Monday, January 30, 2012

New Version of HR 3674, ‘the’ House Cybersecurity Bill

As I noted in my blog post Saturday, there will be a subcommittee markup hearing for HR 3674, the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2011 (PRECISE) Act of 2011. As is usual with markups of bills like this, the hearing will start off with the Chairman, Rep Lungren (R,CA) introducing his revised language for the bill and the subsequent proposed amendments will be made to that new language. So let’s take a look at the new version of his bill.


First off nothing has been removed from the bill at this point (that could change later this week); so everything I wrote about this bill (then a draft of this bill) still pertains to this revised language.

Most of the changes have been technical wording changes that will be mainly of interest to lawyers and judges if this bill ends up being signed by the President. There were, however a couple of new sections that were added at the end of the bill. They include:

§ 4. Report on Support for Regional Cybersecurity Cooperatives;
§ 5. Pilot Program on Cybersecurity Training for Fusion Centers; and
§ 6. Assessment of Sector by Sector Cybersecurity Preparedness.

Please note that §5 provides for training fusion center personnel in IT security practices to protect their information systems, not about cyber security threat assessment. It would have been nice to see a training requirement here for instance that would direct fusion center analysts to ICS-CERT for assistance in evaluating potential control system threats or attacks.

The bulk of the remaining changes can be found in Subtitle E, National Information Sharing Organization (NISO). Most of these changes have apparently been made to ensure that the NISO is not a ‘threat’ to civil liberties or legitimate information sharing activities.

ICS Coverage?

This bill remains at heart an information system protection bill not an ICS protection bill. The new version does include an additional mention of ‘industrial control systems’. In §226(a)(7) the bill would require the Secretary of DHS to:

“establish, in coordination with the Director of the National Institute of Standards and Technology, the heads of other appropriate agencies, and appropriate elements of the private sector, guidelines for making critical infrastructure information systems and industrial control systems [emphasis added]  more secure at a fundamental level, including through automation, interoperability, and privacy-enhancing authentication”.

There continue to be a number of sections of the bill that do not contain the explicit language “critical infrastructure information systems” and these may imply coverage of control systems. These are generally reporting requirements or information sharing requirements and they do not provide any regulatory authority.

For example the new §4 of the bill requires the Secretary to report on:

“the Secretary’s plan to provide support to regional, State, and local grassroots cyber cooperatives designed to decrease cyber disruptions to critical infrastructure, increase cyber workforce training efforts, increase community awareness of cybersecurity, organize community cyber-emergency preparedness efforts, build resiliency of regional, State, and local critical services, and coordinate academic technical and policy research effort”.

There is mention of potential grant program supporting these ‘cyber cooperatives’ (and that term is never defined), but there is no spending authority for such grants. This means that the grant money would have to come out of some existing grant program.

National Information Sharing Organization

The most controversial area of this bill continues to be the establishment of the National Information Sharing Organization which is also the section of the bill that sets up the conflict between this bill and HR 3523 (the bill sponsored by the House Intelligence Committee). Most changes to the NISO sections of this bill address privacy concerns.

For example §244(9) sets for the requirements for the protections of ‘privacy and civil liberties’. The new version of this bill adds subparagraphs (B) and (C) that specify that only ‘cyber threat information’ may be shared within NISO and that all “personally identifiable information not necessary to describe a cyber threat” be removed from information shared by and through NISO.

I noted in my earlier blog on this bill that the private sector board members of NISO did not include anyone from the water, chemical or transportation critical infrastructure key resources (CIKR) sectors. The revised version changes that somewhat in that it adds the water sector to those represented on the Board. The continued lack of chemical or transportation sector representation effective shuts those sectors out of NISO participation.

The new version of this bill also financially guts NISO after FY 2015. Federal funding up until then consists of $20 million each fiscal year (and that comes out of the existing DHS S&T budget, no new money). After FY 2015 the only federal money going to NISO will be the Federal membership fee for NISO. Even that will be limited by §253(b) to no more than “the fee collected from the largest private sector member of the National Information Sharing Organization”.

Since §253(a) prohibits Federal appropriations supporting NISO, that fee will have to come out of the budget of DHS or three other “Federal agencies with significant responsibility for cybersecurity” {§243(b)}. Since none of the four is required to pay the Federal governments ‘fair share’ fee I bet this gets lost in the annual budget shuffle.

There are two new terms specifically defined in the NISO sections of this bill that might increase the applicability of NISO to control system security information sharing (but don’t hold your breath); ‘cyber attack’ and ‘cyber security criminal act’. The inclusive language for ‘cyber attack’ includes the phrase “causes or attempts to cause damage and loss” {§248(f)(1)(B)}. For ‘cyber security criminal act’ the phrase is “efforts to degrade, disrupt or destroy a cybersecurity system or network” {§248(f)(2)(A)}. Neither constitutes a resounding commitment to ICS security information sharing.

Further Amendments

The subcommittee markup hearing that starts on Wednesday (and may become a multi-day hearing) will undoubtedly include many changes to the wording of this bill. Watching the hearing itself will be little help in identifying those changes as the exact wording of the changes is rarely included in the live proceedings. Usually we just get the interpretations of what the various congress critters think the language means.

We will have to wait until the actual amendment language is posted to the House Homeland Security Committee web site. The staff of that Committee usually does a pretty good job of getting that information up quickly. After that we will have the full committee markup (maybe as early as next week). Then we will have to wait for four other committees to act (or more likely fail to act) on the bill.

No comments:

/* Use this with templates/template-twocol.html */