Privacy & Information Security Law Blog

The absence of congressional action on cybersecurity legislation has spurred efforts by various entities to exert influence over cybersecurity policy. This client alert focuses on some of those efforts, including the Federal Energy Regulatory Commission’s (“FERC’s”) creation of a new cybersecurity office, North American Electric Reliability Corporation (“NERC”) action on cybersecurity Critical Infrastructure Protection (“CIP”) standards, continuing legislative developments concerning cybersecurity and anticipated White House executive orders on cybersecurity.

Cybersecurity has been one of the highest-profile topics in Washington this year. Yet, despite considering multiple cybersecurity bills, Congress left Washington for the upcoming elections without passing legislation. The chief architect of one such cybersecurity bill, Senator Joe Lieberman (I-CT), has expressed his view that legislation will not likely pass during the lame-duck session following the elections.

The main disagreement over cybersecurity legislation relates to granting the Department of Homeland Security (“DHS”) authority to set mandatory cybersecurity standards for critical infrastructure, accompanying liability protection, and, to a lesser degree, civil liberty concerns associated with public-private cybersecurity threat information exchanges.

With no new legislation forthcoming, officials are exploring cybersecurity policy options under existing authorities.

• FERC Announces New Cybersecurity Office: FERC has announced it is creating a new Office of Energy Infrastructure Security (“OEIS”) focused on potential physical and cybersecurity risks to energy facilities under its jurisdiction. According to FERC, OEIS will develop recommendations, provide assistance, participate in interagency efforts and conduct outreach with the private sector on physical and cybersecurity threats. OEIS will be led by Joseph McClelland, who has been Director of the Office of Electric Reliability since its formation in 2006.
• NERC Activity on Cybersecurity: NERC announced on October 1 that it is moving ahead with developing version 5 of its cybersecurity CIP standards. Balloting on the new version 5 CIP standards will be open until October 12. Read more information on the CIP standards. In addition, on October 3 the director of the NERC Electricity Sector Information Sharing and Analysis Center (“ES-ISAC”) distributed a letter to the electric industry. The letter informs the industry about developments and future actions in furtherance of the ES-ISAC’s role in cyber security, in which it undertakes to ensure grid reliability through improved information sharing and analysis and coordinated sector readiness and triage response. The letter positions ES-ISAC as a “bridge” between peer industry members, and between the U.S. and Canadian governments, and requests industry commitment and participation in collaboration and information sharing in order for ES-ISAC to fulfill this role.
• Senator Rockefeller Fortune 500 CEO Letter: Senator John Rockefeller (D-WV), Chairman of the Senate Committee on Commerce, Science, and Transportation, recently sent a letter to the CEOs of Fortune 500 companies seeking information about company cybersecurity practices as well as those companies’ views on federal legislation related to cybersecurity. Among other things, the letter asks the CEOs about each company’s cybersecurity best practices, how those practices are implemented, the federal government’s involvement in developing those practices and whether the CEOs are concerned about the federal government becoming involved in a cybersecurity standards-setting process. The letter requests responses from the CEOs to the inquiries by October 19. While the letter does not have legal authority requiring action, it is a sign of continued congressional efforts on cybersecurity.
• Cybersecurity Executive Order: The White House has said it is working on an Executive Order (“EO”) patterned on Senator Lieberman’s cybersecurity bill. While a draft has not been publicly released, the EO is said to establish a consultative process, led by DHS, to develop voluntary cybersecurity standards for critical infrastructure. Some have questioned whether, absent congressional action, the president can mandate voluntary cybersecurity standards. However, reports indicate the EO encourages departments and agencies to use existing authority to implement the voluntary cybersecurity standards. The EO also provides guidance to federal government bodies regarding information sharing.
• CIP Presidential Decision Directive: The Administration also reportedly is drafting a separate CIP Presidential Decision Directive (“PDD”) to update the 2003 Homeland Security Presidential Directive-7. A PDD carries significant influence as it is an EO developed through the National Security Council. The draft CIP PDD reportedly focuses on integrating DHS physical and cybersecurity activities, along with updating the National Infrastructure Protection Plan. Officials indicate the draft CIP PDD also addresses challenges faced by the public-private partnerships that were developed to confront national security interests in critical infrastructure and key resources.

Taken together, these developments suggest a piecemeal approach to cybersecurity in lieu of congressional action. Cybersecurity already presents difficult legal and compliance issues. These complexities will continue to be compounded by competing claims of jurisdiction and expertise as players with differing goals and objectives assert roles in cybersecurity policy.

For its part, FERC’s creation of OEIS signals increased Commission action on energy cybersecurity issues. OEIS’s establishment, in and of itself, does not substantively change electric utility compliance obligations. However, this development may indicate FERC intends to respond to presidential and congressional pressure with greater emphasis on cybersecurity or more aggressive investigations of cybersecurity incidents, and perhaps more substantial penalties. The new office may raise concerns within the electric utility industry that OEIS may attempt to strengthen the control of FERC in an arena currently structured for leadership by NERC and industry. Furthermore, while cybersecurity at FERC has been confined to the electric reliability program, OEIS’s application to all FERC-jurisdictional “energy facilities” may suggest the Commission is seeking to expand its influence on cybersecurity practices beyond electricity to natural gas and oil pipeline industries. On the other hand, the industry could consider OEIS to be a benefit if it is able to head off electricity sector cybersecurity regulatory efforts by agencies with less sector-specific experience. Indeed, with appropriate input, OEIS could potentially be an effective voice for industry concerns in any interagency processes.

Going forward, dealing with these and similar issues in other industries will require a multifaceted approach that takes into account the policies, jurisdictional claims and bureaucratic interests of the relevant regulatory and executive agencies, as well as applicable legislative policies and actions, or lack thereof. The team at Hunton & Williams offers diverse experience and knowledge, positioning the firm to assist with all dimensions of cybersecurity concerns in the current technical and political environment.