ABC News' Huma Khan reports: The United States is ill-prepared to deal with a cyber attack on the nation’s electric grid, one of the biggest national security threats facing the country today, lawmakers warned.
“The sobering reality is this vulnerability, if left unaddressed, could have grave, societal-altering consequences,” Rep. Trent Franks, R-Ariz., testified before the House Energy and Commerce Subcommittee today. “We face a menace that may represent the gravest short term threat to the peace and security of the human family in the world today.”
Experiments by federal agencies in recent years have shown that cyber spies have intruded into the U.S. electric system, and that it is increasingly susceptible to attacks by hackers and foreign governments.
The weakness in the system, some lawmakers argue, can also be exploited by terrorist groups like al Qaeda, which are advancing their technological capabilities.
“We know there are many many PhDs inside al Qaeda, whether we like it or not,” said Rep. Ed Markey, D-Mass., a senior member of the House Energy and Commerce Committee. “They are very technically sophisticated.”
Administration officials today admitted that nuclear reactors specifically are less secure than in the past, and smart grids – new digital electricity networks that are being promoted around the country – are more exposed than traditional systems. Because the new internet-protocol based systems utilize commercial software over the internet, they make the system more vulnerable. Coordination between agencies is also lacking, some say.
“Yes, threats are greater. Undoubtedly,” said Joseph H. McClelland, director of the Office of Electric Reliability at the Federal Energy Regulatory Commission. “When it comes to national security… the process is too slow, it’s too open and it’s too unpredictable.”
Several bills have been introduced in Congress to tackle the issue, but none has made it to the president’s desk.
The GRID Act, introduced a year ago, aims to give FERC the authority to issue rules and procedures to protect the nation’s grid without prior notice or hearings. It would also expand the Energy secretary’s powers over such matters and require the Defense secretary to prepare a plan identifying emergency measures and procedures that would need to be taken in the case of a cyber attack. The president would have the authority to order and authorize immediate emergency measures without Congressional approval.
The “pay-as-you-go” legislation wouldn’t cost taxpayers any money over the next ten years, according to the Congressional Budget Office.
Another related bill, the SHIELD Act, would make it a crime for a person to knowingly disseminate classified information related to U.S. intelligence activities.
Earlier this month, the White House released a more comprehensive cybersecurity plan calling for industries vulnerable to cyber attacks, like electricity, to create plans that would make their computer systems more secure.
“Our critical infrastructure – such as the electricity grid, financial sector, and transportation networks that sustain our way of life — have suffered repeated cyber intrusions, and cyber crime has increased dramatically over the last decade,” the report stated. “Our nation is at risk. The cybersecurity vulnerabilities in our government and critical infrastructure are a risk to national security, public safety, and economic prosperity.”
Industry leaders say there should be more federal standards that protect against such threats, but have pushed back against increased government involvement in the electric sector, especially in the corporate arena.
“Government authority to deal with cyber emergencies is needed,” stated written testimony by Gerry Cauley, president and chief executive of the North American Electric Reliability Corp. But “additional authority to address grid security vulnerabilities is not necessary.”
Others questioned whether FERC is equipped to handle the new responsibilities it would be given under the GRID Act.
"We question whether FERC has the technical or intelligence-handling expertise to exercise such a broad new authority," Barry Lawson, associate director at the National Rural Electric Cooperative Association, told lawmakers. "Operationally, this new authority could result in the establishment of potentially conflicting or different cybersecurity standards in the U.S. and Canada."
The renewed warning by lawmakers comes the day The Wall Street Journal reported that the Pentagon would declare computer sabotage from another country an act of war. The story cited the Pentagon’s cyber strategy report, which is due to be released in a few weeks.
When asked about the story today, Pentagon spokesman Col. Dave Lapan said, “A response to a cyber incident or attack on the U.S. would not necessarily be a cyber response … All appropriate actions would be on the table if we are attacked in cyber.”