Okay, I couldn’t help myself. I have gone back and looked at
the amendments to S 754 to date and I have pieced together the following
analysis.
Boxer Amendment
The Senate is currently dealing with what many are referring
to as the ‘Boxer Amendment’. This is actually Senate Amendment # 2716 submitted
by Sen. Burr (R.NC) and Sen. Boxer (D,CA) (Chair and Ranking Member of the
Senate Intelligence Committee). It is substitute language for S 754 that takes
the least controversial of the 21 amendments that the Senate agreed
to consider last July and rolls them into S 754, along with some other
changes that have bipartisan support in Committee.
There is only one section of this substitute language that
specifically applies to control system security issues (kind of); §407. Strategy to protect
critical infrastructure at greatest risk. This section requires the DHS
Secretary to “identify critical infrastructure entities where a cybersecurity incident
could reasonably result in catastrophic regional or national effects on public
health or safety, economic security, or national security” {§407(b)}. It would then
require a report to Congress “describing the extent to which each covered
entity reports significant intrusions of information systems essential to the
operation of critical infrastructure” {§407(c)} to either DHS or a regulating
agency.
Additionally, DHS would be required to “conduct an assessment
and develop a strategy that addresses each of the covered entities, to ensure
that, to the greatest extent feasible, a cyber security incident affecting such
entity would no longer reasonably result in catastrophic regional or national effects
on public health or safety, economic security, or national security” {§407(d)(1)}.
Unreasonably short timelines are required for all of the
required reports to Congress.
Other Control System
Security Amendments
In my July blog post I mentioned that the only one of the 21
amendments agreed to be considered specifically (okay almost specifically)
addressed control system security issues was Whitehouse 2626. Since the Senate
has taken up consideration of the bill this week only one more amendment has
been proposed that address (again, almost specifically) control system security
issues and that is Whitehouse
2713.
It would add a new section to 18 USC, the US criminal
statutes (§1030A. Aggravated damage to a critical infrastructure computer).
This is virtually the same section that was proposed in # 2713 and my comments
in the earlier blog post certainly apply here. The implementation of its intent
seems to me (again I am not a lawyer) to be fatally flawed by its reliance on the
definition of ‘protected computer’ in the existing §1030(e)(2).
Interestingly, the Friday
Daily Digest of the Congressional record lists a ‘Modified Amendment No.
2626’as one of the pending amendments being considered by the Senate. I suspect
that the modification is making it amendment to Amendment 2716 instead of S
754. Unfortunately, neither amendment was included in the unanimous consent
agreement list of those that will be considered today before a vote on S 2716.
Moving Forward
There is one more cloture vote possible today on the full
bill. If that passes (and all cloture votes to date have) then there will be a
final vote on the bill today.
The question then arises if the Senate will just send S 754
to the House or if it will substitute the language from S 754 for HR
1560, the House passed information sharing bill. The later would then
almost certainly see a Conference Committee ironing out the differences between
the two bills. Just sending S 754 to the House would probably result in the
House amending that bill and prolonging the ultimate passage. Either way it is
beginning to look like we are going to see an information sharing bill on the
President’s desk during this session of Congress (which remember does not end
until December of next year.
Posts
No comments:
Post a Comment