As I noted in an earlier blog, Rep. Honda (D,CA) introduced HR 2556, the Excellence in Cybersecurity Act. The bill directs the Director of the National Institute of Standards and Technology (NIST) to establish five separate centers of cybersecurity excellence providing support and guidance to specific industries in preventing cyber-crime.
Findings
Section 2 of the bill establishes that ‘cyber-crime’ is a trillion dollar global problem. It also notes that many in industry do not know who is responsible for combatting cyber-crime or how to best go about countering the problem. It goes on to declaim that ‘experts’ have established four key responses to prevent cyber-crime {§2(6)(d)}:
• Understanding the changes to and best practices for the current threat environment;
• Developing strategy and execution of a cybersecurity program;
• Identifying key assets in need of protection; and
• Developing relationships with similar organizations to develop protection within the industry ecosystem.
Vertical Centers of Excellence on Cybersecurity
Section 3 of the bill requires the establishment of five Vertical Centers of Excellence on Cybersecurity. In particular, the NIST Director is required to select {§3(c)} for each Center:
• A particular industry that faces cybersecurity challenges to be the focus of the work of that Center;
• A manager to be responsible for the administrative functions of that Center; and
• The location of that Center.
The locations will be selected with an eye toward {§3(d)}:
• The proximity to the geographical location of a number of businesses operating in the industry selected;
• The accessibility to the experts selected to serve that center; and
• The capacity of the facilities at the Center to convene, and promote collaboration among, experts and individuals in that industry.
Section 4 of the bill sets forth the duties of the experts selected by the NIST Director and each Center Manager to staff the Centers. Those duties will include {§4(b)}:
• Identifying and analyzing existing and future cybersecurity challenges faced by the industry selected;
• Creating solutions to those cybersecurity challenges that are cost-effective, repeatable, and scalable;
• Collaborating, convening discussions, and sharing knowledge with individuals in that industry to accomplish the work of the Center; and
• Creating educational programs to promote best practices in cybersecurity for such individuals.
Those duties will support the requirements set forth in §4(c) that each Center must meet. Those requirements include:
• Working within the Cybersecurity Framework created pursuant to section 7 of Executive Order 13636;
• Collaborating with each of the other Centers to share relevant information;
• Encouraging the development of relationships among individuals in the industry selected; and
• Sharing the best practices and lessons learned from the work of the Center.
The NIST Director, in consultation with the industry participants at each Center, “shall establish procedures to ensure the confidentiality of the information handled by the Centers” {§4(d)}. The bill does specifically exempt the Centers from the requirements set forth in 5 USC 552(b). There does seem to be some confusion here, because that paragraph provides for the various exemptions from disclosure under the Freedom of Information Act. Exempting the Centers from such exemptions would require them to disclose such things as classified information, personal information and trade secrets (amongst others). This should probably read 5 USC 552(a).
Section 8 of the bill provides authorization for appropriating $25 million per year for the period of 2014 through 2019. The monies would be evenly split between each of the Centers. There is no indication of where those monies would come from.
Commentary
There is no mention in this bill of what types of cybersecurity are to be addressed. Surprisingly, there is not even a specific mention of information technology or information security to be found in the bill. As always I would be more assured that control systems were to be addressed if they were specifically mentioned, but the lack of any reference to information security would certainly allow coverage of control system security issues.
There is no guidance provided in this bill as to what industries, or even what types of industries, would be selected for coverage by these five Centers of Excellence. There is not even a requirement that they come from designated critical infrastructure. That particular lack of mention is important because it does not ensure that information shared with the Centers by industry would be covered by Protected Critical Infrastructure Information (PCII) rules. That is the apparent reason for the poorly worded paragraph on confidentiality.
I suspect that the lack of guidance on the selection of industries for support may have to do with potential political wrangling to get the bill passed. Rep. Honda may be intending to use this as part of the horse trading necessary to move the bill forward. I expect that Mr. Honda does intend for one of those Centers to be established in the Santa Clara Valley.
These Centers and their horizontal information sharing are going to run afoul of restraint-of-trade rules. This will be especially true if the Centers are not generous in their extension of membership. Any organization not asked to join a Center, or excluded from any of the Center’s deliberations, will have cause for civil suits under anti-trust rules. This very evident problem will do more to inhibit information sharing than any other. Specific anti-trust exemptions will have to be written into the bill if the Centers are to successfully encourage information sharing between organizations.
Since a major part of the program outlined in this bill involves information sharing, the bill will be subject to many of the complaints that other information sharing bills have faced. There are no provisions in the bill for protecting personal information during the information sharing process. There are no provisions against sharing the information with the military or intelligence community. There are no immunities provided for regulatory issues identified in the information sharing process.
Moving Forward
The general idea behind this bill is fairly innovative, but until some of the problems identified above are dealt with, this bill will have no chance of moving out of the Science, Space and Technology Committee. Only a significant committee re-write would allow this bill to make it to the floor of the House.