Thursday, August 6, 2015

Amendments to S 754 – 08-05-15

Yesterday there were 23 additional amendments submitted in the Senate for S 754, the Cybersecurity Information Sharing Act (CISA) of 2015. Only three of those proposed amendments may be of specific interest to readers of this blog.

SA 2623. Ms. Collins, pg S6411;
SA 2626. Mr. Whitehouse, pgs S6415-6; and
SA 2628. Mr. Wyden, pg S6419

The Amendments

The Collins amendment would require the owners of ‘critical cyber infrastructure’ to report to the DHS Secretary or appropriate agency head “if an information system of a covered entity that is essential to the operation of critical cyber infrastructure is successfully intruded upon” {new §lll(b)(1)}; note that there is no definition of ‘successfully intruded upon’ provided. The report would include {new §lll(b)(2)}:

A description of the technique or method used in such intrusion;
A sample of the malicious software, if discovered and isolated by the covered entity, involved in such intrusion;
Damage assessment; and
Such other matters as the Secretary or the appropriate agency head, as the case may be, consider appropriate.

The Whitehouse amendment would add a new section to the US criminal code: 18 USC 1030A. This new section would make it a federal crime “during and in relation to a felony violation of section 1030, to knowingly cause or attempt to cause damage to a critical infrastructure computer” {new §1030A(a)}. Unfortunately, because of the definition of ‘protected computer’ in §1030(e)(2), only attacks on financial institutions or communications companies would give rise to the underlying felony that is a required part of this new definition. I do not think that that was the intent.

The Wyden amendment would require the Secretary of Commerce to reconsider the rulemaking concerning the implementation of the Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items. The reconsideration would include drafting a supplemental notice of proposed rulemaking that is written in consultation with “civil society organizations, including privacy advocates, public and private sector technologists, security researchers, and public and private sector software developers” {new §ll(b)(1)}. The new proposed rule would be required to be:

Limited to the scope of the agreements reached at the plenary meeting of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies in December 2013;
Consistent with the regulation of cybersecurity items by other countries participating in the Wassenaar Arrangement, as appropriate; and
Written to exclude cybersecurity items available for mass-market purchase from regulation under the proposed rule.

Agreement to Consider the Bill

A unanimous consent agreement was reached yesterday to allow for the Senate to move forward with the consideration of the bill without having to go through a cloture procedure. That agreement calls for the consideration of 21 specific amendments; ten from the Republicans and eleven from the Democrats. There is a possibility that other amendments may be subsequently considered.

Of the seven amendments that I discussed here yesterday and today, only one is on either list: Whitehouse 2626. Most of the remaining ones that I discussed were excluded from consideration because they did not directly deal with cybersecurity information sharing.
