As was expected, none of the amendments to Chairman Lungren’s (R,CA) substitute language made any specific mention of industrial control systems, but there were two amendments that might impact security programs for those systems. These amendments affect the sharing of cybersecurity information and provide for civil actions against anyone inappropriately disclosing cybersecurity information provided by the private sector.
Information Sharing
Rep. Long (R,MO) introduced an amendment (which was adopted by unanimous consent) that would extend the information sharing requirements for the Secretary of Homeland Security of §228(b) by adding, among others, “appropriate private sector entities that provide cybersecurity or information security products”. The wording ‘cybersecurity or [emphasis added] information security’ could certainly include control system security products. Of course, the weasel wording of ‘appropriate [emphasis added] private sector entities’ greatly weakens this requirement.
Civil Actions
Rep. Keating (D,MA) introduced an amendment (which was adopted by voice vote) that enhanced the §250 penalties for disclosure of information by government employees, contractors or members of the National Information Sharing Organization (NISO). The §250 language provided criminal penalties (fines, up to one year in jail, and removal from office). The new §251 makes such disclosure actionable in civil court, allowing for recovery of actual costs, profits of the discloser, punitive damages, and legal fees. The inclusion of profits of the discloser {§251(a)(1)} and punitive damages {§251(a)(2)} makes this a potentially very serious sanction against potential disclosures.
More Reports
A couple of the other amendments will increase the report workload on DHS without significant benefit to the cybersecurity community. A McCaul (R,TX) amendment requires a report on foreign entities that pose “the greatest cybersecurity threats to the critical infrastructure of the United States”. Another Long amendment would require an annual status report from the Board of NISO.