Thursday, February 6, 2014

House Committee Amends and Adopts HR 3696 – Cybersecurity

Yesterday the House Homeland Security Committee conducted a markup hearing for HR 3696, the National Cybersecurity and Critical Infrastructure Protection Act of 2013. An amendment in the form of a substitute was offered by Chairman McCaul (R,TX) and fourteen other amendments were offered by other committee members. The revised language and twelve of the amendments were adopted by voice votes. The two remaining amendments were withdrawn.

Major Changes

Most of the major changes made to the bill by yesterday’s committee action were structural rather than policy changes. The original §106 (Assessment of Cybersecurity Workforce) was removed when similar provisions were added in the new §301. The language in that section (Homeland Security Cybersecurity Boots-on-the-Ground Act) comes from the bill already reported by the Committee as HR 3107.

Section 107 was also moved to the new TITLE III (Homeland Security Cybersecurity Workforce) as §302 and §108 was renumbered §106.

A new §205 (Prohibition on Collection Activities to Track Individuals’ Personally Identifiable Information.) was added by the substitute language. Two other new sections were added (National Research Council Study on the Resilience and Reliability of the Nation’s Power Grid; and Cybersecurity Scholars) in the amendment process.

Definition Changes

The bill revises the Definitions section of the Homeland Security Act of 2002 (6 USC 101) and yesterday’s actions modified some of those changes. Three of the originally proposed definitions were removed:

• The term ‘cybersecurity provider’
• The term ‘cybersecurity system’
• The term ‘protected private entity’

One new definition was added:

The term ‘cybersecurity mission’ means activities that encompass the full range of threat reduction, vulnerability reduction, deterrence, incident response, resiliency, and recovery activities to foster the security and stability of cyberspace.

And one definition was revised:

The term ‘private entity’ means any individual or any private or publically-traded company, public or private utility (including a utility that is a unit of a State or local government, or a political subdivision of a State government) [added], organization, or corporation, including an officer, employee, or agent thereof.

None of these changes really mean much to anyone beyond litigators.

Cybersecurity Framework

As I mentioned in the initial blog post about this bill, §201 essentially codifies the cybersecurity framework portion of the President’s cybersecurity executive order (EO 13636). The substitute language made some interesting changes to §201. The new language now amends the Homeland Security Act of 2002 by adding §230 instead of §230B; that is an administrative change only.

The language that essentially authorizes the cybersecurity framework, however, was removed from the proposed §230 while remaining in §201 of the bill. The best I can assume is that this makes some obscure change in the legal status of the provisions of §201(a).

The revised language also adds a new sub-paragraph to §201(a):

“(a)(2) LIMITATION.—Information shared with or provided to the Director of the National Institute of Standards and Technology or the Secretary of Homeland Security for the purpose of the activities under paragraph (1) may not be used by any Federal, State, or local government department or agency to regulate the activity of any private entity.”

This is just another example of where this bill goes out of its way to make sure that the cybersecurity provisions it establishes are completely voluntary in nature.

Inconsequential Changes

The remaining changes to the bill are essentially inconsequential wording changes, some of which are made for purely political reasons.

A good example of an inconsequential change is the wholesale language substitution in Title I, where the phrase “such a system or network” replaces the phrase “an information system or network of information systems” wherever the latter appears a second time in a sentence. This makes the wording read better, but it does not alter the intent of the bill.

Moving Forward

This bill is certainly high on Chairman McCaul’s priority list and the broad support that it has within the Committee certainly indicates that it would have the votes necessary to pass on the floor of the House and the Senate. I expect that we will see the bill on the floor of the House within weeks instead of months. Then the question will be whether or not Sen. Reid (D,NV) will continue to ignore House cybersecurity bills while waiting on the Senate to come up with acceptable language for a comprehensive cybersecurity bill.

Since this bill does not address information breaches in the private sector, I have a feeling that the current pressure for a private sector breach notification bill will hold up Senate consideration of this bill. And that is a shame. This bill may not have any strong cybersecurity mandates, but it is the most comprehensive cybersecurity bill currently before Congress.
