This evening the House Rules Committee held a hearing to
craft the rule for the consideration of HR 1560 and HR 1731 (Wednesday and Thursday
respectively) later this week on the floor of the House. These two bills
are the latest cybersecurity bills attempting to encourage and control the
sharing of cybersecurity threat information between government agencies and the
private sector.
Each bill will be considered separately under a structured
rule with limited debate and a pre-selected set of amendments to be considered.
If each bill is adopted (a pretty good certainty) the Clerk of the House is
directed to mash the two bills together by adding the provisions of HR 1731 to
the end of HR 1560. The revised HR 1560 will then be sent to the Senate for
consideration.
General Bill Provisions
I have started to review these bills on a number of
occasions both before and after their amendments in committee (HR 1560,
intel; HR 1731,
homeland security), but both bills have become even more convoluted than
normal in the frequent (and apparently poorly coordinated) attempts to placate
the concerns of the privacy advocates that have been the main opponents of
previous attempts at crafting information sharing bills.
Both bills strive to allow and encourage the private sector
to share cyber threat information with each other and federal agencies. In
numerous places and manners there have been attempts made to make it clear that
personally identifiable information is not included in the sharing process.
The difference between the two
bills is more a matter of focus and procedure than any real
difference in intent. HR 1560 establishes a stand-alone process for information
sharing while HR 1731 amends two sections of the United States Code (6
USC 148 and 6
USC 131) to provide statutory law to support that information sharing.
ICS Security Issues
Both of these bills were generally crafted to address
information sharing about threats to IT systems. HR 1560 made a brief
concession to the idea of industrial control systems also being vulnerable to cyber-attack
by specifically including “industrial control systems, such as supervisory
control and data acquisition systems, distributed control systems, and programmable
logic controller” {§11(8)(B)}
in the definition of ‘information system’. Otherwise there is no specific
mention of measures to address the unique security threats to industrial
control systems.
HR 1731 does go a bit further. In the amendment to 6 USC 148
(included in PL
113-282 passed last December) that modifies the mandatory composition of
the National Cybersecurity and Communications Integration Center, the DHS
ICS-CERT is added as a represented organization with the following specific
responsibilities {§148(d)(1)(G)}:
∙ Coordinate with industrial control
systems owners and operators;
∙ Provide training, upon request, to
Federal entities and non-Federal entities on industrial control systems
cybersecurity;
∙ Collaboratively address cybersecurity
risks and incidents to industrial control systems;
∙ Provide technical assistance, upon
request, to Federal entities and non-Federal entities relating to industrial
control systems cybersecurity; and
∙ Share cyber threat indicators, defensive measures,
or information related to cybersecurity risks and incidents of industrial control
systems in a timely fashion.
Floor Amendments
Before today’s hearing there were a number of amendments
submitted to the Rules Committee for possible inclusion in the floor action on
these bills; 25 for HR 1560 and 38 for HR 1731. The final rule selected 5 of
those for HR 1560 and 11 for 1731.
There was one amendment that added an additional
responsibility to those discussed for ICS-CERT above. That amendment (#15)
would have added the responsibility to evaluate and make recommendations to
the Under Secretary on industrial control systems that are essential for food,
medicine, and medical device production or processing and wholesale delivery.
This amendment will not be considered on the floor of the House.
There were two amendments {both submitted by Rep. Hahn
(D,CA)} to HR 1560 that addressed port cybersecurity issues; one requiring a
report to Congress (#1)
and the second prohibiting giving additional Port Security Grants to ports that
had not conducted “a cybersecurity vulnerability assessment, as defined by the Secretary
of Homeland Security” (#2).
The first was one of the amendments that will be considered on the floor of the
House.
Moving Forward
Both of these bills will probably pass this week in the
House. There will be significant opposition to the bill because of perceived privacy
issues, but I don’t think that it will be enough to derail either bill.
It is unlikely that the final version of HR 1560 will be
considered by the Senate. The Senate will consider its own version of an
information sharing bill next week. The language for that bill will then likely
be transferred to HR 1560 setting up the need for a conference committee to
work out the differences in the bill. It is very likely that a final version will
be passed by both houses before the summer recess.