House focuses on cybersecurity R&D in energy spending bill

The House Appropriations Committee approved a series of cybersecurity-related research and development initiatives designed to tighten up protection to the electric grid and other energy systems as part of its annual spending bill for Energy and Water Development.

The bill, which passed committee on June 10, sets aside $150 million for Cybersecurity, Energy Security and Emergency response services, $30 million higher than 2019-levels of spending. The measure is being teed up as one of four appropriations to be voted on by the full House in the first "minibus" of fiscal year 2020 funding bills.

A sizable chunk of those dollars would be dedicated to studying new methods and applications for protecting the country's energy grid from cyberattacks, something the committee said it "places a high priority" on in an accompanying report.

The legislation provides $10 million for R&D concepts to simplify and isolate automated systems and remove software vulnerabilities that could allow hackers to gain unauthorized access and $5 million for DarkNet, which studies ways to transition critical infrastructure systems off of the internet. Another $4 million would go to research grants for universities to develop secure electric power systems that are "flexible, modular, self-healing and autonomous."

The president's budget request for fiscal 2020 highlighted the importance of early-stage research to improve security around the electric grid, while the Department of Energy's cybersecurity plan issued in 2018 reflects a similar emphasis on R&D, saying it depends on public-private partnerships and its national laboratories to "out-innovate" adversaries in cyberspace.

Appropriators inserted language encouraging further work on grid modernization and resilience along with $10 million above the department's request for "targeted investments" to improve resilience of the grid and other energy infrastructure. It also required the Department of Energy to report on the feasibility and value of new testing capabilities to examine how susceptible the energy sector might be to electromagnetic pulse attacks or geomagnetic disturbances.

However, the committee criticized the department's broader approach to R&D policy, saying it focuses entirely on early-stage activities at the expense of medium and later-stage activities like deployment and demonstration and directing officials to use a more balanced approach.

"The Committee rejects this short-sighted and limited approach, which will ensure that technology advancements will remain in early-stage form and are unlikely to integrate the results of this early-stage research into the nation's energy system," the committee wrote.

They also took Energy officials to task for proposing to cut cybersecurity funding within the Office of the Chief Information Officer by $18.6 million, despite the office absorbing responsibility for all activities related to the CyberOne Initiative, which funds the department's Identity, Credential and Access Management program as well as the Joint Cybersecurity Coordination Center.

"At a time when cyber threats to the Department's facilities, sites, and national laboratories are increasing, this proposed decrease is very concerning," the committee wrote.