
As Cybersecurity Bill Dies, Newly Declassified Report Underscores Grid Vulnerabilities

Despite growing concern about cybersecurity both in and outside of Washington, the Senate’s cybersecurity bill died a second time on Nov. 13. The apparent inability of Congress to pass legislation designed to protect critical U.S. infrastructure could lead to President Barack Obama implementing some of the bill’s provisions via executive order. A day after the bill failed to gain 60 votes for passage, a recently declassified report was released that finds the U.S. power grid is vulnerable to attacks that could be more destructive than natural disasters such as Hurricane Sandy.

The bipartisan Cybersecurity Act of 2012, introduced by Sens. Joe Lieberman (I-Conn.), Susan Collins (R-Maine), and three Democrats, was first blocked by Senate Republicans in August. Under pressure from the U.S. Chamber of Commerce, the bill had already been watered down before the August vote to make minimum security standards voluntary instead. The Chamber continued to put pressure on Senators to block the bill, which would have encouraged owners of critical infrastructure, including water and power utilities, to strengthen network security systems.

The Hill quoted Senate Intelligence Committee Chairwoman Dianne Feinstein (D-Calif.), a co-sponsor of the bill, as saying she has received intelligence warning that cyberattacks are “increasing in number, sophistication and damage.”

Few would argue that there’s nothing to worry about; however, without legislative or executive action, no agency, organization, or industry can act alone to take the necessary coordinated steps that could lower the risk of intentional or accidental cyber incidents.

“As tonight’s vote in the Senate illustrates, the current prospects for a cybersecurity bill are limited,” the administration’s chief cyber adviser, Michael Daniel, told Politico in a statement. “Congressional inaction in light of the risks to our nation may require the administration to issue an executive order as a precursor to the updated laws we need.”

The Washington Post reported on Nov. 14 that President Obama had in mid-October “signed a secret directive that effectively enables the military to act more aggressively to thwart cyber attacks on the nation’s web of government and private computer networks.” The paper cited “several U.S. officials who have seen the classified document and are not authorized to speak on the record.” The directive supposedly distinguishes between network defense and cyber-operations and “lays out a process to vet any operations outside government and defense networks and ensure that U.S. citizens’ and foreign allies’ data and privacy are protected and international laws of war are followed.”

The prospects for legislative action on cybersecurity anytime in the foreseeable future seem poor. Stewart Baker, a partner at the Steptoe & Johnson law firm in Washington and a former assistant secretary for policy at the Department of Homeland Security (DHS), was quoted by Bloomberg as saying, “The only other thing that can produce legislation is a major cybersecurity meltdown.”

A National Academy of Sciences report, “Terrorism and the Electric Power System,” that was completed in 2007 but only declassified this summer, was written with the intention of preventing any such cybersecurity meltdowns.

The report was prepared by a committee from academia, industry, state government agencies, and other organizations assembled by the National Research Council (NRC). Those members began work in the fall of 2004 and finished in the fall of 2007 “with the intention of releasing the report by the end of that year.” However, when they submitted the report to the sponsor (the Science and Technology Directorate of the DHS) for security classification review, as required by the contract, the DHS decided to classify the report. After a formal NRC request for security classification review, the full report was approved for public release in August 2012, “reversing the original classification decision, except that several pages of information deemed classified are available to readers who have the necessary security clearance.”

The report covers both problems and possible solutions to those problems. As the report’s Foreword notes, “Major cascading blackouts in the U.S. Southwest in 2011, and in India in 2012, underscore the need for the measures discussed in this report. The nation’s power grid is in urgent need of expansion and upgrading. Incorporating the technologies discussed in the report can greatly reduce the grid’s vulnerability to cascading failures, whether initiated by terrorists, nature, or malfunctions. In fact the report already has helped DHS focus on research aimed at developing a recovery transformer that could be deployed rapidly if many large power transformers were destroyed. Electric utilities and other private sector entities, state and local governments, and others involved with electric power are also likely to find the information in this report very useful.”

Sources: POWERnews, Bloomberg News, Politico, Washington Post, The Hill, Government Security News, National Research Council. This story was first published online Nov. 16.

—Gail Reitenbach, PhD, Managing Editor (@POWERmagazine)
