Earlier this week I noted that the Intelligence Committee report on HR 3523 had
been filed and that it was available for action before the full House. On
Friday both the House Rules Committee and the Majority Leader’s web sites
noted that HR 3523 will probably be considered by the House starting on
Thursday under a rule. The rule hearing has yet to be scheduled, but will
probably be held on Tuesday night.
The House Rules Committee site
provides a link to a House Rules Committee Print of HR 3523. The site notes
that:
“Rules Committee Print 112-20,
showing the text of the bill as reported with additional changes recommended by
the Chair and Ranking Minority Member of the Permanent Select Committee on
Intelligence”
Since the markup hearing for the bill was not webcast and
the Intelligence Committee did not provide any details on the web site about
the amendments that were adopted in the hearing, we had been waiting on the
Committee report to see what language would be considered by the House. Now we
need to look at the version further amended by the two leaders of the Committee
(more appropriately by the Committee Staff with the approval of the two
leaders). I’ll try to do both here.
Committee Intent
One of the important purposes of a committee report is that
it gives Congress a chance to provide written evidence of its intent
in writing the law. Appellate Courts frequently use Congressional intent in
deciding what laws actually mean or were intended to mean.
In this case the Intelligence Committee report provides a
pretty succinct summary of why this bill was developed:
“The Committee determined that
these issues are best resolved in the first instance by providing clear,
positive authority to permit the monitoring—by the private sector—of
privately-owned and operated networks and systems for the purpose of detecting
cybersecurity threats and to permit the voluntary sharing of information about
those threats and vulnerabilities with others, including entities within the
private sector and with the federal government.”
Now there are certainly those who object to the phrase ‘positive
authority to permit monitoring’, even if it is being given to the private
sector rather than the government. That sums up the opposition that this bill
faces and may end up killing the bill when it gets to the Senate. But that has
little to do with control system security.
This is another bill that never specifically mentions
control systems. The closest that the committee report comes to addressing
control systems issues (and it’s not very close at all) is when it talks about
protecting R&D:
“The Committee believes that
immediate and serious action is necessary to staunch the bleeding of American
corporate research and development information and to better protect our
national security.”
Not much to pin our hopes on for sharing information about
control system threats, but it’s the best we have.
Changes to the Bill
Looking at the original bill, the revised text in the Committee
Report, and the House Rules Committee Print there have been a number of changes
made to this bill. Interestingly most of them have been made in the latest
version as Rogers (R,MI) and Ruppersberger (D,MD) try to craft a version of HR
3523 that will mitigate the privacy and access controversy that could kill the
bill.
One small, but important, change is the addition of two
words early in the bill. In the §1104(a) that is being added to the National
Security Act of 1947, the words “and utilities” were added in the general heading section,
leaving it to read:
“The Director of National Intelligence
shall establish procedures to allow elements of the intelligence community to
share cyber threat intelligence with private-sector entities and utilities [emphasis added] and to
encourage the sharing of such intelligence.” {§1104(a)(1)}
Similar supporting changes are made throughout the newest
version of the bill. All of these changes were made in the Rules Committee
version. They allow the bill’s provisions to cover some utilities that are
neither truly private sector nor purely government agencies.
Most of the changes made to the bill are designed to restrict
sharing of information to some extent. They were obviously added to respond to
a number of criticisms that have been making the rounds of the social
networking sites. The changes include the addition of:
§1104(a)(5) – Restriction on Disclosure of Cyber Threat Intelligence.
§1104(b)(2) – Sharing with the Federal Government.
§1104(c) – Federal Government Use of Information.
§1104(d) – Federal Government Liability for Violations of Restrictions on the Disclosure, Use, and Protection of Voluntarily Shared Information.
§1104(g)(2) – Limitation on Military and Intelligence Community Involvement in Private and Public Sector Cybersecurity Efforts.
§1104(g)(3) – Information Sharing Relationships.
NOTE: All of the above changes only showed up in the Rules
Committee Print.
Unfortunately for the audience of this blog none of the
changes is worded in a manner that would ensure that the information sharing
requirements (and that is a loosely used word with respect to this bill) would
apply to control system threat information. Of course, neither is there any
indication that the US intelligence apparatus has the knowledge base to develop
control system threat intelligence.