Yesterday there were 23 additional amendments
submitted in the Senate for S 754, the
Cybersecurity Information Sharing Act (CISA) of 2015. Only three of those
proposed amendments may be of specific interest to readers of this blog.
∙ SA 2623. Ms. Collins, pgs S6411;
∙ SA 2626. Mr. Whitehouse, pgs S6415-6; and
∙ SA 2628. Mr. Wyden, pg S6419
The Amendments
The Collins amendment would require the owners of ‘critical
cyber infrastructure’ to report to the DHS Secretary or appropriate agency head
“if an information system of a covered entity that is essential to the
operation of critical cyber infrastructure is successfully intruded upon” {new §lll(b)(1)}; note that
there is no definition of ‘successfully intruded upon’ provided. The report
would include {new §lll(b)(2)}:
∙ A description of the technique or method used in such intrusion;
∙ A sample of the malicious software, if discovered and isolated by
the covered entity, involved in such intrusion;
∙ Damage assessment; and
∙ Such other matters as the Secretary or the appropriate agency head, as the case may
be, consider appropriate.
The Whitehouse amendment would add a new section to the US
criminal code: 18 USC 1030A. This new section would make it a federal crime “during
and in relation to a felony violation of section 1030, to knowingly cause or
attempt to cause damage to a critical infrastructure computer” {new §1030A(a)}.
Unfortunately, because of the definition of ‘protected computer’ in §1030(e)(2)
only attacks on financial institutions or communications companies would give
rise to the underlying felony that is a required part of this new definition. I
do not think that that was the intent.
The Wyden amendment would require the Secretary of Commerce
to reconsider the rulemaking concerning the implementation of the Wassenaar
Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance
Items. The reconsideration would include drafting a supplemental notice of proposed rulemaking
that is written in consultation with “civil society organizations, including
privacy advocates, public and private sector technologists, security
researchers, and public and private sector software developers” {new §ll(b)(1)}. The new
proposed rule would be required to be:
∙ Limited to the scope of the agreements reached at the plenary
meeting of the Wassenaar Arrangement on Export Controls for Conventional Arms
and Dual-Use Goods and Technologies in December 2013;
∙ Consistent with the regulation of cybersecurity items by other
countries participating in the Wassenaar Arrangement, as appropriate; and
∙ Written to exclude cybersecurity items available for mass-market purchase
from regulation under the proposed rule.
Agreement to Consider the Bill
A unanimous consent agreement was reached yesterday to allow for the Senate to move
forward with the consideration of the bill without having to go through a
cloture procedure. That agreement calls for the consideration of 21 specific
amendments; ten from the Republicans and eleven from the Democrats. There is a possibility
that other amendments may be subsequently considered.
Of the seven amendments that I discussed here yesterday and
today, only one is on either list: Whitehouse 2626. Most of the remaining ones
that I discussed were excluded from consideration because they did not directly
deal with cybersecurity information sharing.