Last week Sen Duckworth (D,IL) introduced S 914,
the Drinking Water and Wastewater Infrastructure Act of 2021. The bill
reauthorizes drinking water and wastewater treatment programs. While, it does
not include any specific cybersecurity programs, it does add addressing cybersecurity
concerns to a number of existing programs.
Cybersecurity Mentions
Section 101 amends 42
USC 300j-1(b) adding
“(including an emergency situation resulting from a cybersecurity event)” after
“emergency situation”; would allow providing technical assistance and grants.
Section 107 adds §1459F,
the Midsize and Large Drinking Water System Infrastructure Resilience and
Sustainability Program, to the Safe Drinking Water Act, which includes:
In
(b) - “shall award grants to eligible entities for the purpose of
increasing resilience to natural hazards, cybersecurity threats
[emphasis added], and extreme weather events”,
In
(c) - “may only use grant funds received under the resilience and
sustainability program to assist in the planning, design, construction,
implementation, operation, or maintenance of a program or project that
increases resilience to natural hazards, cybersecurity threats
[emphasis added], or extreme weather events”
In
(c)(6) - “the development and implementation of measures to increase the
resilience of the eligible entity to natural hazards, cybersecurity
threats [emphasis added], or extreme weather events”,
In
(d)(2) - “an identification of the natural hazard risk or potential cybersecurity
threat [emphasis added], as applicable, to be addressed by the proposed
program or project”,
In
(d)(3) - “documentation prepared by a Federal, State, regional, or local
government agency of the natural hazard risk, potential cybersecurity
threat [emphasis added], or risk for extreme weather events”,
In
(d)(4) - “a description of any recent natural hazards, cybersecurity
events, or extreme weather events that have affected the community
water system of the eligible entity”,
In
(d)(5) - “a description of how the proposed program or project would
improve the performance of the community water system of the eligible entity
under the anticipated natural hazards, cybersecurity threats
[emphasis added], or extreme weather events”,
In
(d)(6) - “an explanation of how the proposed program or project is expected
to enhance the resilience of the community water system of the eligible entity
to the anticipated natural hazards, cybersecurity threats, or extreme weather
events”.
Section 111 adds §1459H, Advanced Drinking Water
Technologies, to the Safe Drinking Water Act, which includes:
In
(a)(1) - “the Administrator shall carry out a study that examines the state
of existing and potential future technology, including technology that
could address cybersecurity threats [emphasis added], that enhances or
could enhance the treatment, monitoring, affordability, efficiency, and safety
of drinking water provided by a public water system”, and
In
(b)(1)(A)(iii) - “has expressed an interest in the opportunities in the
operation of the public water system to employ new or emerging, yet proven,
technologies, including technology that could address cybersecurity
threats [emphasis added]”,
Section 205 adds §222, Clean Water Infrastructure Resiliency
and Sustainability Program, to the Federal Water Pollution Control Act, which
includes:
In
(b) - “the Administrator shall establish a clean water infrastructure
resilience and sustainability program under which the Administrator shall award
grants to eligible entities for the purpose of increasing the resilience of
publicly owned treatment works to a natural hazard or a cybersecurity
threat [emphasis added]”,
In
(c) - “shall use the grant funds for planning, designing, or constructing
projects (on a system-wide or area-wide basis) that increase the resilience of
a publicly owned treatment works to a natural hazard or a cybersecurity
threat [emphasis added]”,
In
(d)(2) - “an identification of the natural hazard risk or potential
cybersecurity threat [emphasis added], as applicable, to be addressed
by the proposed project”,
In
(d)(3) - “documentation prepared by a Federal, State, regional, or local
government agency of the natural hazard risk or potential cybersecurity
threat [emphasis added], as applicable, of the area where the proposed
project is to be located”,
In
(d)(4) - “a description of any recent natural hazard events or cybersecurity
threats [emphasis added] that have affected the publicly owned
treatment works”,
In
(d)(5) - “a description of how the proposed project would improve the performance
of the publicly owned treatment works under an anticipated natural hazard or cybersecurity
threat [emphasis added]”,
In
(d)(6) - “an explanation of how the proposed project is expected to enhance
the resilience of the publicly owned treatment works to an anticipated natural
hazard or cybersecurity threat [emphasis added]”,
Section 213, Water Data Sharing Pilot Program, which
includes:
In
(a)(1) - “the Administrator may award grants to eligible entities under
subsection (b) to establish systems that improve the sharing of information
concerning water quality, water infrastructure needs, and water technology,
including cybersecurity technology [emphasis added]”.
Moving Forward
The bill was
considered by the Senate Environment and Public Works Committee last
Wednesday. Substitute language (not currently publicly available) and adopted
(pg 27) by the Committee by a unanimous vote. This clears the bill (once the
Committee Report is published) for consideration by the full Senate, where it
is likely to be considered under the unanimous consent process, meaning no
debate, no amendments and no actual vote. Of course, a single Senator could
stop that consideration process, and the reasons for that ‘objection’ could
have nothing to do with anything in this bill.
Commentary
This is the type of ‘cybersecurity’ language that I expect
to see more frequently in this session of Congress. Instead of standing up any
new cybersecurity program, I suspect that there will be more language adding cybersecurity
concerns to authorization bills by tacking ‘cybersecurity’ to existing safety
and security measures already in place. This will give existing regulatory
agencies more authority to address cybersecurity issues. Unfortunately, this
will seldom come with increased funding to address those issues.
The one problem with this approach is that there are
typically no cybersecurity related definitions included in the authorization
statutes for these programs. On one hand, this does give regulators the maximum
amount of leeway in how they address the cybersecurity issues, but on the other
hand, it does not insure that the full gamut of issues will be addressed.
The major shortcoming in this bill is that, while it addresses
information sharing about cybersecurity technology, it does not specifically establish
a program for sharing information about cybersecurity threats or system vulnerabilities.
There is a Water Information Sharing and Analysis Committee (WaterISAC), but that is a voluntary
organization without any specific government support or authority.