The power goes out. Is a storm or downed line to blame for the power outage? No—an attack by a malicious hacker is the cause.
Your local power grid may not seem like a likely target for cyber hackers, but cybersecurity threats are an all-too-real risk for many buildings and electric grids connected to the Internet. According to a U.S. Department of Homeland Security report, although “the energy sector only represents 5-6 percent of U.S. GDP, the energy industry is subject to roughly 32 percent of all cyberattacks.”
In response to this vulnerability, the Senate recently passed a comprehensive energy reform bill that, among a number of other things, would establish a mechanism for dealing with cybersecurity threats to the electric grid. The bill, the Energy Policy Modernization Act of 2016, would designate the U.S. Department of Energy as the agency responsible for protecting the grid from cybersecurity threats.
This bill would also expand the Secretary of Energy’s authority under the Fixing America’s Surface Transportation (FAST) Act, which took effect in December 2015. The FAST Act established the Secretary’s power to address power grid security emergencies. The Senate’s bill, however, would clarify and extend this authority to include cybersecurity threats.
Under the Senate bill, the President would determine when a hacker’s attack on an electrical grid necessitates “immediate action.” After that determination, the Secretary of Energy would have the authority to intervene, ordering power companies to protect the power system as well as directing them how to do so. These emergency orders from the Secretary would be able to be given without prior notice and could remain in effect for up to 30 days, although in some circumstances they could be amended to last for as long as 90 days. To preempt financial concerns from energy companies and their shareholders, the bill contains provisions allowing companies to recoup the costs for actions ordered by the Secretary.
Another piece of the bill focuses on fortifying the country’s power supply by researching and developing technologies “to identify and mitigate vulnerabilities.” It would direct the Department to conduct a research program to combat cybersecurity threats, authorizing $65 million in funds each year through 2025 for the Department to carry out this research and testing. An additional $15 million per year would be authorized for testing vulnerabilities in the energy sector supply chain to cyberattacks.
The bill also highlights a category of “critical electric infrastructure information.” Information in this category pertains to key parts of the nation’s power supply that, were they destroyed or disrupted, “would negatively affect national security, economic security, public health or safety, or any combination of those matters.” Under the bill, the Department of Energy would have the authority to designate which information fits into this category. Once designated, that information would be exempt from disclosure requirements, such as those in the Freedom of Information Act.
Recent events have highlighted vulnerabilities in the power supply system, paving the way for the bill’s cyber measures. One headline-grabbing incident occurred in March, when the Southern District of New York indicted a group of Iranian hackers for repeatedly hacking into a small dam in New York in 2013, targeting numerous major financial companies and gaining control over water levels. That episode ultimately caused little damage, aside from inconveniencing customers, but it demonstrated the potential threat nonetheless.
Reactions to the Senate bill so far have been mixed. The Heritage Foundation denounced the bill, opposing its cybersecurity measures in particular, for its use of taxpayer funds and increased federal authority over cybersecurity, “which should be led by the private sector.” The U.S. Chamber of Commerce, meanwhile, strongly supported the bill, going as far as notifying Senate members of its plan to include the vote in the Chamber’s annual How They Voted scorecard.
The House of Representatives passed an amended version of the bill in May. Before the bill can become law, however, a conference committee will need to reconcile it with the differences with the House of Representatives’ version. The House had previously passed an energy bill last December, but it included some controversial provisions for natural gas exports that lead President Obama to threaten a veto.
President Obama has voiced support for the Senate bill, however, and Secretary of Energy Ernest Moniz said the bill contains “many very, very positive elements.” Still, resolving the differences between the Senate and House versions of the bill is no small task. An energy bill conference has not been held since 2005, and Senate Democrats will face intense scrutiny from environmental groups opposed to measures in the House bill not related to cybersecurity.