As I noted last week, Rep. Blackburn (R,TN) introduced HR 1468, the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2013 (SECURE IT). This is very similar to HR 4263 and S 2151, which were introduced in the 112th Congress.
This latest version of SECURE IT has been substantially revised from both of the earlier versions. The bill remains essentially a Federal IT security bill with a few odd provisions that will affect the private sector and control systems.
The major changes from the previous House bill include the following additions:
§ 104. Construction.
§ 205. Clarification of authorities.
§ 307. No new funding.
TITLE V—Data Security and Breach Notification
The Title V addition significantly broadens the effect of the bill: it establishes notification requirements for breaches of computer systems that result in the compromise of personally identifiable information, covering computers in both the government and private sectors.
The following sections from the earlier House bill were dropped:
§ 404. Cloud computing services for research.
§ 405. Cybersecurity university-industry task force.
§ 410. Cybersecurity strategic research and development plan.
§ 414. Cybersecurity automation and checklists for Government systems.
§ 415. National Institute of Standards and Technology cybersecurity research and development.
Removing that last section has an impact on control system security, since §415(e)(4) had directed NIST to “carry out research associated with improving security of industrial control systems”.
Important ICS Provision Remains
The most important provision (from an ICS security viewpoint) from HR 4263 remains virtually unchanged: § 305, Damage to Critical Infrastructure Computers. This would amend 18 USC Chapter 47 by adding “§ 1030A. Aggravated damage to a critical infrastructure computer”. This section would make it a federal crime to knowingly cause or attempt to cause damage to a critical infrastructure computer if it results in substantial impairment of either the computer or “the critical infrastructure associated with the computer”. Violations would be punishable by fines and/or imprisonment for 3 to 20 years.
This bill went nowhere in either the House or Senate last session. If it had been introduced earlier, it might possibly have been considered by the House yesterday, but it faces an uphill battle: because it touches so many different areas, six different committees would have to consider it.