Cybersecurity Remains a Critical Concern

Last Updated: 11/26/2013

Senate Commerce Committee Chairman Jay Rockefeller (D-W.Va.) plans to offer his cybersecurity bill, the Cybersecurity Act of 2013, as an amendment to the Defense authorization bill in November.  The amendment has the support of Senate Majority Leader Harry Reid (D-Nev.) and Senate Armed Services Committee Chairman Carl Levin (D-Mich.), a Rockefeller aide said. 

The measure is far more modest than legislation that Rockefeller and other Senate Democrats backed last year. That bill would have pressured critical infrastructure companies, such as banks and power plants, to meet minimum cybersecurity regulations. 

After opposition killed last year's bill, President Obama issued an executive order instructing the Commerce Department's National Institute of Standards and Technology (NIST) to craft voluntary cybersecurity best practices for critical infrastructure companies. Rockefeller's amendment would codify the executive order into law. It would also boost cybersecurity education, research and development for cyber threats.

Rockefeller is taking this action because his bill was passed by the Commerce Committee earlier this year with unanimous support. However, the bipartisan bill has been stalled ever since, and the Senator believes there is too much at stake not to move the bill forward in the Senate. He will introduce the legislation as an amendment to the Defense Authorization bill and will ask his colleagues to join him in supporting this effort.

President Obama's Executive Order on cybersecurity establishes a national cybersecurity policy for critical infrastructure across the nation. The Department of Homeland Security (DHS) will lead the implementation process, with a variety of other agencies heavily involved.

This effort will focus on two important areas: information sharing and the development of risk-based standards intended to protect the nation from cyber-related attacks. Under the information sharing provisions, federal agencies will be required to produce unclassified reports of threats to businesses, with procedures for how to share such information to be developed by DHS and the Attorney General. The National Institute of Standards and Technology (NIST) will lead a one-year process to develop a Cybersecurity Framework, a set of voluntary standards and best practices intended to reduce cyber risks across 18 different sectors of the economy, including electricity.

The Department of Energy, the designated agency for the energy sector, will use these guidelines to create a voluntary program for the energy sector. The Order does give the Department of Energy the discretion to call for voluntary standards to be converted into mandatory ones if the current framework of cybersecurity standards already developed at the North American Electric Reliability Corporation (NERC) and overseen at the Federal Energy Regulatory Commission (FERC) is deemed to be inadequate.

Roseville Electric and other energy providers, including the Northern California Power Agency, American Public Power Association and the Transmission Access Policy Study Group, view these provisions as largely unobjectionable to the electric sector. While many of the implementation details have yet to be determined, the Order avoids a "one-size-fits-all" approach, leaving FERC and the electric industry's ongoing stakeholder effort with the NERC to continue down the path established in the 2005 Energy Policy Act to protect the grid and establish standards.