July 27, 2017
WASHINGTON, D.C. – U.S. Senator Angus King (I-Maine), a member of the Senate Select Committee on Intelligence, announced today that he successfully secured several provisions in the Committee’s markup of the Fiscal Year 2018 Intelligence Authorization Act. The amendments are a continuation of Senator King’s efforts to increase security for the nation’s energy grid, protect government agencies and U.S. businesses from cyber-attacks, and increase transparency and efficiency within the Intelligence Community budget.
“A primary focus of the Senate Intelligence Committee is to protect the American people at home and abroad and I’m proud to say that this bipartisan bill has many provisions that achieve that goal,” Senator King said. “I’m particularly pleased with the inclusion of a measure aimed at protecting our grid from cyber-attacks. Attacks against critical infrastructure in Ukraine and around the world have been warning shots, and we have been too slow to act when the risks are too great to ignore. Bolstering the grid’s cyber defenses and taking a close look at the vulnerabilities in our national infrastructure will go a long way towards protecting and defending ourselves from dangerous cyber-attacks.”
Energy Grid Security: The bill includes the text of S. 79, the Securing Energy Infrastructure Act, which Senator King reintroduced in January with Senator Jim Risch (R-Idaho). The legislation aims to remove vulnerabilities that could allow cyber adversaries to access the U.S. energy grid through holes in digital software systems. Specifically, it would examine ways to replace automated systems with low-tech redundancies, like manual procedures controlled by human operators. This approach seeks to thwart even the most sophisticated cyber-adversaries who, if they are intent on accessing the grid, would have to actually physically touch the equipment, thereby making cyber-attacks much more difficult.
Bug Bounty Programs: The bill includes a provision authored by Senator King that requires the Under Secretary for Intelligence and Analysis to develop a strategic plan for government-wide “bug bounty” programs based on the 2016 “Hack the Pentagon” pilot program and similar private sector programs. Such programs use vetted U.S. hackers to find security vulnerabilities. In fact, the Department of Defense’s 2016 “Hack the Pentagon” program found 138 vulnerabilities in the Pentagon’s networks that were unique and eligible for a bounty.
Vulnerabilities Equities Process (VEP): The VEP is the primary process for deciding whether a government agency must disclose to private companies information about security vulnerabilities in their products, or whether the government may withhold the information for law enforcement or intelligence purposes. The bill includes a provision authored by Sen. King to require all U.S. intelligence agencies to report to Congress on their participation in the VEP, including information about the number of vulnerabilities each agency submits per year, the number of vulnerabilities disclosed to U.S. companies, and the number of vulnerabilities that are subsequently patched by U.S. companies.
Senator King also secured several other provisions; however, they remain classified in the bill.
The Intelligence Committee approved the Intelligence Authorization Act for Fiscal Year 2018 by a vote of 14-1. The bill authorizes funding for the U.S. intelligence community and provides numerous legal authorities and requirements, including:
The bill’s next step will be consideration before the full Senate.