving an eligible facility, i.e. a modification of an existing wireless tower or base station that does not substantially change the physical dimensions of such tower or base station. Jeff Steinberg, deputy chief of the FCC’s Wireless Bureau’s Spectrum and Competition Policy Division, presented a thorough review of the Spectrum Act provisions and said that the Commission strives for industry and local governments to work together to “satisfy both community and industry needs to ensure that the legislation is implemented” without necessarily “stepping in and trying to set prescriptive rules.” The recorded webcast of the workshop can be viewed on the FCC’s website.

Cyber Vulnerability in Critical Industrial Control System Equipment Alarms Security Experts

Following reports about a backdoor login account in its entire line of devices, RuggedCom, a Canadian manufacturer of equipment and software for critical industrial control systems, has announced it will eliminate this vulnerability.

Security experts have raised concerns about this issue, noting that the security problem had been discovered a year ago. The backdoor, which reportedly cannot be disabled, leaves power utilities, military facilities, and municipal traffic departments using the industrial-strength gear vulnerable and could affect millions of indirect users. K. Reid Wightman, an industrial control systems security expert for Digital Bond, told tech blog Ars Technica, "If users are running non-redundant networks, this is probably going to require taking their process offline…so it's not the sort of thing that most users can patch right away—they're going to have to patch it during their normal manufacturing patching cycle, which might be a year."

House Passes Cybersecurity Legislation

By a bipartisan vote of 248 to 168, the House has passed HR 3523, the Cyber Intelligence Sharing and Protection Act (CISPA). The bill now proceeds to the Senate which intends to take up cybersecurity early next month.

CISPA focuses on promoting better information sharing between the private sector and the federal intelligence community, and specifically includes utilities among the entities with whom this information should be shared. Unlike some of the other cyber bills that have been proposed, it adds no additional layers of regulation and does not make DHS the federal overseer of critical infrastructure cybersecurity protections.

UTC has long been a proponent of better processes for sharing classified cyber threat information with owners and operators of our nation's energy and water critical infrastructure, and has worked in concert with other industry trade associations and groups in support of this legislation. We do not propose that this is a panacea, but it is an important component of a comprehensive cybersecurity ecosystem. In combination with the NERC-CIP standards and the cooperative public-private partnership framework of the Department of Homeland Security (DHS), UTC is dedicated to supporting a flexible and dynamic framework to protect our systems from cyber threats and vulnerabilities.

The bill had come under criticism both from the White House, which supports imposing additional requirements on critical infrastructure and putting DHS in charge of federal cybersecurity policy, and from civil libertarian groups, based on privacy concerns.

The margin of passage, including 42 Democrats, is significant in light of the veto threat of the White House should the bill in its current form reach the President's desk.

Several less controversial cybersecurity bills concerning research and development, training, public awareness, and securing federal networks and IT were also passed by the House.

The action now moves to the Senate, where two bills are expected to take center stage: the Lieberman bill, which takes a more regulatory approach and establishes the Department of Homeland Security (DHS) as the lead federal agency on cybersecurity, and the McCain bill, which is similar to the voluntary information-sharing approach of the House-passed CISPA.

Experience with Nebraska Public Safety Shared System Discussed At FCC Interoperability Board Workshop

During a workshop of the Technical Advisory Board for First Responder Interoperability at the Federal Communications Commission this week, Matt Schnell, Supervisor of Telecommunications at Nebraska Public Power District (NPPD), explained that utilities and public safety have been able to successfully share a VHF radio system with the state of Nebraska. He explained how NPPD implemented security through a "private path" on the utility side of the network, with firewalls at all customer touch points. His main point was that interoperability is a process as well as a technical issue: "Teamwork has been critical to the success of the shared network." His full remarks, as well as those of the other panelists during the workshop, are available via streaming video from the FCC Live website.

House Homeland Committee Passes PreCISE Act in time for Cyber Week

The House Homeland Security Committee has approved, on a party-line vote of 16 – 13, a cybersecurity bill which will join the roster of bills expected to be brought up for Floor consideration in the House next week as part of Cyber Week. Unlike the bill approved by the Subcommittee last month, the bill relegates DHS to a coordination/facilitation/consultation role with other federal agencies and departments on federal cybersecurity matters by retaining the current federal agency or department authority structure. Risk assessments and technical assistance would only be provided upon request of critical infrastructure owners and operators. Moreover, information sharing between the private sector and DHS would remain voluntary, thus reaffirming the DHS public/private partnership framework.

The final bill designates the National Cybersecurity and Communications Integration Center (NCCIC) as the DHS focal point for information sharing between the federal government, the intelligence community, the Department of Defense and the private sector. An Advisory Board, composed of 11 representatives of the private sector, 2 representatives from the privacy and civil liberties community, and the chair of the National Council of Information Sharing and Analysis Centers (ISACs), would act as an advocate for the private sector in improving the operations of the NCCIC.

HR 3674 had been criticized for inadequate protection of privacy. To assuage these concerns, an amendment offered by Rep. McCaul was adopted to clarify the legally permissible cybersecurity activities of DHS regarding the collection, interception, retention, and dissemination of communications and system traffic, including compliance with written guidelines and approval of the Attorney General. Many in the privacy community believe even these added protections do not go far enough.

In explaining his decision to support the revised version instead of the bill approved by his Subcommittee, Rep. Lungren said that the “support of private sector stakeholders evaporated when they saw what was happening in the Senate”, a reference to the regulatory approach of the Lieberman bill, which Majority Leader Reid intends to bring up in the Senate. However, he went on to say that House Leadership has agreed to bring up the original subcommittee bill if that private sector support can be regained. Rep. Peter King, chair of the Committee, emphasized that in the interest of retaining a seat at the table, and a role for the Committee in the deliberations and the final legislation passed by the House, the bill had to be revised before House Leadership would allow it to be brought to the Floor.

The Senate intends to turn its attention to cybersecurity in early May.

The revised version of HR 3674 (referred to as an Amendment in the Nature of a Substitute) adopted at the mark-up, the Section by Section Analysis of the bill as brought up for mark-up, the amendments adopted at the mark-up, and an archived video of the mark-up session can be found at: http://homeland.house.gov/markup/markup-hr-3674-promoting-and-enhancing-cybersecurity-and-information-sharing-effectiveness

UTC's Donald Vasek Elected LMCC Vice-President

Donald Vasek, UTC's Director of Spectrum Services, was elected Vice President of the Land Mobile Communications Council (LMCC) Board of Directors at the LMCC's Annual Meeting held on April 18, 2012. Vasek previously served on the LMCC Board as a Director-at-Large from 2010 to 2011, and as Secretary/Treasurer from 2001 to 2010. Additionally, the LMCC formed a TV-band task force to decide how to handle the upcoming transition/clearing of the 470-512 MHz shared TV band, necessitated by the blanket narrowbanding waiver and freeze in that band (see related story). Klaus Bender, UTC's Senior Director of Standards and Engineering, will serve on the task force.
