Monday, March 18, 2013

HR 756 Ordered Reported Favorably – Cybersecurity R&D

Last Thursday the House Space, Science and Technology Committee amended HR 756, the Cybersecurity Enhancement Act of 2013, and ordered it reported favorably. All of the actions were approved by voice votes, a usually reliable sign of bipartisan support. Eight amendments were offered; one was withdrawn and the remainder were adopted.

Bill Does Include Control System Language

In an earlier blog post I stated that this bill did not contain any language specifically addressing control system issues. That was wrong. Somehow I missed a single sentence in §110 that would add paragraph (e)(4) to 15 USC 278g-3. This would add research “associated with improving security of industrial control systems” to research to be conducted by NIST “to determine the nature and extent of information security vulnerabilities and techniques for providing cost-effective information security” {15 USC 278g-3(d)(3)}.

This requirement is shoehorned into a position that it is not really suited to (ICS research in a section devoted to IT research), but that came about because there is no place in the existing law that addresses control system security. It’s not much for control systems, but it is something. Too bad there was no money authorized for the research.

Increased Funding

One of the eight amendments came from Chairman Smith (R,TX) and it would increase the funding authorized for the various research programs identified in §105 of the bill. Having increased the authorization, however, §206 of the amendment states:

“No additional funds are authorized to carry out this Act, and the amendments made by this Act. This Act, and the amendments made by this Act, shall be carried out using amounts otherwise authorized or appropriated.”

So the NIST Director gets to make the hard political decision as to what programs get cut to pay for these programs. That is a job that more properly belongs to Congress.

Science of Cybersecurity

Rep. Wilson (D,FL) proposed an amendment (that was accepted by a voice vote) that would add §111, Research on the Science of Cybersecurity. This would be research that leads to the development “of a scientific foundation for the field of cybersecurity, including research that increases understanding of the underlying principles of securing complex networked systems, enables repeatable experimentation and creates quantifiable security metrics”.

This is important-sounding research, but once again, no new money has been made available to fund the research and, in this case, no specific funding was authorized for the directed research. No money means no research.

Moving Forward

This is a bipartisan bill; it spends no money and looks like it accomplishes something. It is a sure bet to pass floor votes in both the House and Senate, IF (that’s a big ‘if’; sorry I couldn’t help myself) it gets to the floor. This bill (HR 2906) passed in the House last session but was never considered in the Senate. That was because the Senate leadership wanted a comprehensive bill and thought piecemeal bills would prevent the consideration of the big bill. With the cybersecurity EO in place that pressure is greatly relieved, so this bill may eventually make it to the President’s desk.
