There has been a flurry of activity in Congress on the issue of cyber security in recent weeks. Some bills have failed, some executive motions have arisen in their wake, and what remains as the dust settles is the fundamental question of how jurisdiction on cyber security policy and oversight should be defined between states and the federal government.
The latest developments as of this writing are as follows:
- The Cyber Security Act, co-sponsored by Republican Susan Collins and independent Joe Lieberman, was blocked by a GOP filibuster in the U.S. Senate. The bill would have established a set of optional network security standards for companies involved in providing critical infrastructure, such as electricity and water. Those that complied would have been exempted from lawsuits. A number of Republicans, led by Sen. John McCain (R-Ariz.), argued the bill would impose excessive regulation on private enterprise, which resulted in the filibuster.
- Sen. McCain’s own bill (S. 3342) is still alive and will likely be picked up when Congress returns from summer recess. In its primary tenet, the bill would require national intelligence agencies to share information on cyber threats with energy companies and other businesses.
- A separate bill, S. 1342, championed by Senate Energy and Natural Resources Committee Chairman Jeff Bingaman (D-NM) seeks to expand the cyber security authorities of FERC.
- Meanwhile, an executive order has been authored by Rep. Edward Markey (D-Mass.) urging President Obama to take action by executive order to respond to the lack of Congress to create comprehensive cyber security legislation. It also appears that Markey is lobbying for extending greater authority to FERC on cyber security.
This legislative maneuvering amounts to a classic jurisdictional turf war between U.S. states and the federal government, but this time it pertains to the white-hot topic of cyber security oversight of our nation’s critical infrastructure assets. In summer sessions of NARUC, attendees repeated previously stated beliefs that states are fully capable of dealing with cyber security, and further, state regulators have domain over utility distribution networks, where cyber security standards would likely be focused. Advocates of putting all of this into the hands of federal regulators (either FERC or the Department of Homeland Security) say cyber security is too pervasive a topic for states to handle and there needs to be a unified, comprehensive approach.
I suspect this will be a focus when Congress returns, but it is such an important and broad topic that it’s unlikely we’ll see resolution this year.