Tuesday, October 6, 2015

Homeland Security Committee Marks-Up Multiple Bills

Last Wednesday the House Homeland Security Committee held a markup hearing that dealt with a large number of bills. As I mentioned in an earlier post, some of those bills will be of specific interest to readers of this blog. Those include:

HR 3350, the Know the CBRN Terrorism Threats to Transportation Act;
HR 3490, the Strengthening State and Local Cyber Crime Fighting Act;
HR 3503, the Department of Homeland Security Support to Fusion Centers Act of 2015;
HR 3510, the Department of Homeland Security Cybersecurity Strategy Act of 2015;
HR 3573, the DHS Science and Technology Reform and Improvement Act of 2015;
HR 3583, the Promoting Resilience and Efficiency in Preparing for Attacks and Responding to Emergencies (PREPARE) Act;
HR 3586, the Border and Maritime Coordination Improvement Act; and
HR 3584, the Transportation Security Administration Reform and Improvement Act of 2015.

HR 3350 was adopted without amendments on a voice vote.

HR 3490

HR 3490 was amended and adopted by a voice vote. Rep. Ratcliffe (R,TX) proposed substitute language reflecting the changes made to the bill in a Subcommittee markup, which was adopted by a voice vote. Two amendments were offered by Rep. Jackson-Lee (D,TX). The first dealt with chain-of-custody training. The second reaffirmed the supremacy of the Fourth and Fifth Amendments with respect to the provisions of this bill. Both amendments were adopted by voice vote.

HR 3503

HR 3503 was amended and adopted by a voice vote. Two amendments were introduced by Rep. Loudermilk (R,GA). The first dealt with a requirement for DHS to conduct an assessment for accessibility and interoperability of the information systems used to share homeland security information between the Department and fusion centers. The second required DHS to enter into a memorandum of understanding about what types of information fusion centers would share with DHS. Both amendments were adopted by voice vote.

HR 3510

HR 3510 was amended and adopted by a voice vote. Rep. Clawson (R,FL) introduced one amendment which dealt with privacy concerns. That amendment was adopted by a voice vote.

HR 3578

HR 3578 was amended and adopted by a voice vote. Eight amendments, including alternative language offered by Rep. Ratcliffe, were offered and all were adopted on voice votes. The alternative language made no substantive changes of particular interest to readers of this blog. Of the remaining seven amendments only one of specific.

That amendment, by Rep. Langevin (D,RI), modifies the new §322 that the bill adds to the Homeland Security Act of 2002. That section addresses cybersecurity R&D, and this amendment adds a new activity to be addressed by DHS S&T: “support, in coordination with the private sector, the review of source code that underpins critical infrastructure information systems” {new §322(b)(4)}.

HR 3583

This bill was amended and adopted by a voice vote. Of the seven amendments offered and adopted only one would be of specific interest to readers of this blog. It was offered by Rep. Payne (D,NJ), the Ranking Member of the Committee.

The amendment modifies 6 USC 321e(c)(1), adding a new duty to the job of the Department Chief Medical Officer. The new requirement specifically calls for the provision of advice on “how to prepare for, protect against, respond to, recover from, and mitigate against the medical effects of terrorist attacks or other high consequent events utilizing chemical, biological, radiological, or nuclear agents or explosives”. This wording still limits that advice to ‘chemical agents’, so it would not include advice on response to industrial chemical incidents unless they were used as part of a terrorist attack.

HR 3586

The bill was amended and adopted by a voice vote. Rep. Miller (R,MI) offered an amendment in the form of a substitute. That substitute language softened much of the language in the bill but did not make any substantive changes of particular interest to readers of this blog. None of the other ten amendments that were adopted on this bill were of specific interest to readers of this blog.

HR 3584

This bill was amended and adopted by a voice vote. None of the eight amendments adopted on this bill substantially affected areas of specific interest to readers of this blog.

Moving Forward

All of these bills are apparently on Chairman McCaul’s (R,TX) agenda for moving to the floor of the House. I expect that there is a good chance that they will all make it to the floor prior to the end of the year, and there is a chance that they will all arrive on the same day. With the broad bipartisan support seen in Committee, I expect that they will all be considered under suspension of the rules with limited debate and no floor amendments. All of these bills should pass with substantial bipartisan support.

I do not see any of these bills as being a high priority for getting consideration in the Senate. Any of these bills could easily pass and none would have significant opposition; it is just a matter of legislative priorities about which of these might make it to the floor of the Senate.

Commentary

Not surprisingly, none of the suggestions that I have made here in this blog for improving any of these bills were included in the amendments that were adopted. Oh well, that is always the problem with being a voice crying in the wilderness; the few people that do hear you are not necessarily ones that can do anything about it.

There was that one odd amendment by Langevin on HR 3578 that kind of interests me. It does not cover control systems since this new section uses the definition of ‘information systems’ from 44 USC 3502 which interestingly only applies to Federal IT systems.

I’m not sure what Langevin was trying to accomplish with this ‘review of source code’. Okay, I suppose that I could guess that he wants someone to check these IT programs for bugs, but reviewing the source code is probably not the most effective method of doing that. And the terminology ‘that underpins critical infrastructure information systems’ was obviously not written by a programmer. Now the vendor should already be conducting a source code review prior to publishing the software, so I am not sure what Langevin is expecting this to accomplish.

The really interesting thing about this amendment is not actually what it does or tries to do, but the fact that it is part of a new trend in legislation over the last month or so where bits of cybersecurity language are being added to bills that are not overtly cybersecurity bills. In many ways this is probably a more practical way to get cybersecurity provisions passed. Large, all-encompassing bills are always going to draw somebody’s ire and we will see few of them actually become law. Small targeted provisions (even if poorly written like this one) in a bill that is not going to draw substantial opposition are much more likely to get passed.

The problem is, of course, how do you keep the ineffective or even offensive small cybersecurity provisions out of otherwise good legislation? Amendments like Langevin’s are not posted in advance for public review and I doubt anyone on the Committee (members or staff) is tech savvy enough to understand how ineffective this provision actually is. And once an amendment is adopted in full committee it is unlikely to get removed in the remaining portions of the legislative process.

Small cybersecurity provisions that are written into original legislation are likely to be seen by reviewers like me, but will generally be overlooked by most people. This means that only the most objectionable are likely to draw the kind of opposition that will have them removed from the bill or modified to make them more workable.


This new approach of adding small, limited cybersecurity provisions to other types of legislation is going to start to make things interesting in the legislative process.
