Cybersecurity law gives feds new power to protect the grid
Within the $1.1 trillion spending bill signed by President Obama last month is a legal framework for sharing information about digital security threats that upset privacy advocates but which energy industry officials say will help keep the nation's electric grid safe from cyberattacks.
"While the electric power sector already engages in significant information-sharing, and has in place mandatory and enforceable reliability and cybersecurity standards, taking steps to improve the sharing of actionable security information between the government and industry is vital to protecting the electric grid from all possible threats," Edison Electric Institute President Tom Kuhn said in a statement after the legislation was passed.
The new law, known as the Cybersecurity Act of 2015, grants legal protection to private companies and government agencies sharing what they know about digital security risks and potential attacks. Under the law, companies are exempt from antitrust scrutiny and other forms of liability for working together to share threat information.
The law's passage comes at a time of increased attention to potential cyber vulnerabilities in the electric grid. An electrical outage last month in Ukraine is said to be the first attributable to a digital attack, which that country's security authorities have reportedly blamed on Russia. And in the United States, the Associated Press, citing anonymous sources, reported late last month that foreign hackers have apparently penetrated utility operational networks about a dozen times within the past decade.
National Security Agency Director Adm. Michael Rogers told lawmakers last year that China and "one or two" other countries are capable of such digital attacks. Iran also is suspected of being in that camp.
Organizations in the electric power sector have been sharing security information even before passage of the cybersecurity act, said Scott Aaronson, EEI's senior director of national security policy.
"A lot of what this legislation clarifies - not all - but a lot of what this legislation clarifies is already happening between the government and the industry when it comes to cyberthreat indicators," he said.
Those indicators can be anything from vulnerabilities in commonly used software to evidence of ongoing attacks or infections by malicious software, he said.
"It is malware, it is threat signatures, it is bad [Internet protocol] addresses, it is vulnerability information, and it is forensics on known attacks," said Aaronson. "It runs the whole gamut and sort of speaks to the necessity of sharing information - there is a lot of it."
Some of the sharing is done through direct relationships between individual utilities and government agencies, and some is done through the North American Electric Reliability Corp.'s Electricity Information Sharing and Analysis Center, he said.
NERC didn't respond to requests for comment, but its 2014 Cyber Risk Preparedness Assessment emphasized the importance of sharing cybersecurity data with law enforcement and the sharing center.
"These organizations can provide additional resources, context, and coordination during incident response and can improve an entity's effectiveness in responding to and mitigating the impact from an attack," the report said.
The new law has the potential to take "the general counsel's office out of the equation" and enable more real-time sharing, Aaronson said.
"There's the popular line that the adversary is attacking us relentlessly, and we're calling meetings," he said. "The second you call a meeting, you're losing."
The law also calls on U.S. national security officials, including the Director of National Intelligence, Attorney General and the Defense and Homeland Security secretaries, to establish frameworks for sharing cybersecurity information between federal agencies and private industry - something Aaronson welcomed.
"We as a sector certainly see traffic on our networks that can be troubling," he said, "... so to the extent that the information or the threats that we see can be communicated to the government to the benefit of everybody, that is a good thing."
Privacy advocates, on the other hand, expressed concerns the law would leave Americans little recourse if their personal information was shared without their permission in the name of cybersecurity.
"Companies face no liability - even when bad things happen - for information that is shared with DHS or potentially other agencies designated by the president (which could include the FBI)," American Civil Liberties Union legislative counsel Neema Singh Guliani wrote last month. "So, consumers have little opportunity for redress in cases where their private information is shared without consent or even notice."
The law does require agencies and companies to take steps to remove any personally identifiable information "not directly related to a cybersecurity threat." Privacy groups, however, argue companies could still claim private information, like IP addresses and suspect email attachments, are related to cybersecurity.
"Americans demand real solutions that will protect them from foreign hackers, not knee-jerk responses that allow companies to fork over huge amounts of their customers' private data with only cursory review," Sen. Ron Wyden, D-Ore., said in a statement opposing the bill.
But those concerns may be less of an issue for the electric power industry, which is more interested in sharing information about threats to its operational systems than in sharing records from billing systems and other databases that would contain confidential customer data.
"Our companies do bill their customers, and so there is credit card data, there is PII on information technology systems and we work very hard to protect that," said Aaronson, using a common abbreviation for personally identifiable information. "We really are looking more on the operational side of the system, and that does not have the same PII concerns that we really have on the IT side."