Yesterday the House took final action on two cybersecurity bills HR 3523, the Cyber Intelligence Sharing and Protection Act (CISPA) and HR 4257, the Federal Information Security Amendments Act of 2012. HR 4257, which amends the Federal Information Security Management Act (FISMA) of 2002, was passed by a voice vote and HR 3523 passed on a nearly party-line recorded vote.
Since HR 4257 is solely an information system security bill essentially affecting only federal agencies and their contractors, I’ll leave further discussion of that bill to others.
As I noted in my earlier blog, most of the amendments considered yesterday by the House dealt with privacy issues. All of those (with one exception) passed either by voice vote or a unanimous recorded vote (okay 410-3, 414-1, and 413-3 are not technically unanimous). The one exception to that easy passage rule was the Conyers amendment that was not brought to the floor for consideration by its author. The one amendment that dealt with federal agency cybersecurity, the Jackson-Lee amendment, was withdrawn.
The three amendments that I discussed in that blog yesterday that might have a peripheral control system affect were not so cleanly dealt with. Two passed by a voice votes and one failed on a recorded vote; one of only two amendments to actually fail along party-line recorded votes.
The Turner amendment that added language that might allow regulators to consider adding coverage of control systems to regulations developed to implement this bill (don’t hold your breath, any regulations based upon this bill would be almost useless) passed on a voice vote. In an interesting parliamentary move, that amendment was actually extended after the bill was passed to add the phrase “deny access to or” before the word “degrade” wherever it is found in the bill instead of just in the four definitions listed in the amendment.
The Richardson amendment that would added wording that would make clear (in a weasel worded manner) that federal agencies could possibly share threat information with private sector entities failed on a near party-line vote. So there is still nothing in this bill that would actually allow that sort of information sharing; kind of defeats the whole purpose of the bill in my mind.
The Woodall amendment that explicitly stated that there was no requirement for private entities to share information with the federal government passed on a voice vote. I think that this amendment also weakens the bills intent. I understand the privacy implication reasons for this amendment, but it still leaves this ‘information sharing’ bill without any requirements for sharing even the most limited information about actual attacks or imminent threats.
As most pundits have noted the Senate leadership is pushing a more activist security bill that would have actual requirements for security measures included in the language. Of course, Sen. Reid (D,NV) has been promising to bring such a bill to the floor of the Senate for over two years now. The same sort of political infighting (a lot of it intra-party on both sides of the aisle) that has prevented him from keeping multiple promises for action will almost certainly prevent this bill from being considered.
The House has two more cybersecurity bills, HR 2906 and HR 3834 (both bills authorize cybersecurity research), scheduled for floor action today. They are both rather innocuous and will certainly pass today. They have a relatively good chance of passing in the Senate so people can say that they have passed cybersecurity legislation.
The House has one more gutted cybersecurity bill that it is prepared to bring to the floor; HR 3674, the PRECISE Act. It will be interesting to see if that measure actually makes it to consideration in its present form.