Earlier this month Sen. Daines (R,MT) introduced S 278, the
Support for Rapid Innovation Act of 2017. The bill would require
the DHS Science and Technology Directorate to support the research,
development, testing, evaluation, and transition of cybersecurity technologies.
Cybersecurity Research
The bill would add a new §312, Cybersecurity Research and Development, to
Title III of the Homeland Security Act of 2002 (6 USC 181 et seq). The new
section outlines a number of areas of cybersecurity research, including {§321(b)}:
• Advancing the development and
accelerating the deployment of more secure information systems;
• Improving and creating
technologies for detecting and preventing attacks or intrusions;
• Improving and creating mitigation
and recovery methodologies;
• Assisting the development and
supporting infrastructure and tools to support cybersecurity research and
development efforts;
• Assisting the development and
support of technologies to reduce vulnerabilities in industrial control
systems [emphasis added];
• Assisting the development and
support of cyber forensics and attack attribution capabilities;
• Assisting the development and
accelerating the deployment of full information lifecycle security technologies
to enhance protection, control, and privacy of information to detect and
prevent cybersecurity risks and incidents;
• Assisting the development and
accelerating the deployment of information security measures, in addition to
perimeter-based protections;
• Assisting the development and accelerating
the deployment of technologies to detect improper information access by
authorized users;
• Assisting the development and
accelerating the deployment of cryptographic technologies to protect information
at rest, in transit, and in use;
• Assisting the development and
accelerating the deployment of methods to promote greater software assurance;
• Assisting the development and
accelerating the deployment of tools to securely and automatically update
software and firmware; and
• Assisting in identifying and addressing unidentified
or future cybersecurity threats.
The bill also specifies that no additional funding is
provided to support these research efforts. It closes by noting that {§2(c)}: “Such
requirements shall be carried out using amounts otherwise authorized.”
Moving Forward
Daines is a member of the Senate Homeland Security and
Governmental Affairs Committee, the committee to which this bill was assigned
for consideration. This means that there is at least the potential that the
Committee will consider this bill. If the bill were considered, it is likely that
it would be approved since there are no new regulations or spending authorized
by the bill. Similarly, if the bill were to make it to the floor of the Senate,
it would likely pass. It is too early to tell if there is the necessary
political will to advance this bill.
Back on January 10th the House passed HR 240 by a voice vote with limited
debate. HR 240 is a companion bill to S 278 according to the introductory
speech (pgs S 657-8) by Daines. There was no committee action on HR 240 in
the House Homeland Security Committee.
Commentary
It is a good thing that industrial control systems are
specifically mentioned in the bill since the bill relies on the IT-limited
definition of ‘information system’ both in the bill {new §312(e)(4)} and as a part
of the support for the definition of the term ‘incident’ {new §312(e)(4)}. That
information system definition is found in 44 USC 35002(8).
Given the funding limitation in this bill and the long list
of cybersecurity research activities to be supported, it is extremely unlikely
that the bill will result in any new significant cybersecurity research
support. But passing the bill would make it look like Congress is doing
something; appearances are everything.