On Monday Rep. Nunes (R, CA) introduced HR 4127,
the Intelligence Authorization Act for Fiscal Year 2016. The bill was then
considered by the House yesterday and passed by a largely bipartisan vote of
364 to 58 (22 Republicans voted No).
I noted in a blog
post yesterday that there were three sections of the public (unclassified)
portion of the bill that might be of specific interest to readers of this blog.
All three dealt with reports to Congress. After closer review it looks like
only one may be of substantial interest; §313 – Cyber attack standards of measurement study.
The bill would require the Director of National Intelligence
(DNI), in conjunction with DHS and DOD, to conduct a study to determine
standards that “can be used to measure the damage of cyber incidents for the purposes
of determining the response to such incidents” {§313(a)(1)}. The only specific requirement for the study
is that it include “a method for quantifying the damage caused to affected
computers, systems, and devices” {§313(a)(2)}.
Moving Forward
With the bill having been considered yesterday under the
suspension of the rules process, it is apparent that Chairman Nunes has done a good
job of crafting a bill that has raised no substantial opposition.
This bill is a substitute for HR 2596, which was passed
on more partisan lines back in June. The Senate version of the intel
authorization bill is S 1705, which was reported out of Committee in July by unanimous vote but has
not been taken up by the Senate. If the Senate takes up HR 4127, it could
still substitute the language from S 1705 before voting on the bill.
Differences would then be settled by a conference committee.
Commentary
I have some minor concerns about the wording of §313. As currently
constructed, it would appear to limit the report to consideration of damage
to the actual computer systems attacked, not to the consequences of the loss or
compromise of data involved in IT system breaches or the cyber-physical consequences
of an attack on an industrial control system. I think that any consideration of
a potential response to a cyber attack would have to take those consequences
into account.
The DNI is not prohibited from including those considerations
in his report to Congress, but I would have thought that Congress would have
wanted those items to be specifically considered. This is especially true since
in any significant cyber attack those consequences would certainly be of higher
‘value’ than any specific damage to the computer systems themselves.
Since §313
is unlikely to be amended at this point, I suppose that we are going to have to
rely on the DNI to expand on the limited congressional guidance provided for
this report and to include more relevant information than Congress has required.
I suspect, however, that there is little incentive for the DNI to do
so.