Last week Rep. Taylor (R,VA) introduced H Res 200. This resolution calls for the establishment of a comprehensive cybersecurity policy.
The preamble to this resolution establishes the reasons that a cybersecurity policy is needed. It specifically mentions the large number of mega-data breaches that have recently occurred, including specifically the OMB breach. While no specific mention of control system security is made it does note that “malicious cyber activity has the potential to cause great harm to the national security, economy, and infrastructure of the United States and the health, well-being, and safety of United States citizens”. The inclusion of ‘infrastructure’ as one of the areas that could potentially be harmed certainly seems to indicate that cyber-physical vulnerabilities are considered to be a potential threat.
It concludes by resolving that:
“That it is the sense of the House of Representatives that the United States should develop and adopt a comprehensive cybersecurity policy that clearly defines acts of aggression, acts of war, and other related events in cyberspace, including any commensurate responses to any such act or event in cyberspace.”
Taylor is not a member (nor is his cosponsor Rep. Ruppersberger (D,MD) of the House Foreign Affairs Committee to which this resolution was referred for consideration. This means that it is unlikely that the Committee will take up the resolution.
There is nothing in the resolution that would engender any significant opposition to the bill if it were considered in Committee or brought to the floor of the House.
The failure to specifically mention cyber-physical vulnerabilities in the preamble to the resolution weakens the argument to support the call for a policy that addresses cyber activities that might constitute an act of war. Mention should have been made specifically to the 2015 attack on Georgian electrical utilities as an example of the types of cyber-physical attacks that have been seen in the real world.