HR 3523 Rule

NOTE: Links added in first paragraph 4-26-12 05:51 EDT.

Last night (Wednesday) the House Rules Committee adopted therule for the consideration of HR 3523, the Cyber Intelligence Sharing and Protection Act (CISPA) on Thursday and Friday of this week. This will be a structured rule providing for limited debate (one hour on the bill and 10 minutes for each amendment) and allows for consideration of 16 specificamendments.

The vast majority of the amendments that will be considered on the floor of the House will deal with privacy issues; nothing surprising there.

Still No Mention of Control System Security

None of the amendments addresses control system security. There is one amendment that could be construed (with some imagination) to kind of possibly extend some of the definitions of covered ‘systems or networks’ so that an aggressive regulation writer might be able to use to justify trying to expand this bill to include control systems (did I get enough waffle words in there?). Rep. Turner’s (R,NY) amendment (#14) would add ‘deny access to’ in various definition phrases {§1104(h)}; “efforts to degrade, disrupt, or destroy such system or network”.  A denial of service attack on a control system might then be covered. The other components of that definition would not really apply to a control system attack since that attack only uses a control system network to attack the controlled physical system.

No Requirement for Feds to Share

As I noted in an earlier blog posting about this bill, there are not any provisions in the current version of the bill that would direct or require DHS or the intelligence community to share threat information with the private sector. Rep. Richardson (D,CA) has offered an amendment that almost comes close to allowing federal agencies to share information with the private sector. Her amendment (#10) would make clear that nothing in the bill would “prohibit a department or agency of the Federal Government from providing cyber threat information to owners and operators of critical infrastructure” {§1104(g)(3)}. That’s a long way from requiring such sharing.

No Requirement for Private Sector to Participate

There was never a requirement for any private entity to participate in any sharing activity under this bill. Just in case this wasn’t clearly understood, Rep. Woodal (R,GA) has proposed an amendment (#12) that specifically states that there is no liability “for choosing not to engage in the voluntary activities authorized under this section” {§1104(g)(3)}. Some people just need to ensure that voluntary means uh voluntary.