This week the Senate is scheduled to take up HR 2810, the FY
2018 National Defense Authorization Act (NDAA). In addition to the amendments
introduced before the summer recess, Senators began proposing new
amendments to HR 2810 last week. Those amendments included three that may be of
interest to readers of this blog:
SA 794. Ms. WARREN - report on significant security risks of the national electric grid (pg S5008);
SA 824. Mr. THUNE - cybersecurity training program in the army senior reserve officers’ training corps (pg S5006); and
SA 849. Mr. KAINE - Cyber Scholarship Opportunities (pgs S 5072-3)
Electric Grid Study
The electric grid security study would be conducted by DOD
(in coordination with the Director of National Intelligence and the Secretary
of Energy) and would specifically look at:
• Identification of significant
security risks to defense critical electric infrastructure posed by significant
malicious cyber-enabled activities;
• An assessment of the potential
effect of the security risks identified pursuant to paragraph (1) on the
readiness of the Armed Forces; and
• An assessment of the strategic benefits derived
from, and the challenges associated with, isolating military infrastructure
from the national electric grid and the use of microgrids by the Armed Forces.
DOD is also expected to include in the report
recommendations to:
• Eliminate or mitigate the
security risks identified above; and
• Address the effect of those
security risks on the readiness of the Armed Forces identified above.
One of the key terms specifically defined in this amendment is
‘significant malicious cyber-enabled activities’. In
addition to the expected malware attacks and service disruption attacks, it
specifically includes more purely IT-centric attacks to:
• Deny access to or degrade, disrupt,
or destroy an information and communications technology system or network; or
• Exfiltrate, degrade, corrupt,
destroy, or release information from such a system or network without
authorization.
Including these IT type attacks greatly expands the
potential scope of this study. To somewhat limit that, the second IT-centric
attack is restricted to those attacks that are conducted for the purposes of:
• Conducting influence operations;
or
• Causing a significant
misappropriation of funds, economic resources, trade secrets, personal
identifications, or financial information for commercial or competitive
advantage or private financial gain
Moving Forward
The cloture motion for HR 2810 was filed on Thursday and the
vote on cloture is scheduled for 5:30 pm (EDT) today. If the leadership has
worked out a deal on the amendment process (and it looks like it may have) then
the 60 votes will be available to start that process. I expect that we will
see some additional amendments offered this week before a potential final vote
on Thursday.
Since the bill will be amended in the Senate (the only
question is when), a conference committee will be necessary to work out the
differences in the bill. The passage of the continuing resolution in HR 601 last
week will make it easier for that conference to meet and work out the
differences in the two versions of the bill. We might actually see a final vote
on the bill before the end of the fiscal year (but do not hold your breath).