119-s2593

[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 2593 Introduced in Senate

    (IS) ]

<DOC>

119th CONGRESS
 1st Session
 S. 2593

 To direct the Secretary of Commerce to submit a report assessing 
vulnerabilities to the electric grid in the United States from certain 
 Internet-connected devices and applications, and for other purposes.

_______________________________________________________________________

 IN THE SENATE OF THE UNITED STATES

 July 31, 2025

 Mr. Scott of Florida introduced the following bill; which was read 
 twice and referred to the Committee on Banking, Housing, and Urban 
 Affairs

_______________________________________________________________________

 A BILL

 To direct the Secretary of Commerce to submit a report assessing 
vulnerabilities to the electric grid in the United States from certain 
 Internet-connected devices and applications, and for other purposes.

 Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

 This Act may be cited as the ``Preventing Remote Operations by 
Threatening Entities on Critical Technology for the Grid Act'' or the 
``PROTECT the Grid Act''.

SEC. 2. FINDINGS; PURPOSES.

    (a) 

=== Findings ===
-Congress finds that--

    (1) the rapid proliferation of high-wattage IoT devices, 
 such as electric vehicle chargers, clothes dryers, smart air 
 conditioners, water heaters, ovens, and similar appliances, has 
 dramatically increased the number of connected devices in 
 households in the United States;

    (2)
        (A) smart appliance applications and software platforms 
 increasingly serve as remote control interfaces; and
        (B) when those applications and software platforms 
 originate from companies operating under the jurisdiction or 
 direction of foreign adversaries they offer a pathway for 
 large-scale, coordinated manipulation of power demand, 
 threatening grid stability;

    (3)
        (A) in certain foreign adversary jurisdictions, 
 particularly the People's Republic of China, private companies 
 are subject to formal political oversight through mechanisms 
 such as, in the case of the People's Republic of China, 
 embedded Chinese Communist Party committees and executive-level 
 Chinese Communist Party leadership; and
        (B) those arrangements blur the lines between commercial 
 activity and state-directed strategic interests;

    (4) further elevating the risk to the United States 
 electric grid is the 2017 Cybersecurity Law of the People's 
 Republic of China (commonly referred to as the ``Chinese 
 Cybersecurity Law''), which mandates that Chinese companies 
 store customer data domestically and grant Chinese state 
 authorities broad access to those data;

    (5) the legal and political structures described in 
 paragraphs

    (3) and

    (4) increase the likelihood that connected 
 home appliances could be leveraged by foreign adversaries to 
 target critical infrastructure in the event of a conflict with 
 the United States;

    (6) companies controlled by foreign adversaries--
        (A) are actively pursuing rapid deployment of high-
 wattage IoT devices that could be used to attack the 
 electric grid in the United States; and
        (B) control more than 25 percent of the major 
 appliance industry in the United States, which provides 
 an established platform for quickly deploying those 
 high-wattage IoT devices;

    (7) through smart applications, companies controlled by 
 foreign adversaries--
        (A) are actively collecting detailed consumer data 
 on millions of people in the United States; and
        (B) have the ability to directly manipulate the 
 demand of high-wattage devices on the electric grid;

    (8) as a result, foreign adversary-controlled applications 
 for high-wattage IoT devices create significant risk of 
 coordinated, deliberate, demand-manipulation attacks on the 
 electric grid in the United States;

    (9) several academic studies from researchers at Princeton 
 University, the Georgia Institute of Technology, and the 
 University of California, Santa Cruz, point to significant 
 risks of manipulation of demand via IoT (commonly referred to 
 as ``MaDIoT'') attacks to manipulate power demand on the 
 electric grid that could result in large-scale blackouts and 
 potential damage to the electric grid;

    (10) it is therefore critical to protect energy 
 infrastructure in the United States by ensuring that smart 
 applications embedded in home appliances are secure and cannot 
 serve as an entry point for foreign adversaries; and

    (11) failing to address the vulnerabilities presented by 
 those smart applications could lead to grid instability, 
 frequency imbalances, cascading system failures, and, 
 ultimately, catastrophic disruptions that jeopardize both 
 public safety and the broader economy of the United States.

    (b) 

=== Purposes ===
-The purposes of this Act are--

    (1) to harmonize and reinforce existing national security 
 initiatives aimed at securing the domestic information and 
 communications technology and services (commonly referred to as 
 ``ICTS'') supply chain against manipulation of demand, 
 especially by the People's Republic of China; and

    (2) to direct the Secretary of Commerce, in consultation 
 with other relevant Federal officials, to submit to Congress a 
 report containing findings and recommendations to ensure that 
 network-connected home appliances in households in the United 
 States do not serve as a conduit for activities by foreign 
 adversaries or jeopardize the stability of the electric grid in 
 the United States.

SEC. 3. DEFINITIONS.

 In this Act:

    (1) Consumer product.--The term ``consumer product'' has 
 the meaning given the term in 

section 3

    (a) of the Consumer 
 Product Safety Act (15 U.S.C. 2052

    (a) ).

    (2) Covered entity.--The term ``covered entity'' means an 
 entity that--
        (A) is subject to the jurisdiction of a foreign 
 adversary;
        (B) is directly or indirectly operating on behalf 
 of a foreign adversary; or
            (C) is owned by, directly or indirectly controlled 
 by, or otherwise subject to the direction or influence 
 of, a foreign adversary.

    (3) Critical infrastructure.--The term ``critical 
 infrastructure'' has the meaning given the term in subsection

    (e) of the Critical Infrastructures Protection Act of 2001 (42 
 U.S.C. 5195c).

    (4) Foreign adversary.--The term ``foreign adversary'' 
 means--
        (A) any covered nation (as defined in 

section 4872

    (f) of title 10, United States Code); and
        (B) the Bolivarian Republic of Venezuela while 
 Nicolas Maduro Moros is in power.

    (5) Foreign adversary-controlled application.--The term 
 ``foreign adversary-controlled application'' means a website, 
 desktop application, mobile application, or augmented or 
 immersive technology application that is operated, directly or 
 indirectly (including through a parent, subsidiary, or 
 affiliate (as those terms are defined in 

section 230.405 of 
 title 17, Code of Federal Regulations (as in effect on the date 
 of enactment of this Act))), by a covered entity.

    (6) High-wattage iot device.--The term ``high-wattage IoT 
 device'' means any Internet-connected appliance or device that 
 is capable of consuming or controlling electrical power at a 
 level exceeding 500 watts, regardless of whether the device is 
 used or designed for use in residential or commercial 
 applications.

    (7) IoT.--The term ``IoT'' means Internet of Things.

    (8) Relevant federal official.--The term ``relevant Federal 
 official'' means--
        (A) any Federal official described in 

section 1

    (a) of Executive Order 13873 (84 Fed. Reg. 22689; relating 
 to securing the information and communications 
 technology and services supply chain) (as in effect on 
 the date of enactment of this Act) (or a designee of 
 the applicable Federal official); and
        (B) the head (or a designee of the head) of any 
 other Federal department or agency that, in the 
 determination of the Secretary of Commerce, is relevant 
 to the purposes of this Act.

SEC. 4. REPORT ON NATIONAL SECURITY RISKS POSED BY FOREIGN ADVERSARY-
 CONTROLLED APPLICATIONS WITH THE CAPABILITY OF 
 CONTROLLING HIGH-WATTAGE IOT DEVICES.

    (a) In General.--Not later than 270 days after the date of 
enactment of this Act, the Secretary of Commerce, in coordination with 
other relevant Federal officials, shall submit to the Committee on 
Commerce, Science, and Transportation of the Senate and the Committee 
on Energy and Commerce of the House of Representatives a report 
assessing the national security risks associated with foreign 
adversary-controlled applications with the ability to attack or 
undermine critical infrastructure in the United States.

    (b) Considerations.--In preparing the report under subsection

    (a) , 
the Secretary of Commerce shall consider, at a minimum--

    (1) the extent of deployment of high-wattage IoT devices 
 across the United States;

    (2) risks relating to foreign adversary-controlled 
 applications, especially those incorporated into consumer 
 products that could be used to attack or otherwise destabilize 
 the electric grid;

    (3) potential impacts of those risks and any other relevant 
 vulnerabilities on national security, including the risks of 
 frequency imbalances, cascading failures, and other disruptions 
 to critical infrastructure; and

    (4) public comments and input from industry experts, 
 domestic producers, importers, consumer groups, and other 
 stakeholders regarding the security of, and the extent of 
 foreign influence over, foreign adversary-controlled 
 applications and high-wattage IoT devices.
            (c) Recommendations.--The report submitted under subsection

    (a) shall include recommendations for mitigation measures to address any 
identified national security risks, which may include--

    (1) an assessment of how Executive Order 13873 (84 Fed. 
 Reg. 22689; relating to securing the information and 
 communications technology and services supply chain) (as in 
 effect on the date of enactment of this Act) may be applied to 
 IoT devices, as such devices apply to the electric grid, to 
 include restrictions or conditions on transactions directly 
 involving foreign adversary-controlled applications in high-
 wattage IoT devices;

    (2) specifically restricting the procurement by the Federal 
 Government of consumer products with a foreign adversary-
 controlled application;

    (3) certification or labeling requirements for high-wattage 
 IoT devices; and

    (4) any other proposal, as determined necessary by the 
 Secretary of Commerce, in consultation with other relevant 
 Federal officials.

SEC. 5. CODIFICATION OF EXECUTIVE ORDER 13873.

    (a) In General.--The provisions of Executive Order 13873 (84 Fed. 
Reg. 22689; relating to securing the information and communications 
technology and services supply chain) (as in effect on the date of 
enactment of this Act) are enacted into law.

    (b) Publication.--In publishing this Act in slip form and in the 
United States Statutes at Large pursuant to 

section 112 of title 1, 
United States Code, the Archivist of the United States shall include 
after the date of approval at the end an appendix setting forth the 
text of the Executive order referred to in subsection

    (a) (as in effect 
on the date of enactment of this Act).
 <all>