I noted last week Sen. McCain introduced S 3342 and without seeing the bill I expected that it was some sort of compromise between his earlier bill, S 2151, and the Senate bill that has been expected to move forward, S 2105. This weekend the GPO made S 2151 available on-line and it turns out that the new bill is more properly a tweaking of McCain’s earlier bill, falling well short of being a compromise measure.
Changes in the Bill
The new bill adds the following new sections:
§106. Inspector General review.
§205. Clarification of authorities.
§307. No new funding.
Only one section was removed; §408. Cybersecurity strategic research and development plan.
Additionally, a number of new definitions were added to §101. They include:
• Federal information system
• Information security
• Local government
• Significant cyber incident
Finally there were a number of wording changes that fine-tuned the privacy provisions and information sharing requirements of the bill. The details of those changes, and the added provisions, will probably only be of interest to lawyers and politicians.
There really are no significant changes in the bill and it still completely ignores the problem of cybersecurity of industrial control systems.
With both the Senate and the House being on their extended July 4th holiday next week nothing is going to get done any time soon on the cybersecurity legislative front. This bill is dead in the water as the only bill that has any chance of moving forward in the Senate (after inevitable changes) is S 2105. Even that bill has little chance of passing before the election due to privacy concerns and business opposition to new regulations; too many people on both sides of the aisle oppose the bill, so it is unlikely to come to a vote. In most cases this opposition is not just election year posturing so passage even in the lame duck session is unlikely.