Prudence Parks's blog

Prospects for Cyber Legislation Dimmed by Privacy Concerns

A letter to Senate Majority Leader Reid (D-NV), cosigned by 30 privacy and civil liberties advocacy groups, has raised serious concerns about the lack of privacy protections for personally identifiable information shared with the government under cybersecurity legislation soon to be taken up by the Senate. This issue is yet another hurdle to getting the 60 votes needed for the Senate to proceed to Floor consideration of the bill, and may prove to be a major factor in whether cybersecurity legislation is enacted this year.

The Cybersecurity Act of 2012, sponsored by Sens. Lieberman (I-CT) and Collins (R-ME), would give the Department of Homeland Security lead authority to oversee the flow of information, including sharing information provided by the private sector with the National Security Agency. The 30 cosignatories of the letter believe this gives the intelligence community the ability to access and collect individuals' personal information. Moreover, the bill allows the government to use the information for criminal investigations and prosecutions unrelated to cybersecurity, and provides overly broad immunity for those sharing the information.

The bill recently passed by the House, the Cyber Intelligence Sharing and Protection Act of 2012, came under similar criticism and, even though amendments that sought to address those concerns were added before passage, there is continuing debate about whether they went far enough.

In addition to privacy concerns, there is a great deal of disagreement over whether DHS should be put in charge of the nation's cybersecurity efforts and enforcement. The Lieberman bill would give DHS the authority to conduct risk assessments of “covered critical infrastructure” – sectors considered most critical to the nation’s economy and security, such as the electric grid and water systems – and to impose mandatory risk-based performance standards enforced through third-party audits. An alternative approach, sponsored by Sen. McCain, focuses on incentivizing voluntary information sharing between the government and the private sector to address the cyber threat, similar to the bill passed by the House last month. Majority Leader Reid hopes to bring the cybersecurity measure to the Floor in late May or early June.

In the meantime, White House officials, including DHS and the National Security Council, provided a Senate briefing on cyber attacks on natural gas pipelines. The attacks involved spear phishing: an email attachment was used to gain entry to the companies' computer networks, and the email appeared to come from someone known to the recipient. It has also been reported that the pipeline companies were aware of the intrusion, notified authorities, and were told to allow the attack to continue so that proper forensics and attribution could be conducted. Caitlin Hayden, a spokeswoman for the White House National Security Council, said senior administration officials met with Senate staffers on Monday to brief them on the cyber threats facing critical infrastructure. Hayden noted that the briefing was "intended to provide staff with an appreciation for the cyber threat facing the nation as the Senate prepares to consider new legislative authorities that could help the United States Government prevent and more quickly respond to cyber intrusions and attacks." The White House has endorsed the Lieberman bill.

House Passes Cybersecurity Legislation

By a bipartisan vote of 248 to 168, the House has passed HR 3523, the Cyber Intelligence Sharing and Protection Act (CISPA). The bill now proceeds to the Senate which intends to take up cybersecurity early next month.

CISPA focuses on promoting better information sharing between the private sector and the federal intelligence community, and specifically includes utilities among the entities with whom this information should be shared. Unlike some of the other cyber bills that have been proposed, it adds no additional layers of regulation and does not make DHS the federal overseer of critical infrastructure cybersecurity protections.

UTC has long been a proponent of better processes for sharing classified cyber threat information with the owners and operators of our nation's energy and water critical infrastructure, and has worked in concert with other industry trade associations and groups in support of this legislation. We do not propose that this is a panacea, but it is an important component of a comprehensive cybersecurity ecosystem. In combination with the NERC CIP standards and the cooperative public-private partnership framework of the Department of Homeland Security (DHS), UTC is dedicated to supporting a flexible and dynamic framework to protect our systems from cyber threats and vulnerabilities.

The bill had come under criticism both from the White House, which supports imposing additional requirements on critical infrastructure and putting DHS in charge of federal cybersecurity policy, and from civil libertarian groups on privacy grounds.

The margin of passage, including 42 Democrats, is significant in light of the veto threat of the White House should the bill in its current form reach the President's desk.

Several less controversial cybersecurity bills concerning research and development, training, public awareness, and securing federal networks and IT were also passed by the House.

The action now moves to the Senate, where two bills are expected to take center stage: the Lieberman bill, which takes a more regulatory approach and establishes the Department of Homeland Security (DHS) as the lead federal agency on cybersecurity, and the McCain bill, which is similar to the voluntary information sharing approach of the House-passed CISPA.

House Homeland Committee Passes PreCISE Act in time for Cyber Week

The House Homeland Security Committee has approved, on a party-line vote of 16 – 13, a cybersecurity bill which will join the roster of bills expected to be brought up for Floor consideration in the House next week as part of Cyber Week. Unlike the bill approved by the Subcommittee last month, this bill relegates DHS to a coordination/facilitation/consultation role with other federal agencies and departments on federal cybersecurity matters by retaining the current federal agency and department authority structure. Risk assessments and technical assistance would be provided only upon request of critical infrastructure owners and operators. Moreover, information sharing between the private sector and DHS would remain voluntary, thus reaffirming the DHS public/private partnership framework.

The final bill designates the National Cybersecurity and Communications Integration Center (NCCIC) as the DHS focal point for information sharing among the federal government, the intelligence community, the Department of Defense and the private sector. An Advisory Board, composed of 11 representatives of the private sector, 2 representatives from the privacy and civil liberties community, and the chair of the National Council of Information Sharing and Analysis Centers (ISACs), would act as an advocate for the private sector in improving the operations of the NCCIC.

HR 3674 had been criticized for inadequate privacy protections. To assuage these concerns, an amendment offered by Rep. McCaul was adopted to clarify the legally permissible cybersecurity activities of DHS regarding the collection, interception, retention, and dissemination of communications and system traffic, including compliance with written guidelines approved by the Attorney General. Many in the privacy community believe even these added protections do not go far enough.

In explaining his decision to support the revised version instead of the bill approved by his Subcommittee, Rep. Lungren said that the “support of private sector stakeholders evaporated when they saw what was happening in the Senate”, a reference to the regulatory approach of the Lieberman bill, which Majority Leader Reid intends to bring up in the Senate. However, he went on to say that House Leadership has agreed to bring up the original subcommittee bill if that private sector support can be regained. Rep. Peter King, chair of the Committee, emphasized that, in the interests of retaining a seat at the table and a role for the Committee in the deliberations and the final legislation passed by the House, the bill had to be revised before House Leadership would allow it to be brought to the Floor.

The Senate intends to turn its attention to cybersecurity in early May.

The revised version of HR 3674 (referred to as an Amendment in the Nature of a Substitute) adopted at the mark-up, the Section by Section Analysis of the bill as brought up for mark-up, the amendments adopted at the mark-up, and an archived video of the mark-up session can be found at: http://homeland.house.gov/markup/markup-hr-3674-promoting-and-enhancing-cybersecurity-and-information-sharing-effectiveness

House Subcommittee Approves Cybersecurity Legislation, Concerns Remain About Critical Infrastructure Oversight Provisions

On February 1, the House Homeland Security Subcommittee on Cybersecurity approved by voice vote an amended version of HR 3674, the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness (PRECISE) Act of 2011. In keeping with the House Cybersecurity Task Force Report released last year, the bill focuses on improving and incentivizing information sharing on cyber threats and incidents between the government and critical infrastructure. PRECISE would establish DHS as the lead federal agency for the coordination of federal and critical infrastructure cybersecurity efforts, the development of a national cybersecurity strategy, and the formulation of voluntary cybersecurity guidelines.

DOE Launches Electric Sector Risk Management Project

In collaboration with the White House, the Department of Homeland Security (DHS) and electric company senior executives, the Department of Energy (DOE) formally launched a new initiative to develop a more comprehensive and consistent approach to protecting the nation's electric grid. Through the initiative, called the Electric Sector Cybersecurity Risk Management Maturity Project, DOE is seeking to leverage private industry and public sector expertise to develop an adaptable and scalable model for measuring current capabilities and analyzing gaps in cyber defenses. The model will be based on a cybersecurity risk management process guideline developed with public and industry input and finalized in October 2011.

In a statement accompanying the project launch, White House Cyber Security Coordinator Howard Schmidt commented, "This effort will be focused on performance-based strategies and concrete steps to measure progress of cyber security in the electric sector. It is important to understand the sector's strengths and remaining gaps across the grid to inform investment planning and research and development, and enhance our public-private partnership efforts."

A series of workshops with industry representatives is planned over the next several months to draft the maturity model. A pilot program to test the model's effectiveness and validate results is planned for late spring/early summer, with about a dozen electric utilities and grid operators participating. Based on the results of the pilot program, a final risk management maturity model is expected to be made available to the entire electric sector in late summer.

Spectrum Bill Rolled Into House GOP Payroll Tax Bill

The Jumpstarting Opportunity with Broadband Spectrum (JOBS) Act, passed by the House Energy and Commerce Subcommittee on Communications last week, has been rolled into a House Republican bill unveiled today to extend the payroll tax cut and unemployment benefits into 2012. The JOBS Act, introduced by Rep. Greg Walden (R-OR), includes provisions for non-public safety entities to access the 700 MHz public safety broadband network - a key issue for utilities. The legislation allocates the spectrum to public safety agencies, but would require first responders to give back the 14 MHz of narrowband spectrum they are currently using. It would set aside about $6.5 billion for that network. House and Senate committee staff are already working to iron out differences between the JOBS Act and S. 911, passed by the Senate Commerce Committee last July. Those differences concern the governance structure, the amount of funding for network construction, maintenance and operations, and the public safety narrowband spectrum reallocation. A Senate staffer noted that the House and Senate are close to agreement. UTC is working with committee staff to ensure that utilities are provided an opportunity to partner with public safety in the network buildout and operations.

House Communications Subcommittee Holds Mark-up Of Spectrum Bill

The House Subcommittee on Communications of the House Energy and Commerce Committee held a mark-up of spectrum legislation introduced by Rep. Walden (R-OR) which includes provisions for non-public safety entities to access the 700 MHz public safety broadband network - a key issue for utilities. The bill, entitled the "Jumpstarting Opportunity with Broadband Spectrum Act of 2011" or the "JOBS Act of 2011," provides that each State may negotiate with private sector entities to construct, manage, maintain and operate the network. Furthermore, the private sector partners could be allowed under contract to access the network to provide services that are not "public safety services," as well as to share infrastructure (including antennas and towers) with public safety entities. In addition, the bill provides that the Administrator of the National Public Safety Communications Plan may contract with non-public safety entities to permit access in order to promote interoperability between those non-public safety entities and public safety entities during emergencies.

Thus, there are effectively two options for utilities and other non-public safety entities to access the 700 MHz public safety broadband network (i.e. through partnership or contract), but there are conditions.

Mark-up of Spectrum Bill Slated for December 1

Rep. Greg Walden, chair of the Subcommittee on Communications of the House Energy and Commerce Committee, has announced that the subcommittee will hold a mark-up of spectrum legislation on Thursday, December 1. The bill, named the Jumpstarting Opportunity with Broadband Spectrum (JOBS) Act of 2011, will include spectrum to be auctioned for commercial wireless services, as well as the creation of a Public Safety Broadband Network (PSBN) in the 700 MHz band.

FERC Has Cybersecurity Problems, Says DOE IG

The commission seeking greater authority over the cybersecurity of the nation’s electric grid has security problems of its own. A recently released audit of the Federal Energy Regulatory Commission’s (FERC) unclassified cybersecurity program by the Inspector General (IG) of the Department of Energy (DOE) has revealed much room for improvement. While acknowledging that the commission has improved since DOE’s FY2010 evaluation, the audit cited continued weaknesses in the timely remediation of software vulnerabilities, and failure to implement FERC’s own Vulnerability Management Program (VMP), as the reasons for its findings.

The audit stated that “specifically, we noted that 32 of 70 vulnerabilities we identified were rated ‘high risk’ by the vendor and/or the National Vulnerability Database sponsored by the Department of Homeland Security's National Cyber Security Division.” Nine of the issues identified impacted a significant number of the 45 servers and/or 236 workstations tested, and were primarily associated with third-party productivity and internet applications. “All of the ‘high risk’ vulnerabilities identified were more than 30 days old, including 18 that were missing patches more than 1 year old. Furthermore, we identified several instances where the Commission was using software that was no longer supported by the vendor.”

While FERC budgeted approximately $3.8 million during fiscal 2011 to secure its information technology assets, FERC cited “budget and resource constraints” as the reason for not following its own VMP. In addition, FERC said that some patches were not applied because of adverse operational impacts.

Alternatives to Passage of 700 MHz Legislation Being Considered After Failure of Super Committee

It had been widely expected that the $1.2 trillion package produced by the Joint Select Committee on Deficit Reduction (Super Committee) would include spectrum auctions and fund the creation of a 700 MHz public safety broadband network (PSBN). But on Tuesday, with the committee's formal announcement that an agreement could not be reached, hopes of using that package as a vehicle for the spectrum legislation were dashed. This is the second time that spectrum legislation has failed to pass as part of a larger package; the first was the debt ceiling bill passed earlier this year.

Several legislative vehicles are now being considered, including an omnibus appropriations bill to fund the government for the remainder of FY12, or individual appropriations bills. In the meantime, standalone bills will proceed under "regular order" in both the Senate and the House.

In the House, the Energy and Commerce Committee has been working on a revision of the Republican draft released in July. With the failure of the Super Committee, the committee may resume consideration of the bill, with a possible mark-up in December.

In the Senate, S. 911 was passed by the Commerce Committee but has yet to be scheduled for a Floor vote.

Throughout the deliberations of the Super Committee, and now going forward, UTC has continued to carry its message to key congressional staff and Members about the public policy, operational, and monetary benefits that utilities bring to the table as partners in the construction and operation of the PSBN. Our main focus has been to ensure that utilities can share the 700 MHz spectrum and access the network notwithstanding Section 337 of the Communications Act, and that State or regional partnership agreements between public safety and utilities, including terms related to traffic management, be given federal recognition.

The creation of the PSBN is on the priority list of both Sen. Rockefeller, chair of the Commerce Committee, and Rep. Upton, chair of the Energy and Commerce Committee. Final enactment, whether as part of a larger package or as standalone legislation, is anticipated in the near term.
