Two weeks ago Rep. Ratcliffe (R, TX) introduced HR 3578, the DHS Science and Technology Reform and Improvement Act of 2015. The bill amends the authorizing language of the Homeland Security Act of 2002 as it pertains to the operations of the DHS Science and Technology (S&T) Directorate. One of the new sections being added to the 2002 Act deals specifically with the cybersecurity responsibilities of S&T.
Cybersecurity Provisions
The new §322 directs the Department to “support research, development, testing, evaluation, and transition of cybersecurity technology, including fundamental, long-term research to improve the sharing of information related to cybersecurity risks and incidents” {new §322(a)}.
The expected R&D activities would include the following {new §322(b)}:
• Advance the development and accelerate the deployment of more secure information systems;
• Improve and create technologies for detecting attacks or intrusions, including real-time continuous diagnostics and real-time analytic technologies;
• Improve and create mitigation and recovery methodologies, including techniques and policies for real-time containment of attacks, and development of resilient networks and information systems;
• Develop and support infrastructure and tools to support cybersecurity research and development efforts, including modeling, testbeds, and data sets for assessment of new cybersecurity technologies;
• Assist the development and support of technologies to reduce vulnerabilities in industrial control systems; and
• Develop and support cyber forensics and attack attribution.
Paragraph (d) provides a series of definitions used in this new section. The defined terms include:
• Cybersecurity risk;
• Homeland security enterprise;
• Incident; and
• Information system.
The only definition of consequence to readers of this blog is the last one. The bill uses the restrictive definition from 44 USC 3502 that specifically limits it to “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information” {§3502(8)}. Interestingly, the term is never actually used in the new section.
Moving Forward
Ratcliffe is the Chair of the Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee of the House Homeland Security Committee. As such he has oversight responsibility for S&T and certainly has the political pull to move this bill forward. I expect that we will see a markup hearing before his Subcommittee in the coming weeks and there is a good possibility that this bill will move forward to the full House before the end of the year.
It is quite possible that this bill will be considered under suspension of the rules with minimal debate and no amendments. We will know better when we see how the Committee votes when this bill is marked up.
Commentary
I am glad to see that industrial control systems are finally getting the Congressional recognition they deserve separate from the larger information systems that they have been lumped in with in the last couple of years.
One problem, however, with this belated recognition of the control system security issue is that Congress still does not understand the real scope of the problem. For example, §322(c) provides a list of agencies with whom S&T should coordinate its cybersecurity research program. Unfortunately, it fails to list a number of Federal agencies that have some oversight responsibility for control system issues, including:
• Department of Transportation (automobiles, PTC, aircraft, etc.);
• Food and Drug Administration (medical devices); and
• Department of Energy (energy production and transmission).
Coordinating and sharing control system security research with these other agencies would certainly help make the Federal research dollar go much further. This is particularly important since this bill does not provide any additional funding to S&T.
BTW: Have I mentioned how much I detest the new House Homeland Security Committee website? It is set up on the infographic model instead of the ‘old-fashioned’ web site model with easy-to-find links to specific information on the site. Whoever designed this site needs to be banished from government service until they learn how to provide information rather than making something that looks pretty.