HR 2271 – Electric Grid Security

Last week Rep. Latta (R,OH) introduced HR 2271, the Critical Electric Infrastructure Protection Act. In many ways this bill takes the ideas introduced in S 1068 and expands them to cover threats other than just cybersecurity threats. In fact, this new bill does not specifically mention the term ‘cybersecurity threats’.

Definitions

This bill would also amend Part II of the Federal Power Act (16 USC Chapter 12 Subchapter II), adding a new section. Where the earlier bill defined ‘cyber security threats’, this new bill provides predictable definitions for the following terms (new §215A(a)}:

∙ Critical electric infrastructure;

∙ Critical electric infrastructure information;

∙ Defense critical electric infrastructure;

∙ Electromagnetic pulse;

∙ Geomagnetic storm; and

∙ Grid security emergency.

The critical definition for this bill is ‘grid security emergency’. This is defined as either:

A “malicious act using electronic communication or an electromagnetic pulse, or a geomagnetic storm event, that could disrupt the operation of those electronic devices or communications networks, including hardware, software, and data, that are essential to the reli1ability of the bulk-power system or of defense critical electric infrastructure” {new §215A(a)(7)(A)(1)}; or

A “direct physical attack on the bulk-power system or on defense critical electric infrastructure” {new §215A(a)(7)(B)(1)}.

The definition also specifically includes the results of such acts or attacks.

Authority to Act

The new §215A(b) then goes on to provide the Secretary of Energy the authority to take emergency actions “as are necessary in the judgment of the Secretary” {new §215A(b)(1)} to protect the reliability of the bulk power system or defense critical electric infrastructure when the President identifies a grid security emergency in writing. Emergency orders under this provision may apply to {new §215A(b)(4)}:

∙ The Electric Reliability Organization;

∙ A regional entity; or

∙ Any owner, user, or operator of the bulk-power system or of defense critical electric infrastructure within the United States.

Such emergency authority and resulting orders will expire after 30 days. The Secretary, upon notification by the President that the grid security emergency continues, may extend the emergency actions for 30 days at a time. Unlike S 2068, there is no 90 day limit on those extensions.

As part of this emergency authority, the Secretary (and other ‘appropriate Federal agencies’) are required to provide temporary access to classified information related to the grid security emergency to any “key personnel of any entity subject to such emergency measures to enable optimum communication between the entity and the Secretary and other appropriate Federal agencies regarding the grid security emergency” {new §215A(b)(7)}.

Critical Electric Infrastructure Information

Section 215A(d) officially establishes Critical Electric Infrastructure Information (CEII) as controlled unclassified information (CUI, though the term is not actually used in the legislation) that is exempt from disclosure under Federal and State freedom of information laws. It requires the Secretary to establish regulations to provide for the appropriate protection of such information. Under the new rules being developed by the National Archives and Records Administration (NARA) this would move CEII out of the ‘Basic’ CUI classification and into the ‘Specified’ CUI category allowing the Secretary to establish the rules for protecting and sharing the information.

Moving Forward

Rep Latta is a relatively senior member of the Energy and Power Subcommittee of the House Energy and Commerce Committee. Rep. McNerney (D,CA) is a co-sponsor and the second highest ranking Democrat on the same subcommittee. Between the two of them they probably have enough pull to get this bill considered in the Subcommittee. Whether or not it will move forward from there depends on who else they can get on the bandwagon.

This bill would probably pass in both the House and Senate if it ever got to the floor. There is really nothing new here, it just legalizes and requires the establishment of a regulatory structure to allow the emergency actions that would take place in any case under the President’s executive powers under the Constitution.

It does look like this bill is being considered for inclusion in a larger bill. This would be the bill that I briefly discussed this morning as being the topic for tomorrow’s Energy and Power Subcommittee hearing. If that does happen this bill would be left hanging unless something happened to stop that new bill from proceeding.