Earlier this week the House Homeland Security Committee completed their markup of HR 3674, the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2011 (The PRECISE Act) and reported the amended bill favorably by a party-line vote of 16-13. The Lungren amendment in the nature of a substitute (ANS) that I reported on earlier this week was agreed to on a voice vote as were five amendments to that language.
The Missing Amendments
If one were to just look at the mark-up hearing page for this bill on the Homeland Security Committee web site one could be forgiven for thinking that there had been no disagreements in this markup. The only amendments that are listed on that page are those amendments that were adopted. Three of the approved amendments had Republican authors.
There were 15 other amendments that were dealt with at the hearing; one was withdrawn, one was ruled out of order and the other 13 were voted down along party lines. The sad part is that only one of those amendments, authored by Rep Jackson-Lee (D,TX) has been made publicly available on the Committee web site. For all of the remaining disapproved amendments we have only a brief, teasing summary of the purpose in the Summary of Committee Action.
Some of these amendments looked interesting. Ranking Member Thompson (D,MS) proposed to add a section requiring the identification of sector specific cybersecurity risks. After this was voted down by a party-line vote twice (I’m assuming that there was a minor variation in the language between the two versions) other Democrats on the Committee offered six similar amendments (oaky still an assumption on my part since I haven’t seen any of the actual proposed language) for identifying cybersecurity risks for six different critical infrastructure sectors; including:
• Transportation Systems Sector;
• Chemical Sector;
• Emergency Services Sector;
• Nuclear Reactors, Materials, and Waste Sector;
• Energy Sector; and
• Dams Sector
I suppose that it kind of made sense that these amendments were voted down. It would be hard to justify not requiring some sort of risk mitigation for the identified risks once they were identified. That just doesn’t fit with the requirement that any DHS directed efforts to actually prevent cybersecurity attacks can only be made at the request of the private sector entity who is then free to ignore any costly defense against the identified risk/attacks.
The failure to publish the defeated amendments is a very odd step for this Committee. They have had one of the better records for providing information to the public. It would be interesting to hear Chairman King explain why an exception to that policy was made for this bill.
Lungren Slips in a Ringer
I ran into an interesting thing when I was reviewing the details of the amendments that were offered to the Lungren ANS; the page and line numbers in the amendments did not match up with the page and line numbers in the copy of the ANS that I had downloaded from the Homeland Security Committee web site on April 16th; the version that I reported on in my earlier blog post.
There was one major change in the new version of the bill it removed §243, Cyber threat information sharing with the Federal Government. One other significant change was related to that deletion, the removal of the definition of ‘cybersecurity purpose’ from §249; a term used only in §243. The remaining changes were miscellaneous references to §243.
The removal of §243 guts the information sharing provisions of this bill. It removes the only mandate for the government to provide cyber-threat information to private sector owners of critical infrastructure in any of the bills currently under consideration in Congress. It also removes all protections of information that the private sector might provide to the DHS National Cybersecurity and Communications Integration Center (NCCIC).
With this change in place Subtitle E of this bill becomes a simple reauthorization of the NCCIC with the addition of a new Board of Advisors. It also removes any possibility of the bill being attacked by privacy and internet access activists. The bill gets much easier to pass in both the House and Senate, but doesn’t allow it to accomplish much.
The Approved Amendments
The first of two amendments by Rep. McCaul (R,TX) provides a more detailed description of the ‘cybersecurity operational activity’ authorized to be conducted by DHS. It also provides a definition for ‘countermeasure’ and outlines the Federal preemption status of this bill. All important details, but nothing of specific interest for the control system security community.
The second McCaul amendment does two interesting things at the same time. First it removes §6 which required the Secretary to prepare a report on cybersecurity training for fusion centers. Second it establishes the Cybersecurity Domestic Preparedness Consortium to develop and provide cybersecurity training for State and local first responders. Again a valuable idea, but it will have little or no effect on control system security.
Chairman King submitted an amendment that takes care of a simple housekeeping function, providing references to Title XI of National Security Act of 1947, as amended. This is one of those necessary functions that sometimes get lost in the legislation drafting process. Nothing to see here, keep moving.
Rep. Richmond (D,LA) proposed a very simple amendment it added a single word to the bill (one of my favorite words) ‘Chemical’. Passing this amendment will give the chemical sector a seat on the Board of Advisors of the NCCIC. Since I have been advocating this since the idea of the Board of Advisors was first introduced, I heartily endorse this amendment. Too bad the NCCIC can’t do anything.
Rep. Hahn (D,CA) managed to get a privacy related amendment added to the bill. It would require the DHS Privacy Officer to review the ‘cybersecurity policies, programs, and activities’ of the Department. It really isn’t that big a thing since that is already the job of the PO so this is a symbolic amendment; which is probably why it passed.