A letter to Senate Majority Leader Reid (D-NV), cosigned by 30 privacy and civil liberties advocacy groups, has raised serious concerns about the lack of privacy protections in regard to personally identifiable information shared with government under cybersecurity legislation soon to be taken up by the Senate. This issue is yet another hurdle to getting the 60 votes needed for the Senate to proceed to Floor consideration of the bill, and may prove to be a major factor in whether cybersecurity legislation is enacted this year.
The Cybersecurity Act of 2012, sponsored by Sens. Lieberman (I-CT) and Collins (R-ME), would give the Department of Homeland Security lead authority to oversee the flow of information, including sharing information provided by the private sector to the National Security Agency. The 30 cosignatories of the letter believe this gives the intelligence community the ability to access and collect individual personal information. Moreover, the bill allows the government to use the information for criminal investigations and prosecution unrelated to cybersecurity, and provides overly broad immunity for those sharing the information.
The bill recently passed by the House, the Cyber Intelligence Sharing and Protection Act of 2012, came under similar criticisms and, even though amendments were added that sought to address those concerns before passage, there is continuing debate whether they went far enough.
In addition to privacy concerns, there is a great deal of disagreement whether DHS should be put in charge of the nation's cybersecurity efforts and enforcement. The Lieberman bill would give DHS the authority to conduct risk assessments of “covered critical infrastructure” – sectors which are considered most critical to the nation’s economy and security, such as the electric grid and water systems – and impose mandatory risk-based performance standards enforced through third party audits. An alternative approach, sponsored by Sen. McCain, focuses on incentivizing voluntary information sharing between the government and the private sector to address the cyber threat, similar to the bill passed by the House last month. Majority Leader Reid hopes to bring the cybersecurity measure to the Floor in late May or early June.
In the meantime, White House officials, including DHS and the National Security Council, provided a Senate briefing on cyber attacks on natural gas pipelines. The attacks involved spear phishing using an email attachment to allow a hacker to enter the computer network. The email appeared to be sent from someone known to the recipient. It has also been reported that the pipeline companies were aware of the exploit, notified authorities, and were told to allow the attack to continue so that proper forensics and attribution could be conducted. Caitlin Hayden, a spokeswoman for the White House National Security Council, said senior administration officials met with Senate staffers on Monday to brief them on the cyber threats facing critical infrastructure. Hayden noted that the briefing was "intended to provide staff with an appreciation for the cyber threat facing the nation as the Senate prepares to consider new legislative authorities that could help the United States Government prevent and more quickly respond to cyber intrusions and attacks." The White House has endorsed the Lieberman bill.
By a bipartisan vote of 248 to 168, the House has passed HR 3523, the Cyber Intelligence Sharing and Protection Act (CISPA). The bill now proceeds to the Senate which intends to take up cybersecurity early next month.
CISPA focuses on promoting better information sharing between the private sector and the federal intelligence community, and specifically includes utilities as entities with whom this information should be shared. Unlike some of the other cyber bills that have been proposed, it adds no additional layers of regulation and does not put DHS as the federal overseer of critical infrastructure cybersecurity protections.
UTC has long been a proponent of better processes for sharing classified cyber threat information with owners and operators of our nation's energy and water critical infrastructure, and has worked in concert with other industry trade associations and groups in support of this legislation. We do not propose that this is a panacea, but it is an important component of a comprehensive cybersecurity ecosystem. In combination with the NERC-CIP standards and the cooperative public-private partnership framework of the Department of Homeland Security (DHS), UTC is dedicated to supporting a flexible and dynamic framework to protect our systems from cyber threats and vulnerabilities.
The bill had come under criticism from both the White House, which supports additional requirements being imposed on critical infrastructure as well as putting DHS in charge of federal cybersecurity policy, and civil libertarian groups based on privacy concerns.
The margin of passage, including 42 Democrats, is significant in light of the veto threat of the White House should the bill in its current form reach the President's desk.
Several less controversial cybersecurity bills concerning research and development, training, public awareness and securing federal networks and IT were also passed by the House.
The action now moves to the Senate where two bills are expected to take center stage: the Lieberman bill, which takes a more regulatory approach and establishes the Department of Homeland Security (DHS) as the lead federal agency on cybersecurity, and the McCain bill, which is similar to the voluntary information sharing approach of the House-passed CISPA.
The House Homeland Security Committee has approved on a party line vote of 16 – 13 a cybersecurity bill which will join the roster of bills expected to be brought up for Floor consideration in the House next week as part of Cyber Week. Unlike the bill approved by the Subcommittee last month, the bill relegates DHS to a coordination/facilitation/consultation role with other federal agencies and departments on federal cybersecurity matters by retaining the current federal agency or department authority structure. Risk assessments and technical assistance would only be provided upon request of critical infrastructure owners and operators. Moreover, information sharing between the private sector and DHS would remain voluntary, thus reaffirming the DHS public/private partnership framework.
The final bill designates the National Cybersecurity and Communications Integration Center (NCCIC) as the DHS focal point for information sharing between the federal government, the intelligence community, Department of Defense and the private sector. An Advisory Board, composed of 11 representatives of the private sector, 2 representatives from the privacy and civil liberties community and the chair of the National Council of Information Sharing and Analysis Centers (ISACs), would act as an advocate of the private sector in improving the operations of the NCCIC.
HR 3674 had been criticized for inadequate protections of privacy. To assuage these concerns, an amendment offered by Rep. McCaul was adopted to clarify the legally permissible cybersecurity activities of DHS regarding the collection, interception, retention, and dissemination of communications and system traffic, including compliance with written guidelines and approval of the Attorney General. Many in the privacy community believe even these added protections do not go far enough.
In explaining his decision to support the revised version instead of the bill approved by his Subcommittee, Rep. Lungren said that the “support of private sector stakeholders evaporated when they saw what was happening in the Senate”, a reference to the regulatory approach of the Lieberman bill which Majority Leader Reid intends to bring up in the Senate. However, he went on to say that House Leadership has agreed to bring up the original subcommittee bill if that private sector support can be regained. Rep. Peter King, chair of the Committee, emphasized that in the interests of retaining a seat at the table, and a role for the Committee in the deliberations and the final legislation passed by the House, the bill had to be revised before House Leadership would allow it to be brought to the Floor.
The Senate intends to turn its attention to cybersecurity in early May.
The revised version of HR 3674 (which is referred to as an Amendment in the Nature of a Substitute) adopted at the mark-up, Section by Section Analysis of bill as brought up for mark-up, amendments adopted at the mark-up, and an archived video of the mark-up session can be found at: http://homeland.house.gov/markup/markup-hr-3674-promoting-and-enhancing-cybersecurity-and-information-sharing-effectiveness
A little discussed provision of the legislation is Section 6412, which instructs the Federal Communications Commission (FCC) to provide a report, within 9 months, on the status of the 11 GHz, 18 GHz and 23 GHz bands. According to a story in 'Comm Law Blog', Congress is specifically interested in the “rejection” rate of FCC applications for commercial services in these bands. The bands are used for broadband backhaul services over relatively short path lengths. However, the bands are not only used by commercial wireless providers, they are used for critical infrastructure as well. The wording describes the term 'rejection rate' to mean the number and percent of applications (whether made to the Commission or to a third-party coordinator) for common carrier use of spectrum that were not granted because of lack of availability of such spectrum or interference concerns of existing licensees.
The fear is that the FCC will allocate this band for auction as a more efficient means of spectrum licensing, forgetting the utility and critical infrastructure systems that also use the channels. UTC will be watching this issue as it progresses through the FCC. For more details, see the blog post at http://www.commlawblog.com/2012/02/articles/unlicensed-operations-and-emer/congress-seeks-info-on-11-18-and-23-ghz-fixed-microwave/
UTC has issued the following statement about the Payroll Tax Report that was approved by Congress last week:
"We applaud Congress on approving this report. For years, UTC has advocated that utilities need access to sufficient spectrum to support their mission critical operations and to meet the overarching national policy objectives of energy independence and security. Congress' action today makes it possible for utilities to access the high quality spectrum that they urgently need."
For more information, please read the entire Press Release on UTC's website. Please contact UTC staff if you have any questions about the implications of this legislation for your utility. You can also read UTC's analysis of the spectrum provisions in this bill here.
Additionally, UTC experts have been quoted in the following industry media:
TR Daily Article (subscribers-only)
Congressional legislation that was passed last week would permit use of 700 MHz public safety spectrum for non-public safety services and would open up the 5350-5470 MHz band and guard bands for unlicensed operations, creating opportunities for utilities and CII to access additional spectrum. In addition, it would reallocate and auction the 470-512 MHz public safety frequencies and investigate the use of the 11, 18, and 23 GHz fixed microwave bands for commercial services – raising questions about the future of these bands for private wireless generally.
Spectrum provisions, including those pertaining to access to the 700 MHz public safety broadband network by non-public safety entities, have been included as part of larger congressional legislation that would extend the 2% reduction in payroll taxes, extend unemployment benefits and prevent a 27% decrease in Medicare reimbursements to doctors (the “doc” fix). The legislation is expected to be passed by Congress today, and would clear the way for public safety to share the 700 MHz public safety broadband network (PSBN) with utilities and other critical infrastructure industries. UTC is continuing to work with Congressional staff to enhance the abilities of utilities to participate in the creation of the PSBN and ensure that the synergies between the communications needs of public safety and utilities are most effectively leveraged in the final legislative compromise. The House and Senate are aiming to have a final conference report ready for an up-or-down vote by the end of this week. Congress is currently scheduled to begin its week-long President’s Day recess this Friday, although congressional leaders have threatened to cancel that recess if a compromise is not reached by week’s end. The deadline for passage of the conference report is February 29th when the current payroll tax reduction expires.
UPDATE: 11:41 AM - The House has approved the payroll tax conference report, 293-132. The conference report now moves to the Senate, where it will also be voted on shortly.
12:45 PM - The Senate approved the conference report 60-36. The bill moves on for President Obama's signature.
On February 1, the House Homeland Security Subcommittee on Cybersecurity approved by voice vote an amended version of HR 3674, the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness (PRECISE) Act of 2011. In keeping with the House Cybersecurity Task Force Report released last year, the bill focuses on improving and incentivizing information sharing between the government and the critical infrastructure on cyber threats and incidents. PRECISE would establish DHS as lead federal agency for the coordination of federal and critical infrastructure cybersecurity efforts, the development of a national cybersecurity strategy, and the formulation of voluntary cybersecurity guidelines.
The Jumpstarting Opportunity with Broadband Spectrum (JOBS) Act, passed by the House Energy and Commerce Subcommittee on Communications last week, has been rolled into a House Republican bill unveiled today to extend the payroll tax cut and unemployment benefits into 2012. The JOBS Act, introduced by Rep. Greg Walden (R-OR), includes provisions for non-public safety entities to access the 700 MHz public safety broadband network - a key issue for utilities. The legislation allocates the spectrum to public safety agencies, but would require first responders to give back another 14 MHz of narrowband spectrum they are currently using. It would set aside about $6.5 billion for that network. House and Senate committee staff are already working to iron out differences between the JOBS Act and S. 911, passed by the Senate Commerce Committee last July. Those differences concern the governance structure, amount of funding for network construction, maintenance and operations and the public safety narrowband spectrum reallocation. A Senate staffer noted that the House and Senate are close to agreement. UTC is working with committee staff to ensure that utilities are provided an opportunity to partner with public safety in the network buildout and operations.
The House Subcommittee on Communications of the House Energy and Commerce Committee held a mark-up of spectrum legislation introduced by Rep. Walden (R-OR) which includes provisions for non-public safety entities to access the 700 MHz public safety broadband network - a key issue for utilities. The bill, entitled the "Jumpstarting Opportunity with Broadband Spectrum Act of 2011" or the "JOBS Act of 2011," provides that each State may negotiate with private sector entities to construct, manage, maintain and operate the network. Furthermore, the private sector partners could be allowed under contract to access the network to provide services that are not "public safety services," as well as to share infrastructure (including antennas and towers) with public safety entities. In addition, the bill provides that the Administrator of the National Public Safety Communications Plan may contract with non-public safety entities to permit access in order to promote interoperability between those non-public safety entities and public safety entities during emergencies.
Thus, there are effectively two options for utilities and other non-public safety entities to access the 700 MHz public safety broadband network (i.e. through partnership or contract), but there are conditions.