Monday, October 26, 2015

S 754 Amendments to Date - CISA -

Okay, I couldn’t help myself. I have gone back and looked at the amendments to S 754 to date and I have pieced together the following analysis.

Boxer Amendment

The Senate is currently dealing with what many are referring to as the ‘Boxer Amendment’. This is actually Senate Amendment # 2716 submitted by Sen. Burr (R,NC) and Sen. Boxer (D,CA) (Chair and Ranking Member of the Senate Intelligence Committee). It is substitute language for S 754 that takes the least controversial of the 21 amendments that the Senate agreed to consider last July and rolls them into S 754, along with some other changes that have bipartisan support in Committee.

There is only one section of this substitute language that specifically applies to control system security issues (kind of): §407. Strategy to protect critical infrastructure at greatest risk. This section requires the DHS Secretary to “identify critical infrastructure entities where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security” {§407(b)}. It would then require a report to Congress “describing the extent to which each covered entity reports significant intrusions of information systems essential to the operation of critical infrastructure” {§407(c)} to either DHS or a regulating agency.

Additionally, DHS would be required to “conduct an assessment and develop a strategy that addresses each of the covered entities, to ensure that, to the greatest extent feasible, a cyber security incident affecting such entity would no longer reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security” {§407(d)(1)}.

Unreasonably short timelines are required for all of the required reports to Congress.

Other Control System Security Amendments

In my July blog post I mentioned that the only one of the 21 amendments agreed to be considered that specifically (okay, almost specifically) addressed control system security issues was Whitehouse 2626. Since the Senate has taken up consideration of the bill this week, only one more amendment has been proposed that addresses (again, almost specifically) control system security issues and that is Whitehouse 2713.

It would add a new section to 18 USC, the US criminal statutes (§1030A. Aggravated damage to a critical infrastructure computer). This is virtually the same section that was proposed in # 2713 and my comments in the earlier blog post certainly apply here. The implementation of its intent seems to me (again I am not a lawyer) to be fatally flawed by its reliance on the definition of ‘protected computer’ in the existing §1030(e)(2).

Interestingly, the Friday Daily Digest of the Congressional Record lists a ‘Modified Amendment No. 2626’ as one of the pending amendments being considered by the Senate. I suspect that the modification is making it an amendment to Amendment 2716 instead of S 754. Unfortunately, neither amendment was included in the unanimous consent agreement list of those that will be considered today before a vote on S 2716.

Moving Forward

There is one more cloture vote possible today on the full bill. If that passes (and all cloture votes to date have) then there will be a final vote on the bill today.

The question then arises whether the Senate will just send S 754 to the House or if it will substitute the language from S 754 for HR 1560, the House-passed information sharing bill. The latter would then almost certainly see a Conference Committee ironing out the differences between the two bills. Just sending S 754 to the House would probably result in the House amending that bill and prolonging the ultimate passage. Either way it is beginning to look like we are going to see an information sharing bill on the President’s desk during this session of Congress (which, remember, does not end until December of next year).
