Yesterday Rep. Torres (D,CA) introduced HR 3878,
the Strengthening Cybersecurity Information Sharing and Coordination in Our
Ports Act of 2015. The bill would require DHS to undertake a number of
activities to increase the cybersecurity of port operations in the United
States.
Information Sharing
The bill contains three separate cybersecurity information
sharing provisions targeted at different levels of operations. The first is a
directive to the Secretary to “enhance participation by the Maritime
Information Sharing and Analysis Center (an independent, nonprofit entity sponsored
and managed by the Maritime
Security Council [link added]) in the National Cybersecurity and
Communications Integration Center” {§2(1)}.
The second would require the National
Maritime Security Advisory Committee to “report and make recommendations to
the Secretary on matters relating to methods to enhance cybersecurity situational
awareness and information sharing between and with maritime security
stakeholders” {§2(2)}.
Finally, each Captain of the Port would be required to establish a working group within the local Area
Maritime Security Advisory Committee to “facilitate the sharing of information
about and development of plans to address port-specific cybersecurity
vulnerabilities” {§3}.
Security Plans
Section 4 of the bill would require that all area and
facility security plans approved after the enactment of this bill “address
cyber threats and vulnerabilities and include mitigation measures to prevent,
manage, and respond to such threats and vulnerabilities”.
Moving Forward
Torres is a junior Democrat on the Border and Maritime
Security Subcommittee of the House Homeland Security Committee. Normally this
would not be expected to be a position of much influence in the Committee. In
any case, the bill is already scheduled for a markup before the full Committee
tomorrow, so it is obvious that this bill has the attention of the Committee
leadership.
The bill was also assigned to the Transportation and
Infrastructure Committee so we will have to wait and see if the two Committee
Chairs can work out a way for it to move to the floor of the House.
If the bill does make it to the floor it is unlikely to
attract any serious opposition from industry. The bill would probably be
considered under suspension of the rules with minimal debate and no amendments.
Commentary
The information sharing provisions of this bill are largely symbolic
as there are no specific requirements for private sector facilities to report
cybersecurity incidents. Additionally, any intelligence reports produced from
such incidents would almost certainly be classified (that is the nature of
intelligence agencies) and there are no provisions in the bill to provide
classified information access to facility security managers.
I am very pleased that the bill tries to address the need
for cybersecurity to be addressed in area security plans and facility security
plans under the MTSA. Unfortunately the wording in the bill is weak since it
does not actually amend the underlying statute or require a change to the
regulations. Amendments should have been made to 46
USC 70103(b) and §70103(c)
requiring security plans to address cybersecurity issues. That way appropriate
changes could be made to 33
CFR 103.505 and §105.405.
I was disappointed to see that the cybersecurity provisions
for security plans only applied to new security plans. I suspect that the
intent was also to include the periodic (every 5 years) revisions of the security
plans. Even so this could leave an area or facility without cybersecurity
coverage for almost five years. Again, if changes had been made to §70103, then a reasonable
effective date could have been provided in the regulatory change.