Yesterday the House passed HR 3359,
the Cybersecurity and Infrastructure Security Agency Act of 2017, by a voice
vote. The bill is Rep. McCaul’s (R,TX) long-awaited reorganization of the
DHS National Protection and Programs Division (NPPD).
Commentary
This bill is really nothing more than an exercise in bureaucratic
shuffling. The existing NPPD is now called CISA, an Under Secretary will be
known as the Director, and a number of sections in 6 USC are being renumbered.
The most important part of the bill is found in section 4: nothing
in the bill confers new authorities or reduces the authorities existing
the day before this bill is enacted.
There is one subtle change made by this bill in the new
definitions section 2201. There are two cybersecurity-related definitions in
this new section, both taken from existing statutes. The bill uses the
IT-limited definition of ‘cybersecurity risk’ from the current 6 USC 148
(moving to §2209) and the ICS-inclusive definition of ‘cybersecurity threat’
from 6 USC 1501. The definitional disconnect between these two very similar (and
closely intertwined) terms could cause some interesting confusion about the
authority of this ‘new’ agency to address control system security issues.
Moving Forward
The bill moves forward to the Senate where it will pass with
similar bipartisan support if it reaches the floor for consideration. The big
question is whether or not the bill will have the leadership support necessary
to bring it to the floor for consideration. At this point, I am not sure that
it does.