Last month Rep. Clarke (D,NY) and Rep. Lungren (R,CA)
introduced HR 6221, the Identifying
Cybersecurity Risks to Critical Infrastructure Act of 2012. It’s
interesting that Ms. Clarke, Ranking Member of the House Homeland Security
Committee’s Subcommittee on Cybersecurity, Infrastructure Protection, and
Security Technologies, and the Subcommittee Chair are the sponsors of this bill,
since he voted against similarly worded amendments that she has offered on each of the
cybersecurity bills that were reported by the Subcommittee. The bill would add
a new section to the Homeland Security Act of 2002 (6 USC 141): § 226
Identification of Sector Specific Cybersecurity Risks.
Identification of Cybersecurity Risks
The bill would require the Secretary of DHS to “research,
identify, and evaluate cybersecurity risks to critical infrastructure” {§226(a)}
on a continuous and sector-by-sector basis. The Secretary would coordinate with
sector specific agencies, owners and operators and any “private sector entity
engaged in ensuring the security or resilience of critical infrastructure” {§226(a)(3)}.
The Secretary would take into account the following factors
when identifying cybersecurity risks {§226(b)}:
• The actual or assessed threat,
including a consideration of adversary capabilities and intent, preparedness,
target attractiveness, and deterrence capabilities.
• The extent and likelihood of
death, injury, or serious adverse effects to human health and safety caused by
a disruption, destruction, or unauthorized use of critical infrastructure.
• The threat to national security
caused by the disruption, destruction, or unauthorized use of critical
infrastructure.
• The harm to the economy that
would result from the disruption, destruction, or unauthorized use of critical
infrastructure.
• Other risk-based security factors
that the Secretary determines appropriate to protect public health and safety,
critical infrastructure, or national and economic security.
Communication of Cybersecurity Risks
The Secretary would be required {§226(c)} to share
information about the identified risks with owners and operators. If the risk
information is classified, the Secretary would be restricted to sharing it with
owners and operators that “possess the appropriate security clearances”.
As is expected in this type of bill, the Secretary would also
have to provide Congress with periodic reports on the identified “cybersecurity
risks to critical infrastructure researched, identified, and evaluated” {§226(d)}.
Application of Requirements
The definition of ‘critical infrastructure’ that is central
to this bill is taken from 42
USC 5195c(e):
“In this section, the term
‘‘critical infrastructure’’ means systems and assets, whether physical or
virtual, so vital to the United States that the incapacity or destruction of
such systems and assets would have a debilitating impact on security, national
economic security, national public health or safety, or any combination of those
matters.”
This is a very expansive definition of critical
infrastructure. The term ‘debilitating impact’ is the key part of that
definition and it is not clear what it means. This gives the Secretary wide
latitude in deciding what types of facilities to cover with the cybersecurity
risk evaluations.
No Funding
The bill does not provide for the establishment of a new office
in DHS (presumably within NPPD) that would be responsible for the conduct of
the necessary research, identification and evaluation of cybersecurity risks.
More importantly, it doesn’t provide for any new money for the Department to use
in the execution of these requirements. In other words, everything necessary to
accomplish the requirements of the bill will have to come out of existing
Department operations.
Moving Forward
This is a fairly innocuous bill with no new requirements
laid upon the private sector. Being introduced by the Ranking Member and the
Chair of the Subcommittee with jurisdiction for cybersecurity matters, it would
normally be expected to have the bipartisan support necessary for early consideration
and passage. This late in the session in an election year, however, it is
unlikely that this bill will wend its way through the approval process,
especially since the Subcommittee did not hold any hearings on the bill before
the summer recess.
1 comment:
Cyber security protects your personal information by responding, detecting and preventing the attacks. Thanks a lot...