As the Cybersecurity and Infrastructure Security Agency looks to define new incident reporting regulations for energy companies, Democratic and Republican leaders on the House and Senate energy committees are calling on Secretary of Energy Jennifer Granholm to ensure her department remains the federal government’s designated leader on the issue.
In a letter to Granholm sent Apr. 9, leaders on the Senate Committee on Energy and Natural Resources (Sens. Joe Manchin, D-WV, and John Barrasso, R-WY) and House Committee on Energy and Commerce (Reps. Frank Pallone, D-NJ, and Cathy McMorris Rodgers, R-WA) expressed concerns that recently-passed legislation requiring critical infrastructure entities to report breaches and ransomware payments to CISA within 72 hours could crowd out the department’s role as the designated federal lead.
“Given the increase of cyberattacks on energy infrastructure the ability to consolidate and share that information within the federal government to rapidly respond is vital. However, while the Act spells out CISA’s new obligations, DoE remains the lead agency for energy sector cybersecurity as established by law,” the members wrote. “As cyber threats increase, it is urgent that DoE fulfill its duty as the lead agency. DoE’s energy sector expertise and well-established partnerships with industry are critical in managing risk in today’s threat environment.”
While the Cyber Incident Reporting Act has passed into law, CISA has yet to set down a timeframe for the rulemaking process that will largely shape how the incident reporting regime is set up and how quickly that information may flow to other agencies. As lawmakers have steadily acknowledged and reinforced CISA’s rising prominence across public and private sector cybersecurity, they are also grappling with how to balance that rise with the needs of other federal bodies, like the Department of Energy, that have previously designated as sector specific agencies and charged with leading the government’s response.
While policymakers believe the law is critical to giving the federal government visibility over the volume and impact of cyber attacks on American infrastructure, it is also causing heartburn with other stakeholders in the policy ecosystem. Officials at the FBI have already publicly lamented the lack of language explicitly including them in the law’s reporting regime. CISA officials have said they are committed to sharing incident reports with the FBI and other relevant partners in a timely fashion.
The members of Congress, all of whom sit on committees with oversight responsibilities in the energy sector, are seeking to protect their turf as well. Prior to passage of the incident reporting law, electric utilities and other energy companies were required to report certain incidents to Energy, the Federal Energy Regulatory Commission, state and local governments and the North American Electric Reliability Corporation. The new reporting law and its focus on CISA could end up muddying DoE’s authorities overseeing the energy sector or duplicate reporting.
“As CISA develops a rulemaking for reporting requirements under the Act, we ask you to work to maintain DOE's role as the [sector risk management agency] for the energy sector, as required by law,” the committee leaders wrote. “Further, we ask that you urge the Secretary of Homeland Security and other federal agencies to harmonize existing cyber incident reporting requirements for the energy sector with CISA's forthcoming reporting requirements in order to provide clarity and consistency.”
Padraic O’Reilly, co-founder of CyberSaint, told SC Media that the letter could reflect dissatisfaction from some in Congress around the lack of statements or actions from DoE regarding the upcoming incident reporting regime from CISA.
“I think that the politicians are just saying ‘look DoE, you might come out and say a few things on this and assure people that you’re going to be front and center,’” O’Reilly said in an interview.
But he also said there’s likely a good reason behind why Energy officials haven’t been pounding the table in the same way that FBI and Department of Justice officials were last month. Energy regulators – specifically NERC and FERC – already have one of the most stringent reporting rules in place for cyber incidents, with some reporting deadlines coming an hour and 24 hours after discovering an incident.
“Prior to the passage of the [Cyber Incident Reporting Act] electric utilities and other energy companies were required to report certain cyber incidents to the DoE. They still are,” said O’Reilly. “They’re kind of implying that 'oh it’s all going to go to CISA.' It’s not true; NERC CIP is still the regulatory standard for energy.”