As I noted last week Rep. Blackburn (R,TN) introduced HR 1468, the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2013 (SECURE IT). This is very similar to HR 4263 and S 2151 that were introduced in the 112th Congress.
Changes
This latest version of SECURE IT has been substantially
revised from both of the earlier versions. The bill remains essentially a
Federal IT security bill with a few odd provisions that will affect the private
sector and control systems.
The gross changes from the previous House bill include the following additions:
§ 104. Construction.
§ 205. Clarification of authorities.
§ 307. No new funding.
TITLE V—Data Security and Breach Notification
The addition of Title V significantly broadens the effect of the bill in that it provides notification requirements for breaches of computer systems that result in the compromise of personally identifiable information from computers in both the government and private sectors.
The following sections from the earlier House bill were not included:
§ 404. Cloud computing services for research.
§ 405. Cybersecurity university-industry task force.
§ 410. Cybersecurity strategic research and development plan.
§ 414. Cybersecurity automation and checklists for Government systems.
§ 415. National Institute of Standards and Technology cybersecurity research and development.
Removing that last section had an impact on control system
security in that §415(e)(4) had directed NIST to “carry out research associated
with improving security of industrial control systems”.
Important ICS Provision Remains
The most important provision (from an ICS security viewpoint) from HR 4263 still remains virtually unchanged: § 305, Damage to Critical Infrastructure Computers.
This would amend 18 USC Chapter 47 by adding “§ 1030A. Aggravated damage to a critical infrastructure computer”. This section would make it a federal crime to knowingly cause or attempt to cause damage to a critical infrastructure computer if it results in substantial impairment of either the computer or “the critical infrastructure associated with the computer”. Violations would be punishable by fines and/or imprisonment for 3 to 20 years.
Moving Forward
This bill went nowhere in either the House or Senate last session. If it had been introduced earlier it might possibly have been considered by the House yesterday, but it faces an uphill battle: it impacts a number of different areas, so a number of different committees (six) would have to consider it.