Yesterday the House took final action on two cybersecurity
bills: HR 3523, the Cyber Intelligence Sharing and Protection Act (CISPA), and HR
4257, the Federal Information Security Amendments Act of 2012. HR 4257, which
amends the Federal Information Security Management Act (FISMA) of 2002, was
passed by a voice vote and HR 3523 passed on a nearly party-line recorded
vote.
Since HR 4257 is solely an information system security bill
essentially affecting only federal agencies and their contractors, I’ll leave
further discussion of that bill to others.
CISPA Amendments
As I noted in my earlier blog, most of the amendments considered yesterday by the House
dealt with privacy issues. All of those (with one exception) passed either by
voice vote or a unanimous recorded vote (okay 410-3, 414-1, and 413-3 are not
technically unanimous). The one exception to that easy passage rule was the
Conyers amendment that was not brought to the floor for consideration by its
author. The one amendment that dealt with federal agency cybersecurity, the
Jackson-Lee amendment, was withdrawn.
The three amendments that I discussed in that blog yesterday
that might have a peripheral control system effect were not so cleanly dealt
with. Two passed by voice votes and one failed on a recorded vote; one of
only two amendments to actually fail along party-line recorded votes.
The Turner amendment that added language that might allow regulators to consider
adding coverage of control systems to regulations developed to implement this
bill (don’t hold your breath, any regulations based upon this bill would be
almost useless) passed on a voice vote. In an interesting parliamentary move,
that amendment was actually extended after the bill was passed to add the
phrase “deny access to or” before the word “degrade” wherever it is found in
the bill instead of just in the four definitions listed in the amendment.
The Richardson amendment that would have added wording that would make clear
(in a weasel-worded manner)
worded manner) that federal agencies could possibly share threat information
with private sector entities failed on a near party-line vote. So there is
still nothing in this bill that would actually allow that sort of information
sharing; kind of defeats the whole purpose of the bill in my mind.
The Woodall amendment that explicitly stated that there was no requirement for private
entities to share information with the federal government passed on a voice
vote. I think that this amendment also weakens the bill’s intent. I understand
the privacy implication reasons for this amendment, but it still leaves this
‘information sharing’ bill without any requirements for sharing even the most
limited information about actual attacks or imminent threats.
Moving Forward
As most pundits have noted, the Senate leadership is pushing
a more activist security bill that would have actual requirements for security
measures included in the language. Of course, Sen. Reid (D,NV) has been
promising to bring such a bill to the floor of the Senate for over two years
now. The same sort of political infighting (a lot of it intra-party on both
sides of the aisle) that has prevented him from keeping multiple promises for
action will almost certainly prevent this bill from being considered.
The House has two more cybersecurity bills, HR 2906 and HR 3834
(both bills authorize cybersecurity research), scheduled for floor action
today. They are both rather innocuous and will certainly pass today. They have
a relatively good chance of passing in the Senate so people can say that they
have passed cybersecurity legislation.
The House has one more gutted cybersecurity bill that it is
prepared to bring to the floor: HR 3674, the PRECISE Act.
It will be interesting to see if that
measure actually makes it to consideration in its present form.