Wednesday, December 2, 2015

HR 4127 Introduced – Intelligence Authorization Act

On Monday Rep. Nunes (R,CA) introduced HR 4127, the Intelligence Authorization Act for Fiscal Year 2016. The bill was then considered by the House yesterday and passed by a largely bipartisan vote of 364 to 58 (22 Republicans voted No).

I noted in a blog post yesterday that there were three sections of the public (unclassified) portion of the bill that might be of specific interest to readers of this blog. All three dealt with reports to Congress. After closer review it looks like only one may be of substantial interest; §313 – Cyber attack standards of measurement study.

The bill would require the Director of National Intelligence (DNI), in conjunction with DHS and DOD, to conduct a study to determine standards that “can be used to measure the damage of cyber incidents for the purposes of determining the response to such incidents” {§313(a)(1)}. The only specific requirement for the study is that it includes “a method for quantifying the damage caused to affected computers, systems, and devices” {§313(a)(2)}.

Moving Forward

With the bill having been considered yesterday under the suspension of the rules process, it is apparent that Chairman Nunes has done a good job of crafting a bill that has raised no substantial opposition.

This bill is a substitute for HR 2596, which was passed on more partisan lines back in June. The Senate version of the intel authorization bill is S 1705, which was reported out of Committee in July by unanimous vote but has not been taken up by the Senate. If the Senate takes up HR 4127, it could still substitute the language from S 1705 before voting on the bill. Differences would then be settled by a conference committee.


I have some minor concerns about the wording of §313. As currently constructed, it would appear to limit the report to the consideration of damage to the actual computer systems attacked, not the consequences of the loss or compromise of data involved in IT system breaches or the cyber-physical consequences of an attack on an industrial control system. I think that any consideration of a potential response to a cyber-attack would have to take those consequences into account.

The DNI is not prohibited from including those considerations in his report to Congress, but I would have thought that Congress would have wanted those items to be specifically considered. This is especially true because, in any significant cyber attack, those consequences would certainly be of higher ‘value’ than any specific damage to just the computer systems.

Since §313 is unlikely to be amended at this point, I suppose that we are going to have to rely on the DNI to expand on the limited congressional guidance provided for this report to include more relevant information than that required by Congress. I suspect, however, that there is little incentive for the DNI to do so.
