Last Thursday the House Space, Science and Technology
Committee amended HR 756, the Cybersecurity Enhancement Act of 2013, and ordered
it reported favorably. All of the actions were approved by voice votes, a usually
reliable sign of bipartisan support. Eight amendments were offered, one was
withdrawn and the remainder were adopted.
Bill Does Include Control System Language
In an earlier
blog post I stated that this bill did not contain any language specifically
addressing control system issues. That was wrong. Somehow I missed a single
sentence in §110 that would add paragraph (e)(4) to 15
USC 278g-3. This would add research “associated with improving security of
industrial control systems” to research to be conducted by NIST “to determine the
nature and extent of information security vulnerabilities and techniques for
providing cost-effective information security” {15 USC 278g-3(d)(3)}.
This requirement is shoe-horned into a position that it is
not really suited to (ICS research in a section devoted to IT research), but
that came about because there is no place in the existing law that addresses
control system security. It’s not much for control systems, but it is
something. Too bad there was not money authorized for the research.
Increased Funding
One of the eight amendments came from Chairman Smith (R,TX)
and it would increase the funding authorized for the various research programs
identified in §105 of the bill. Having increased the authorization, however, §206
of the amendment states:
“No additional funds are authorized
to carry out this Act, and the amendments made by this Act. This Act, and the
amendments made by this Act, shall be carried out using amounts otherwise
authorized or appropriated.”
So the NIST Director gets to make the hard political
decision as to what programs get cut to pay for these programs. That is a job
that more properly belongs to Congress.
Science of Cybersecurity
Rep. Wilson (D,FL) proposed an amendment (that was accepted by
a voice vote) that would add §111, Research on the Science of Cybersecurity.
This would be research that leads to the development “of a scientific
foundation for the field of cybersecurity, including research that increases
understanding of the underlying principles of securing complex networked
systems, enables repeatable experimentation and creates quantifiable security
metrics”.
This is important sounding research, but once again, no new
money has been made available to fund the research and, in this case, no
specific funding was authorized for the directed research. No money means no
research.
Moving Forward
This is a bipartisan bill; it spends no money and looks like
it accomplishes something. It is a sure bet to pass floor votes in both the
House and Senate, IF (that’s a big ‘if’; sorry I couldn’t help myself) it gets
to the floor. This bill (HR 2906) passed
in the House last session but was never considered in the Senate. That was
because the Senate leadership wanted a comprehensive bill and thought piecemeal
bills would prevent the consideration of the big bill. With the cybersecurity
EO in place that pressure is greatly relieved, so this bill may make it
eventually to the President’s desk.