Wednesday, May 4, 2016

HR 5077 Introduced – FY 2017 Intel Authorization Bill

Last week Rep. Nunes (R,CA) introduced HR 5077, the Intelligence Authorization Act for Fiscal Year 2017. Analysis of this bill is complicated because significant portions (How much? Don’t know.) are classified for fairly obvious reasons. The unclassified portion available to the public does include one cybersecurity provision: a requirement for a port cybersecurity report.

Port Cybersecurity Report


Section 604 requires the Under Secretary of Homeland Security for Intelligence and Analysis to submit a report on port cybersecurity to the congressional intelligence committees. The report will cover the “cybersecurity threats to, and the cyber vulnerabilities within, the software, communications networks, computer networks, or other systems employed by” {§604(a)}:

• Organizations conducting significant operations at seaports in the United States;
• Maritime shipping concerns of the United States; and
• Organizations conducting significant operations at transshipment points in the United States.

The report will include:

• A description of any recent and significant cyberattacks or cybersecurity threats directed against software, communications networks, computer networks, or other systems employed by the port entities described above; and
• An update on the status of the efforts of the Coast Guard to include cybersecurity concerns in the National Response Framework, Emergency Support Functions, or both, relating to the shipping or ports of the United States.

The report will also include an intelligence assessment of:

• Any planned cyberattacks directed against such software, networks, and systems;
• Any significant vulnerabilities to such software, networks, and systems; and
• How such entities and concerns are mitigating such vulnerabilities.

Moving Forward


Nunes is the Chair of the House Intelligence Committee and this is one of those ‘must pass’ authorization bills. The battles have been fought behind closed doors on this bill and will not see the light of day. This bill will be considered on the floor of the House, probably with limited debate and amendments. That is, limited in terms of time; we know that it will be limited to unclassified information.

The Senate will probably have their own version of the bill that will be passed in that body and then a conference committee will work out the differences between the two bills.

Commentary


The port cybersecurity report required in this bill would be significantly different than the one in HR 3878 that was passed in the House last December. This is much more of an intelligence report than the security systems report that was described in the earlier bill. The bill does not state this (an understandable oversight from the Intel Committee staff) but the report will certainly be classified and probably will not be shared further than with the Coast Guard’s Captains of the Port.


It would have been nice to see a requirement for an unclassified version of the report so that more sharing could be done with the information, but you never get much unclassified information from the intel community. It just goes too much against the grain.
