S 914 Introduced - Drinking Water and Wastewater Infrastructure Act of 2021

Last week Sen Duckworth (D,IL) introduced S 914, the Drinking Water and Wastewater Infrastructure Act of 2021. The bill reauthorizes drinking water and wastewater treatment programs. While, it does not include any specific cybersecurity programs, it does add addressing cybersecurity concerns to a number of existing programs.

Cybersecurity Mentions

Section 101 amends 42 USC 300j-1(b) adding “(including an emergency situation resulting from a cybersecurity event)” after “emergency situation”; would allow providing technical assistance and grants.

Section 107 adds §1459F, the Midsize and Large Drinking Water System Infrastructure Resilience and Sustainability Program, to the Safe Drinking Water Act, which includes:

In (b) - “shall award grants to eligible entities for the purpose of increasing resilience to natural hazards, cybersecurity threats [emphasis added], and extreme weather events”,

In (c) - “may only use grant funds received under the resilience and sustainability program to assist in the planning, design, construction, implementation, operation, or maintenance of a program or project that increases resilience to natural hazards, cybersecurity threats [emphasis added], or extreme weather events”

In (c)(6) - “the development and implementation of measures to increase the resilience of the eligible entity to natural hazards, cybersecurity threats [emphasis added], or extreme weather events”,

In (d)(2) - “an identification of the natural hazard risk or potential cybersecurity threat [emphasis added], as applicable, to be addressed by the proposed program or project”,

In (d)(3) - “documentation prepared by a Federal, State, regional, or local government agency of the natural hazard risk, potential cybersecurity threat [emphasis added], or risk for extreme weather events”,

In (d)(4) - “a description of any recent natural hazards, cybersecurity events, or extreme weather events that have affected the community water system of the eligible entity”,

In (d)(5) - “a description of how the proposed program or project would improve the performance of the community water system of the eligible entity under the anticipated natural hazards, cybersecurity threats [emphasis added], or extreme weather events”,

In (d)(6) - “an explanation of how the proposed program or project is expected to enhance the resilience of the community water system of the eligible entity to the anticipated natural hazards, cybersecurity threats, or extreme weather events”.

Section 111 adds §1459H, Advanced Drinking Water Technologies, to the Safe Drinking Water Act,  which includes:

In (a)(1) - “the Administrator shall carry out a study that examines the state of existing and potential future technology, including technology that could address cybersecurity threats [emphasis added], that enhances or could enhance the treatment, monitoring, affordability, efficiency, and safety of drinking water provided by a public water system”, and

In (b)(1)(A)(iii) - “has expressed an interest in the opportunities in the operation of the public water system to employ new or emerging, yet proven, technologies, including technology that could address cybersecurity threats [emphasis added]”,

Section 205 adds §222, Clean Water Infrastructure Resiliency and Sustainability Program, to the Federal Water Pollution Control Act, which includes:

In (b) - “the Administrator shall establish a clean water infrastructure resilience and sustainability program under which the Administrator shall award grants to eligible entities for the purpose of increasing the resilience of publicly owned treatment works to a natural hazard or a cybersecurity threat [emphasis added]”,

In (c) - “shall use the grant funds for planning, designing, or constructing projects (on a system-wide or area-wide basis) that increase the resilience of a publicly owned treatment works to a natural hazard or a cybersecurity threat [emphasis added]”,

In (d)(2) - “an identification of the natural hazard risk or potential cybersecurity threat [emphasis added], as applicable, to be addressed by the proposed project”,

In (d)(3) - “documentation prepared by a Federal, State, regional, or local government agency of the natural hazard risk or potential cybersecurity threat [emphasis added], as applicable, of the area where the proposed project is to be located”,

In (d)(4) - “a description of any recent natural hazard events or cybersecurity threats [emphasis added] that have affected the publicly owned treatment works”,

In (d)(5) - “a description of how the proposed project would improve the performance of the publicly owned treatment works under an anticipated natural hazard or cybersecurity threat [emphasis added]”,

In (d)(6) - “an explanation of how the proposed project is expected to enhance the resilience of the publicly owned treatment works to an anticipated natural hazard or cybersecurity threat [emphasis added]”,

Section 213, Water Data Sharing Pilot Program, which includes:

In (a)(1) - “the Administrator may award grants to eligible entities under subsection (b) to establish systems that improve the sharing of information concerning water quality, water infrastructure needs, and water technology, including cybersecurity technology [emphasis added]”.

Moving Forward

The bill was considered by the Senate Environment and Public Works Committee last Wednesday. Substitute language (not currently publicly available) and adopted (pg 27) by the Committee by a unanimous vote. This clears the bill (once the Committee Report is published) for consideration by the full Senate, where it is likely to be considered under the unanimous consent process, meaning no debate, no amendments and no actual vote. Of course, a single Senator could stop that consideration process, and the reasons for that ‘objection’ could have nothing to do with anything in this bill.

Commentary

This is the type of ‘cybersecurity’ language that I expect to see more frequently in this session of Congress. Instead of standing up any new cybersecurity program, I suspect that there will be more language adding cybersecurity concerns to authorization bills by tacking ‘cybersecurity’ to existing safety and security measures already in place. This will give existing regulatory agencies more authority to address cybersecurity issues. Unfortunately, this will seldom come with increased funding to address those issues.

The one problem with this approach is that there are typically no cybersecurity related definitions included in the authorization statutes for these programs. On one hand, this does give regulators the maximum amount of leeway in how they address the cybersecurity issues, but on the other hand, it does not insure that the full gamut of issues will be addressed.

The major shortcoming in this bill is that, while it addresses information sharing about cybersecurity technology, it does not specifically establish a program for sharing information about cybersecurity threats or system vulnerabilities. There is a Water Information Sharing and Analysis Committee (WaterISAC), but that is a voluntary organization without any specific government support or authority.