Energy may lead cyber info sharing

PDD-63 white paper

The Senate Energy and Natural Resources Committee is considering a request to support a governmentwide bill that would protect private-sector cybersecurity information from disclosure, but a draft bill pertaining specifically to the energy sector may be more acceptable to industry and agencies, officials said.

Following a move Oct. 9 by committee Chairman Jeff Bingaman (D-N.M.) to include infrastructure protection language in a bill currently before the committee, Sens. Robert Bennett (R-Utah) and Jon Kyl (R-Ariz.) asked the committee to adopt a measure the senators introduced late last month.

Their bill, the Critical Infrastructure Information Security Act, provides exemptions from the Freedom of Information Act and anti-trust laws to encourage the private sector to share information on cyberspace incidents and vulnerabilities with the government.

In the climate following the Sept. 11 terrorist attacks, the need to share information about vulnerabilities and attacks is more important than ever, Bennett said at a hearing on critical energy infrastructure security Oct. 10. Bennett and Kyl's bill is "somewhat of an orphan, and we are looking for someone to adopt it," he said.

And although almost every committee could assert oversight of this matter, the energy sector, with its record of sharing information between the public and private sectors, is a natural place to start, Kyl said.

"We need to start this someplace or else we'll be talking about this when we leave at the end of the year," he said.

The Energy Department supports the idea of fostering governmentwide information sharing behind the Bennett-Kyl bill, said Lee Sarah Liberman Otis, Energy's general counsel.

But the department is more enthusiastic about a draft substitute of an administration bill developed by the committee's staff to amend the Reclamation Recreation Management Act of 1992, she said.

That draft, in response to the Sept. 11 terrorist attacks, includes sections mirroring the protections afforded by the Bennett-Kyl bill. But because of its sector-specific language and context, DOE believes it will be more readily accepted by agencies and industry, she said.

The draft's sections on disclosure of sensitive information shared with the government and protection from anti-trust laws will enhance the information-sharing partnerships the department already is engaged in, such as with the North American Electric Reliability Council, Otis said.

Energy would also like to work more with Bingaman's staff and the Justice Department on another section of the draft concerning background checks for certain employees in the energy industry because the scope of these checks is still unclear, she said.

While the legislation is moving forward, Bingaman directed DOE officials to do everything they can to encourage the energy sector to form and use information sharing and analysis centers (ISAC) to exchange vulnerability and incident information. The information technology industry formed an ISAC in January.

The Clinton administration called for the formation of the ISACs under Presidential Decision Directive 63 in 1998 and named DOE as the lead for the energy sector. The electric industry formed its ISAC in June, and the oil and gas industry ISAC started in September.