Last week Rep. Castro (D,TX) introduced HR 4743, the National Cybersecurity Preparedness Consortium Act of 2016. The bill would establish a consortium to support efforts to address cybersecurity risks and incidents, including threats of terrorism and acts of terrorism.
The Consortium
Section 2 of the bill would require the DHS Secretary to establish the National Cybersecurity Preparedness Consortium. The Consortium would “consist of academic, nonprofit, industry, and government partners that develop, update, and deliver cybersecurity training in support of homeland security” {§2(e)}.
The Consortium would be authorized to {§2(c)}:
• Provide training to State and local first responders and officials specifically for preparing for and responding to cybersecurity risks and incidents;
• Develop and update a curriculum utilizing existing programs and models;
• Provide technical assistance services to build and sustain capabilities in support of preparedness for and response to cybersecurity risks and incidents, including threats of terrorism and acts of terrorism;
• Conduct cross-sector cybersecurity training and simulation exercises for entities, including State and local governments, critical infrastructure owners and operators, and private industry;
• Coordinate with the national cybersecurity and communications integration center of the Department of Homeland Security to help States and communities develop cybersecurity information sharing programs;
• Coordinate with appropriate Department of Homeland Security cybersecurity and training officials to assist in the incorporation of cybersecurity risk and incident prevention and response (including related to threats of terrorism and acts of terrorism) into existing State and local emergency plans.
Moving Forward
Castro is not a member of the Homeland Security Committee to which the bill was referred for consideration. A number of his cosponsors, however, are influential members of that Committee, including Rep. Smith (R,TX) and Rep. Richmond (D,LA). It would seem that there is enough interest in this bill to ensure that it would be considered in Committee. Whether that would translate into an ability to move it forward to the whole House remains to be seen.
If this were to reach the floor in either the House or Senate, there does not seem to be anything controversial enough to cause any significant opposition. I would suspect that it would be considered under suspension of the rules in the House and under unanimous consent in the Senate.
Commentary
Unfortunately, this bill uses a dated definition of ‘cybersecurity risks’ and ‘incident’ that does not include industrial control systems, so its efficacy in preventing cyber-based acts of terrorism is greatly reduced. The definitions of both terms refer to ‘information system’, and that is defined in 44 USC 3502(8). That definition reads:
“(T)he term “information system” means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information”.
For the last year or so most cybersecurity legislation {for example see §102(9) of the Cybersecurity Information Sharing Act (CISA) of 2015, included in Division N of the Consolidated Appropriations Act, 2016} has been modifying that definition by adding language that specifically includes “industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers”. This has been done in recognition of the fact that successful attacks on such systems could have physical effects that would be much more devastating than attacks on purely information systems.
To be truly effective, the definition of information system used in this bill will have to be changed to the CISA definition. It is also about time that someone in Congress considered amending the definition in §3502 itself to make it more inclusive.