Thursday, March 5, 2015

Bills Introduced – 03-04-15

Yesterday there were 146 bills introduced in the House and Senate. Two of those bills may be of specific interest to readers of this blog:

HR 1290 To provide for a study by the Transportation Research Board of the National Academies on the impact of diverting certain freight rail traffic to avoid urban areas, and for other purposes. Rep. Ellison, Keith [D-MN-5]


S 650 A bill to extend the positive train control system implementation deadline, and for other purposes. Sen. Blunt, Roy [R-MO]

Wednesday, March 4, 2015

Senate Homeland Security Committee Adopts S 546

As I predicted earlier today, the Senate Homeland Security and Government Affairs Committee took up S 546, the RESPONSE Act of 2015. The Committee ordered the bill to be reported favorably on a voice vote. There were no amendments.

Since my earlier posting the GPO has provided a link to the language for S 546 and I have been able to confirm that it is almost perfectly identical to HR 1043. The only difference that I could find was the addition of the words “as appropriate” in §318(d)(6); hardly an earth shaking change.


It really does look like this bill, barring something really strange, or its House counterpart will likely make to the floor in each house and then to the President. It is almost certainly only a matter of timing.

ISCD Updates CFATS Fact Sheet – 03-04-15

This afternoon the folks at DHS Infrastructure Security Compliance Division (ISCD) published an updated copy of the CFATS Fact Sheet. The Fact Sheet shows the current status of the Site Security Plans in the program. It continues to show an increasing number of facilities with authorized and approved site security plans.



Just as consistently it shows a decreasing number of facilities that are covered by the Chemical Facility Anti-Terrorism Standards (CFATS) program. There are a number of legitimate reasons that a facility could be removed from the program, but ISCD continues its policy of not explicating the reasons for the 700+ facilities that have been removed from the program in the last year.


The third leg of the SSP compliance program, the compliance inspection results, also continues to be ignored in the CFATS Fact Sheet. The compliance inspection program determines if the facility is actually living up to its obligations outlined in the authorized and approve site security plan. This is the only real measure of whether or not a facility is secured against potential terrorist attack.

HR 1043 Introduced – RESPONSE Act

As I mentioned earlier, Rep. Kind (D,WI) introduced HR 1043, the RESPONSE Act of 2015. The bill would add a new subcommittee to FEMA’s National Advisory Council; the Railroad Emergency Services Preparedness, Operational Needs, and Safety Evaluation (RESPONSE) Subcommittee.

The bill would set a time limit for the existence of the Subcommittee {new §318(d)(9)}. It would be formed within 90 days of passage of the bill and would terminate four years after that enactment. The FEMA Administrator would be authorized to extend the termination date in one year intervals if he determines that additional reports are needed from the Subcommittee.

Membership

While the NAC is made up mainly of people from outside of the Federal government {6 USC 318(c)) this bill would require that this new subcommittee would also include representatives from the following federal agencies {new §318(d)(2)}:

● FEMA
● Office of Emergency Communications of the Department of Homeland Security
● Office of Railroad, Pipeline and Hazardous Materials Investigations of the National Transportation Safety Board
● Federal Railroad Administration
● Transportation Security Administration
● Coast Guard
● Office of Solid Waste and Emergency Response 22 of the Environmental Protection Agency
● Pipeline and Hazardous Materials Safety Administration
● Federal Motor Carrier Safety Administration

Subcommittee Focus

The RESPONSE Subcommittee will be required to look at, and make recommendations about, the following topics related to improving emergency responder training and resource allocation for hazardous materials incidents involving railroads {new §318(d)(6)}:

● Quality and application of training for local emergency first responders related to rail hazardous materials incidents;
● Effectiveness of funding levels related to training local emergency responders for rail hazardous materials incidents;
● Strategy for integration of commodity flow studies, mapping, and access platforms for local emergency responders and how to increase the rate of access to the individual responder in existing or emerging communications technology;
● The need for emergency response plans for rail, similar to existing law related to maritime and stationary facility emergency response plans for hazardous materials;
● The need for a rail hazardous materials incident database;
● Increasing access to relevant, useful, and timely information for the local emergency responder for training purposes and in the event of a rail hazardous materials incident; and
● Determination of the most appropriate agencies and offices for the implementation of the recommendations

Companion Bill S 546


A similar bill has been introduced in the Senate, S 546. I’m assuming that it is a companion bill, but a copy has not yet been published. The Senate Homeland Security and Governmental Affairs Committee is taking up the bill in their business meeting today. This is slightly unusual in that Sen. Heitkamp (D,ND) and her 5 cosponsors are all Democrats, but is would certainly seem to indicate that there is bipartisan support for this legislation, at least in the Senate.

HR 1022 Introduced – Countering Violent Extremism

As I mentioned earlier Rep. Walker (R,NC) introduced HR 1022, the Countering Violent Extremism [CVE] Grants Act. This bill would amend 6 USC 609 by adding a new authorized use for Urban Area Security Grants and State Homeland Security Grants.

Section 2 of the bill lays out the justification for the expansion of the use of the two grant programs. It notes recent high profile attacks conducted by homegrown terrorists in Europe, Canada and the US. It concludes that there are too “few initiatives exist to help communities understand the threat, prevent domestic radicalization, counter the narrative of extremists, and provide pathways to deradicalization (sic) for individuals who have become radicalized so they do not resort to violence” {§2(a)(5)}.

To help provide funding for programs that address this issue the bill would amend the list of allowable uses for the two largest DHS grant programs by adding to §609(a) a new allowable use for those funds; ‘countering violent extremism’. Allowable uses under this heading would include {new §609(a)(6)}:

● Training programs;
● The development, implementation, or expansion of programs to engage communities that may be targeted by violent extremist radicalization; and
● The development and implementation of projects to partner with local communities to prevent radicalization to violence.

While this is a clear expansion of the allowable uses for these grants, it does not actually expand the amount of money available for these grant programs. That means it effectively reduces the funds for the other allowable uses for the grant programs to fund these new uses. This is a classic example of robbing Peter to pay Paul.


Since ‘countering violent extremism’ is the current counter-terrorism buzz word and no new funding is being provided this bill would probably pass in the House if it is brought to a floor vote. As is the problem with most passable bills it will be getting the attention of the Homeland Security Committee leadership that will be trick. Walker is a fairly junior member of the Committee, but he does have an influential co-sponsor, Chairman McCaul (R,TX). I expect that we will see this bill move fairly quickly thru the Committee and to the floor of the House.

Tuesday, March 3, 2015

ICS-CERT Publishes MICROSYS Advisory

This afternoon the DHS ICS-CERT published an advisory for a stack-based buffer overflow vulnerability in the MICROSYS PROMOTIC application. The vulnerability was discovered by an anonymous researcher and it was coordinated through the HP Zero Day Initiative. MICROSYS produced a new version that mitigates the vulnerability though there is no indication that the anonymous researcher was given the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability if the demonstration application is running. A successful exploit could lead to a denial of service situation or provide data leakage.


The MICROSYS description of the new version does not contain any discussion of the vulnerability or its fix.

House Accepts Senate Version of HR 240

Earlier today the House accepted the Senate version of HR 240 in an unusual bipartisan vote of 257-167; only 75 Republicans voted for the bill as did every voting Democrat. Before today’s debate on the bill could start the conservative Republicans lost a procedural move to stop the consideration of the bill by a vote of 140-278.

The bill will go to the President who has indicated that he will sign the bill, so the Homeland Security funding issue has been resolved for this fiscal year. It will be interesting to see if the FY 2016 budget and spending bill suffer the same sort of problems.


There will almost certainly be repercussions within the Republican caucus for the leadership’s failure to get cohesive action on a major bill of this sort. It is probably too early to see any changes in the leadership, but unless something happens to change things the likelihood of those changes happening is going to increase.
 
/* Use this with templates/template-twocol.html */