“Nobody has adequate authority with respect to both the electric and the gas infrastructure in this country regarding known vulnerabilities,” said Wellinghoff, who is a Democrat. “If I had a cyber threat that was revealed to me in a letter tomorrow, there is little I could do the next day to ensure that that threat was mitigated effectively by the utilities that were targeted.”
Republicans want to ensure legal protections for private firms and industry organizations communicating vulnerabilities with the federal government.
Democrats say that enhanced information-sharing between the public and private sectors would not defend the nation against sophisticated cyber attacks. They want stronger protections for civil liberties and language for monitoring critical infrastructure networks like the electric grid.
Wellinghoff’s explanation of the current restraints on improving cybersecurity paid heed to the different Republican and Democratic approaches on the topic.
“No. 1, I don’t have an effective way to confidentially communicate [cyber threats] to the utilities,” Wellinghoff said. “And No. 2, I have no effective enforcement authority, and I’ve said this for six years now. And I’ve also said I don’t care who has the authority, but Congress should give someone the authority.”
But since a comprehensive Senate bill floundered before the summer recess, executive action might be the only hope for cybersecurity changes this session.
The White House has pushed for critical infrastructure provisions in cybersecurity, which the GOP opposes because it says they will lead to increased regulation. Still, the administration is weighing issuing an executive order to impose cybersecurity measures on such networks.