Tuesday, November 3, 2015

HR 3878 Introduced – Port Cybersecurity

Yesterday Rep. Torres (D,CA) introduced HR 3878, the Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2015. The bill would require DHS to undertake a number of activities to increase the cybersecurity of port operations in the United States.

Information Sharing

The bill contains three separate cybersecurity information sharing provisions targeted at different levels of operations. The first is a directive to the Secretary to “enhance participation by the Maritime Information Sharing and Analysis Center (an independent, nonprofit entity sponsored and managed by the Maritime Security Council [link added]) in the National Cybersecurity and Communications Integration Center” {§2(1)}. The second would require the National Maritime Security Advisory Committee to “report and make recommendations to the Secretary on matters relating to methods to enhance cybersecurity situational awareness and information sharing between and with maritime security stakeholders” {§2(2)}. Finally, the bill would require each Captain of the Port to establish a working group within the local Area Maritime Security Advisory Committee to “facilitate the sharing of information about and development of plans to address port-specific cybersecurity vulnerabilities” {§3}.

Security Plans

Section 4 of the bill would require that all area and facility security plans approved after the enactment of this bill “address cyber threats and vulnerabilities and include mitigation measures to prevent, manage, and respond to such threats and vulnerabilities”.

Moving Forward

Torres is a junior Democrat on the Border and Maritime Security Subcommittee of the House Homeland Security Committee. Normally this would not be expected to be a position of much influence in the Committee. In any case, the bill is already scheduled for a markup before the full Committee tomorrow, so it is obvious that this bill has the attention of the Committee leadership.

The bill was also assigned to the Transportation and Infrastructure Committee so we will have to wait and see if the two Committee Chairs can work out a way for it to move to the floor of the House.

If the bill does make it to the floor it is unlikely to attract any serious opposition from industry. The bill would probably be considered under suspension of the rules with minimal debate and no amendments.

Commentary

The information sharing provisions of this bill are largely symbolic as there are no specific requirements for private sector facilities to report cybersecurity incidents. Additionally, any intelligence reports produced from such incidents would almost certainly be classified (that is the nature of intelligence agencies) and there are no provisions in the bill to provide classified information access to facility security managers.

I am very pleased that the bill tries to address the need for cybersecurity to be addressed in area security plans and facility security plans under the MTSA. Unfortunately the wording in the bill is weak since it does not actually amend the underlying statute or require a change to the regulations. Amendments should have been made to 46 USC 70103(b) and §70103(c) requiring security plans to address cybersecurity issues. That way appropriate changes could be made to 33 CFR 103.505 and §105.405.


I was disappointed to see that the cybersecurity provisions for security plans only applied to new security plans. I suspect that the intent was also to include the periodic (every 5 years) revisions of the security plans. Even so this could leave an area or facility without cybersecurity coverage for almost five years. Again, if changes had been made to §70103, then a reasonable effective date could have been provided in the regulatory change.
