Last month Rep. Eshoo (D,CA) introduced HR 1420,
the Energy Efficient Government Technology Act. The bill would require the OMB
to establish a strategy for the maintenance, purchase, and use by Federal agencies
of energy-efficient and energy-saving information technologies at or for
federally owned and operated facilities.
This is not one of the bills one would normally expect
me to cover in this blog; it does not address any cybersecurity issues. It does,
however, point to a problem of congressional understanding of cyber issues that
does have an impact on the legislative process in general and cybersecurity
legislation in particular.
Commentary
The bill would amend the Energy Independence and Security
Act of 2007 by adding a new §530,
Energy-Efficient and Energy-Saving Information Technologies. A key definition
in the bill is for the term ‘information technology’ which is defined as having
“the meaning given that term in section 11101
of title 40, United States Code [link added]” {new §530(a)(2)}. This is one of the most IT-limited
definitions used in the USC and it is further limited to equipment owned by an
agency of the Executive Branch of the Federal Government.
The bill then goes on to require the OMB to develop its strategy
for the use of “energy-efficient and energy-saving information technologies” {new
§530(b)}. Paragraph
(c) then goes on to identify six elements that should be included in that
strategy:
• Advanced metering infrastructure;
• Energy-efficient data center
strategies and methods of increasing asset and infrastructure utilization;
• Advanced power management tools;
• Building information modeling,
including building energy management;
• Secure telework and travel
substitution tools; and
• Mechanisms to ensure that the agency realizes the
energy cost savings brought about through increased efficiency and utilization.
Three of the six elements (1, 3, and 4) deal with
operational technology (otherwise known under the rubric of ‘industrial control
systems’) not information technologies. Now in the scope of this bill, the
confusion between OT and IT is probably of little consequence. There is nothing
in the guidance provided in the bill that would be dealt with differently if applied
to either OT or IT.
Unfortunately, we see the same failure to differentiate
between OT and IT in many pieces of cybersecurity legislation. There the
differences between the two types of technology do make a difference in how
cybersecurity strategies are applied. In IT cybersecurity the emphasis is on
protecting information. In OT cybersecurity the focus is on protecting the
physical processes involved, with protection of the information (normally
intellectual property) being a secondary or even tertiary consideration.
Until Congress (and more importantly its staffs) are able
to distinguish between the two types of cyber technology, their ability to effectively
legislate cybersecurity matters for either technology will be severely lacking.
But even in this bill, the failure to understand that the massive information
technology complex of the federal government is dependent on a largely
misunderstood operational technology component means that the crafters of this
legislation almost certainly left some important considerations out of this
bill. Energy efficiency is at heart a matter of energy management which rests
on OT not IT.