HR 3243 Introduced - Pipeline Security Act
Last week Rep Cleaver (D,MO) introduced HR 3243, the Pipeline Security Act. The bill would amend 49 USC 114, specifically charging the Transportation Security Administration with responsibility for pipeline cybersecurity. Additionally, the bill would require the establishment, and outline the responsibilities, of a pipeline security section within TSA.
49 USC 114 Amendment
Section 2 of the bill would amend §114 by inserting in subsection (f), Additional Duties and Powers, a new paragraph (16):
“(16) maintain responsibility, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency, as appropriate, relating to securing pipeline transportation and pipeline facilities (as such terms are defined in section 60101 of this title) against cybersecurity threats (as such term is defined in section 102 of the Cybersecurity Information Sharing Act of 2015 (Public Law 114–113; 6 U.S.C. 1501)), an act of terrorism (as such term is defined in section 3077 of title 18), and other nefarious acts that jeopardize the physical security or cybersecurity of such transportation or facilities; and”.
Pipeline Security Section
Section 3 of the bill would add a new §1631 to Title XVI, Cybersecurity and Infrastructure Security, of the Homeland Security Act of 2002 under a new Subtitle D, Pipeline Security. It establishes within TSA a pipeline security section with responsibility to “to carry out pipeline security programs in furtherance of section 114(f)(16) of title 49, United States Code” {new §1631(a)}.
The mission of the new section would be to oversee the security of pipeline transportation and pipeline facilities against cybersecurity threats, an act of terrorism, and other nefarious acts that jeopardize the physical security or cybersecurity of such transportation or facilities.
The responsibilities of the section would include {new §1631(d)}:
Developing guidelines for improving the security of pipeline transportation and pipeline facilities against cybersecurity threats, an act of terrorism, and other nefarious acts that jeopardize the physical security or cybersecurity of such transportation or facilities.
Updating such guidelines as necessary based on intelligence and risk assessments, but not less frequently than every three years.
Sharing of such guidelines and, as appropriate, intelligence and information regarding such security threats to pipeline transportation and pipeline facilities, as appropriate, with relevant Federal, State, local, Tribal, and territorial entities and public and private sector stakeholders.
Conducting voluntary security assessments based on such guidelines to provide recommendations for the improvement of the security of pipeline transportation and pipeline facilities against cybersecurity threats, an act of terrorism, and other nefarious acts that jeopardize the physical security or cybersecurity of such transportation or facilities.
Carrying out a program through which the Administrator identifies and ranks the relative risk of pipelines and inspects pipeline facilities designated by owners and operators of such facilities as critical based on such guidelines.
Preparing notice and comment regulations for publication, if determined necessary by the Administrator.
Subsection (e) of the new section would authorize TSA and CISA to detail personnel between their components to leverage expertise. This is being done to allow TSA to fulfil the cybersecurity expertise staffing requirements in referred to in subsection (c).
Other Provisions
Section 4 of the bill would require TSA to prepare a personnel strategy for enhancing operations within the pipeline security section. This would include an assessment of the resources TSA would need to carry out that strategy.
Section 5 would address the congressional oversight responsibilities for the new pipeline security section. In the House that would be the Homeland Security Committee and in the Senate it would be the Commerce, Science, and Transportation Committee. Annual reports on the activities of the pipeline security section to those committees would be required.
Finally, §6 would require TSA to convene not less than two industry days to engage with relevant pipeline transportation and pipeline facilities stakeholders on matters related to the security of pipeline transportation and pipeline facilities.
Committee Markup
Earlier this week the House Homeland Security Committee conducted a markup hearing where HR 3243 was considered. The bill was amended and ordered reported favorably to the House by unanimous consent.
Rep Watson-Coleman’s (D,NJ) amendment making essentially to modifications to the bill was adopted. Her first concern was to the ‘pipeline security section’ to ‘pipeline security division’ with a number of appropriate supporting word changes throughout the bill. The second actin was to add language to ensure that the head of the new ‘division’ would be in the ‘in the executive service of the Administration’. Both of these changes would serve to elevate the status of the new organization within the TSA.
An amendment from Committee Chair Thompson (D,MS), also adopted by unanimous consent. In a number of places in the new §1631 is added language about guidelines being superseded by ‘directives or regulations’. Additionally, the Thompson amendment substituted the following language for the existing ‘prepare notice and comment regulations if determined necessary’ language in §1631(d)(6):
‘‘(6) Supporting the development and implementation of a security directive or regulation when the Administrator issues such a directive or regulation.’’.
Finally, an amendment by Rep Slotkin (D,MI), also adopted by unanimous consent, inserting a new subsection (c), Cybersecurity Expertise, to §4:
“(c) CYBERSECURITY EXPERTISE.—The strategy shall include an assessment of the cybersecurity expertise determined necessary by the Administrator of the Transportation Security Administration and a plan for developing such expertise within the Administration.”
Moving Forward
The unanimous consent adoption for this bill in Committee would indicate that the bill has strong bipartisan support. That would normally mean that it should move easily to the floor of the House, probably under the suspension of the rules process. Unfortunately, bipartisan support is not all that a bill needs to move forward. In this case there are at least three other committees (the Science, Space, and Technology Committee, the Energy and Commerce Committee, and the Transportation and Infrastructure Committee) that think that they should have oversight responsibilities for cybersecurity in pipelines.
The language in this bill would specifically cut them out of the oversight process. That is why the §1631 language was shoehorned into 6 USC Title XVI (the CISA title) instead of in 49 USC where the TSA §114 is. That means that two Committee Chairs and a number of influential congresscritters are going to work hard to stop this bill from moving forward. This chair infighting has delayed a large number of homeland security related initiatives over the years, chemical facility security being a prime example. At this point I do not see the House leadership moving this bill forward.
Commentary
Thompson’s amendment to the bill tries to make it clear that the Committee intends for TSA to take some sort of regulatory action with regards to pipeline cybersecurity, but it is not sure exactly what sort of regulations that it would like to see. This is an ongoing problem with the cybersecurity regulatory process; Congress knows that regulations are probably going to be required but is unsure who exactly needs to be regulated and what regulations would actually be required. See my blog series of blog posts on the topic of the Philosophy of Cybersecurity Regulation.
The regulation question, however, is going to have to take backseat to the oversight question. It breaks down to this, there are four agencies that could potentially be put in charge of pipeline cybersecurity:
The Pipeline and Hazardous Material Safety Administration (oversight – Transportation and Infrastructure),
TSA (oversight – Homeland Security, and Transportation and Infrastructure),
CISA (oversight – Homeland Security),
Cybersecurity, Energy Security, and Emergency Response – (oversight Energy and Commerce; and Science, Space and Technology)
CISA has primary responsibility for cybersecurity within the federal government, and it only has one regulatory program (CFATS) in place. They would have to develop a regulatory support structure almost from scratch. And they have no expertise in pipeline systems.
DOT’s PHMSA already has a pipeline regulatory program (with inspectors) in place, and it covers energy pipelines and hazardous material pipelines. But they have very little cybersecurity expertise. TSA already has pipeline (both energy and hazmat) security responsibility but has a very limited number of personnel involved and essentially no cybersecurity expertise. CISA has cybersecurity expertise but nothing on pipeline security. DOE’s CESER has cybersecurity expertise and some oversight responsibility for energy pipelines, but no authority over hazardous chemical pipelines.
TSA’s surface transportation program is weak to say the least. They have spent the vast majority of their attention and resources on air transportation security. Moving their surface (including pipeline) security programs back to the appropriate DOT agencies would probably result in more attention to those regulatory programs. In that move PHMSA could be specifically given responsibility for non-energy pipeline cybersecurity.
This could leave the prime responsibility for energy pipeline cybersecurity resting with CESER. If some sort of regulatory responsibility in an energy pipeline security program could be crafted for CISA, then the congressional oversight problem could be generally solved.
But, that is easy to put down in this blog, but working out the committee interactions necessary to make this change would be nearly overwhelming. So, at least until we see an fuel pipeline blown up in a cyberattack, the current lack of regulatory structure is probably going to prevail for quite some time.