CIPA

Congress: Hold DHS Accountable for Protecting the Electric Grid

 


Recently, I asked the question: “Is DHS Dropping the Ball on Critical Infrastructure Protection?” On December 23, 2016, the provisions of the Critical Infrastructure Protection Act (CIPA) were passed as section 1913 of the National Defense Authorization Act for Fiscal Year 2017. (Click here for the relevant 4 pages with the public law provisions of “CIPA.”)

Over a year later and all we’ve heard is crickets. So, I wrote to the chair and ranking member of all four committees who were supposed to be the recipients of the DHS reports asking them to look into the status of the work and the reports.

We need these Congressional committees to hold DHS accountable for doing the statutorily mandated work to protect the electric grid. Below my letter is the information you need to contact the leadership of these committees.

 



April 20, 2018

 

U.S. Senate Committee on Homeland Security and Governmental Affairs
Senator Ron Johnson, Chairman
340 Dirksen Senate Office Building
Washington, DC, 20510

Subject: DHS Inaction on the Critical Infrastructure Protection Provisions of
Public Law 114-328, §1913 of the NDAA for FY 2017

 

Dear Senator Johnson,

On December 23, 2016, essential critical infrastructure protection provisions were passed as section 1913 of the National Defense Authorization Act for Fiscal Year 2017. By now, the Department of Homeland Security (DHS) should have taken various actions and submitted at least two reports to Congress, possibly three. Specifically:

  • Section 1913(a)(2): Within 6 months of December 23, 2016, a recommended strategy to protect and prepare the critical infrastructure of the homeland against threats of EMP and GMD should have been submitted to Congress.
  • Section 1913(c): Not later than one year after the date of the enactment of this section, the Secretary of Homeland Security shall submit the recommended strategy required under 6 U.S.C. §121(d)(26)(A). [Seems to be similar to the report mentioned above in §1913(a)(2) but a different due date.]
  • Section 1913(d): Not later than 180 days after the date of the enactment of this section, DHS was supposed to submit to Congress a report describing the progress made in most of the provisions of PL 114-328 §1913.

These reports were supposed to be unclassified (i.e., should be available to the public) and were supposed to be submitted to:

  • U.S. House of Representatives, Committee on Homeland Security
  • U.S. House of Representatives, Permanent Select Committee on Intelligence
  • U.S. Senate Committee on Homeland Security and Governmental Affairs
  • U.S. Senate Select Committee on Intelligence

I can find no publicly available evidence that these reports have been completed. I request that the Committee look into the status of these critical reports and actions to ensure that DHS is meeting its statutory obligations.

Thank you for your consideration,

 

Michael Mabee


 

Contact Information For Congress:

Here are the addresses of the Chair and Ranking Member of each of the relevant committees. Do not hesitate to write your own letter – especially if one of these people is your Representative or Senator! Ask them to hold DHS accountable to protect the electric grid.

Committee on Homeland Security
U.S. House of Representatives
Rep. Bennie G. Thompson, Ranking Member
H2-117 Ford House Office Building
Washington, DC 20515

Committee on Homeland Security
U.S. House of Representatives
Rep. Michael McCaul, Chairman
2001 Rayburn House Office Building
Washington, DC 20515

U.S. House of Representatives
Permanent Select Committee on Intelligence
Rep. Devin Nunes, Chairman
Longworth House Office Building
Suite 1013
Washington, DC 20515

U.S. House of Representatives
Permanent Select Committee on Intelligence
Rep. Adam Schiff, Ranking Member
2372 Rayburn House Office Building
Washington, DC 20515

U.S. Senate Committee on Homeland Security and Governmental Affairs
Senator Ron Johnson, Chairman
340 Dirksen Senate Office Building
Washington, DC, 20510

U.S. Senate Committee on Homeland Security and Governmental Affairs
Senator Claire McCaskill, Ranking Member
340 Dirksen Senate Office Building
Washington, DC, 20510

U.S. Senate Select Committee on Intelligence
Senator Richard Burr, Chairman
211 Hart Senate Office Building
Washington, D.C. 20510

U.S. Senate Select Committee on Intelligence
Senator Mark Warner, Vice Chairman
211 Hart Senate Office Building
Washington, D.C. 20510

 


Is DHS Dropping the Ball on Critical Infrastructure Protection?

 

 

Congress Passed Critical Infrastructure Protection Provisions in 2016

The Critical Infrastructure Protection Act was a bill introduced in Congress in 2013 and 2015 and finally passed in the National Defense Authorization Act for Fiscal Year 2017 (NDAA). Congress said the provisions were designed “to protect Americans from an electromagnetic pulse (EMP), a threat experts consider one of the most serious risks to our national security.”

There is very little information available about the federal government’s implementation of the Critical Infrastructure Protection provisions of the NDAA. There are several reports that the Department of Homeland Security (DHS) is supposed to have filed by now with Congress. I can’t find the reports. It raises questions as to whether the required work is actually being done – and the quality and transparency of any work as well.

On December 23, 2016, the provisions of the Critical Infrastructure Protection Act (CIPA) were passed as section 1913 of the National Defense Authorization Act for Fiscal Year 2017. The NDAA is 970 pages long. (Click here for the relevant 4 pages with the public law provisions of “CIPA.”) The links to the full Act and U.S. Code versions are provided below. (It gets confusing because the government at times likes to cite an Act, and at other times likes to cite to the U.S. Code – often it does both in the same document. This can make it very hard to follow.)

 

What Has DHS Done on the Critical Infrastructure Protection Provisions?

There has been a great deal of public attention, press articles and increased awareness of the threat of EMP since September of 2017, when it was widely reported that North Korea detonated a hydrogen bomb and threatened the U.S. with an EMP attack. For example, Newsweek, CBC News, The Huffington Post, and the Boston Herald, to name only a few, reported on the EMP threat.

What is not at all in the public domain is any information on the federal government’s activities or operations to prepare for an attack on the critical infrastructure. It has been over a year since the critical infrastructure protection provisions were implemented. There are specific timelines for reports and actions in the provisions.

We’ve heard crickets. In fact, the “Energy Sector-Specific Plan” has not been updated since 2015 and makes only 3 cursory references to EMP and GMD events.

These reports required by the NDAA are critical to inform Congress and the public on DHS efforts to protect the United States against threats such as EMP and GMD.

 

What Are the Critical Infrastructure Protection Provisions of Section 1913 of the NDAA?

Here are the main requirements and reports mandated by section 1913 of the NDAA:

  1. Section 1913(a)(1) adds the terms “EMP” and “GMD” to the definitions section of the Homeland Security Act of 2002 (6 U.S.C. §101 et seq.) [NOTE: This has been done.]
  2. Section 1913(a)(2) adds 6 U.S.C. §121(d)(26)(A) titled: “Information and Analysis and Infrastructure Protection.” This section requires DHS to conduct an intelligence-based review and comparison of the risks and consequences of EMP and GMD facing critical infrastructure and submit to Congress, within 6 months of December 23, 2016, a recommended strategy to protect and prepare the critical infrastructure of the homeland against threats of EMP and GMD. This strategy must be updated every 2 years. [NOTE: I have not been able to find this review and strategy. Also, see 5 below.]
  3. Section 1913(a)(3) adds 6 U.S.C. § 195f titled: “EMP and GMD mitigation research and development.” This section requires DHS conduct research and development to mitigate the consequences of threats of EMP and GMD. There are specific requirements about the scope of the research and development. [NOTE: I have not been able to find any information on this.]
  4. Section 1913(a)(4) adds 6 U.S.C. § 321p titled: “National planning and education.” This section requires DHS to include in national planning frameworks the threat of an EMP or GMD event and also to “conduct outreach to educate owners and operators of critical infrastructure, emergency planners, and emergency response providers at all levels of government regarding threats of EMP and GMD.” [NOTE: I have not been able to find any information on this.]
  5. Section 1913(c): “DEADLINE FOR INITIAL RECOMMENDED STRATEGY.—Not later than one year after the date of the enactment of this section, the Secretary of Homeland Security shall submit the recommended strategy required under paragraph (26) of section 201(d) of the Homeland Security Act of 2002 (6 U.S.C. § 121(d)), as added by this section.” [NOTE: I have not been able to find any information on this. Also, see 2 above.]
  6. Section 1913(d): “REPORT.—Not later than 180 days after the date of the enactment of this section, the Secretary of Homeland Security shall submit to Congress a report describing the progress made in, and an estimated date by which the Department of Homeland Security will have completed—
    • including threats of EMP and GMD (as those terms are defined in section 2 of the Homeland Security Act of 2002, as amended by this section) in national planning, as described in section 527 of the Homeland Security Act of 2002, as added by this section;
    • research and development described in section 319 of the Homeland Security Act of 2002, as added by this section;
    • development of the recommended strategy required under paragraph (26) of section 201(d) of the Homeland Security Act of 2002 (6 U.S.C. §121(d)), as added by this section; and
    • beginning to conduct outreach to educate emergency planners and emergency response providers at all levels of government regarding threats of EMP and GMD events.”

[NOTE: I have not been able to find any information on this.]

 

The Initial Deadlines For Reports Have Passed

It looks to me like DHS should have submitted at least two reports to Congress by now, possibly 3. I have not seen them. Specifically:

  • Section 1913(a)(2): Within 6 months of December 23, 2016, a recommended strategy to protect and prepare the critical infrastructure of the homeland against threats of EMP and GMD should have been submitted to Congress.
  • Section 1913(c): Not later than one year after the date of the enactment of this section, the Secretary of Homeland Security shall submit the recommended strategy required under 6 U.S.C. §121(d)(26)(A). [Seems to be similar to the report mentioned above in PL 114-328 §1913(a)(2).]
  • Section 1913(d): Not later than 180 days after the date of the enactment of this section, DHS was supposed to submit to Congress a report describing the progress made in most of the provisions of PL 114-328 §1913.

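These reports were supposed to be unclassified (i.e., should be available to the public) and were supposed to be submitted to:

  • U.S. House of Representatives, Committee on Homeland Security
  • U.S. House of Representatives, Permanent Select Committee on Intelligence
  • U.S. Senate Committee on Homeland Security and Governmental Affairs
  • U.S. Senate Select Committee on Intelligence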

 

Conclusion

If DHS has not done the reports required by section 1913 of the NDAA for Fiscal Year 2017, one would hope that DHS requested and was granted an extension of time by Congress for good cause shown.

If the reports simply have not been done, that would be bad. Really bad. Unless I’m mistaken, isn’t the Department of Homeland Security in charge of homeland security?

 


References:

Public Law version:

U.S. Code version:

For more information from Congress:


Critical Infrastructure Protection – Two Decades of Failure

Why has so little critical infrastructure protection passed Congress?

 

I just don’t get it.

I mean, I understand why Congress is struggling on health care and tax reform. The reds and the blues have different opinions and different philosophies and apparently nobody wants to compromise. I get that. It’s the same on a lot of issues, and I understand the inability of Congress to make the sausage in terms of its lack of compromising and sharing. Watching the news out of DC, it seems like we are dealing with a bunch of adults behaving like kindergarteners. I can wrap my head around all of that.

Here is what I don’t get: there is strong bipartisan agreement – and has been for decades – that critical infrastructure protection is needed. Yet, so little has been done.

Despite bipartisan efforts, in the last two decades, there have only been a few laws passed that touch on critical infrastructure protection. All three that I can name came seemingly as “afterthoughts” to the yearly National Defense Authorization Acts (NDAAs). The 2001 NDAA established the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack. The 2016 NDAA extended the EMP Commission until June 30, 2017. (Note that the EMP Commission has now unbelievably been disbanded.) Finally, the 2017 NDAA implemented the “Critical Infrastructure Protection Act” (CIPA). This is the first meaningful legislation that requires the federal government to do something. It requires that the Department of Homeland Security:

  • Develop and report on “a recommended strategy to protect and prepare the critical infrastructure of the homeland against threats of EMP and GMD.”
  • Conduct “research and development to mitigate the consequences of threats of EMP and GMD.”
  • Identify “the critical utilities and national security assets and infrastructure that are at risk from threats of EMP and GMD.”
  • Conduct “an evaluation of emergency planning and response technologies that would address the findings and recommendations of experts, including those of the Commission to Assess the Threat to the United States from Electromagnetic Pulse Attack, which shall include a review of the feasibility of rapidly isolating one or more portions of the electrical grid from the main electrical grid.”
  • Conduct “an analysis of technology options that are available to improve the resiliency of critical infrastructure to threats of EMP and GMD, including an analysis of neutral current blocking devices that may protect high-voltage transmission lines.”
  • Assess “the restoration and recovery capabilities of critical infrastructure under differing levels of damage and disruption from various threats of EMP and GMD, as informed by the objective scientific analysis conducted under paragraph (1).”
  • Conduct “an analysis of the feasibility of a real-time alert system to inform electrical grid operators and other stakeholders within milliseconds of a high-altitude nuclear explosion.”
  • To “include in national planning frameworks the threat of an EMP or GMD event.”
  • Conduct “outreach to educate owners and operators of critical infrastructure, emergency planners, and emergency response providers at all levels of government regarding threats of EMP and GMD.”

Don’t get me wrong – CIPA is awesome and a long time coming. But experts argue that it could be too little too late. The problem is that it will literally take years for CIPA to have a meaningful impact. It is a great start that will protect us years down the road (if the federal agencies and private sector entities do their jobs). But in the meantime, we are vulnerable. And, don’t expect everybody to trip over themselves over the next few years to protect the grid.

 

“The Grid” Strikes Back

What is “the grid”? The grid is over 3000 companies involved in generation, transmission and distribution of electrical power. “The grid” is not one thing. In fact, in the U.S., there are three “grids” which involve thousands of public and private sector utility companies. The federal government does not regulate “the grid” – it is self-regulated. Hmmm. Self-regulation worked out pretty well on Wall Street in 1929, 1987, 2000 and 2008.

So, the federal government can’t tell “the grid” to harden itself. It can make suggestions. The Federal Energy Regulatory Commission (FERC) can make suggestions to the industry’s “lobbyist,” the North American Electric Reliability Corporation (NERC). Remember, NERC’s constituents are companies that are either trying to make a profit (private sector utilities) or at least trying not to lose money (public sector utilities). Convincing NERC to adopt rules requiring its constituents to spend money hardening the grid is a tough sell. “The grid” does not want to be regulated. It enjoys the current slow and lumbering bureaucracy.

I’m not saying that FERC is impotent or that NERC is evil (although I would not argue these points). What I am saying is that critical infrastructure protection is an immediate and exigent national security issue. Threats to the electric grid are existential threats to the United States. What we have needed from Congress for two decades are meaningful and immediate actions – actions that have had two decades of bipartisan support and two decades of failure to act.

 

Two Decades of Critical Infrastructure Protection Failure

I have been researching these issues for years. I have found that there are two decades of hearings, reports and failed legislation to protect the power grid from real and acknowledged threats. What are some of the threats?

  • Weather (e.g., Hurricane Maria in Puerto Rico and the U.S.V.I.)
  • Solar Flare or Geomagnetic disturbance (e.g., Quebec blackout of 1989)
  • Cyber-attack (e.g., Ukraine Blackout of 2015)
  • Terrorism (e.g., Metcalf sniper attack in 2013 and 9/11 Lower Manhattan)
  • Earthquake (e.g., 1989 Loma Prieta quake in California)
  • Pandemic (listed by FERC and DOE as a threat to the power grid)
  • EMP weapon (threatened by North Korea – possible from Russia, China and Iran)
  • Human / computer error (there are numerous examples of this)
  • A tree branch (e.g., Great Northeast Blackout of 2003)

Even if you don’t believe that one or more on this list “could ever happen to us,” it is beyond debate that all have either happened or are possible. So we can all agree that there are threats to the power grid.

So what if the worst happened? According to a March 2017 Senate report, up to 90% of the population of the United States could perish. How is this not a matter of exigent national security? How does this not constitute an existential threat to the United States?

Yet, Congress over the last two decades has failed to protect us. Instead, we are at the mercy of “the grid” which has larger concerns (money) than our meager lives and deaths.

 

What Congress Must Do

 

What We Can Do

Make no mistake. Your family’s survival is at stake. We can no longer sit passively while Congress sits passively. We need action to protect our families and communities.