Last month Rep. Donovan (R,NY) introduced HR 5459,
the Cyber Preparedness Act of 2016 [Note: there is currently something
wrong with this link at the GPO, alternative text of bill here].
The bill makes minor revisions to the Homeland Security Act of 2002 to enhance
cybersecurity information sharing.
Fusion Centers and NCCIC
Section 2(1) of the bill would add ‘cybersecurity risk
information’ to the list of types of information designated in 6
USC 124h(b)(6) and (b)(8) to be shared with fusion centers by DHS.
Additionally, the same ‘cybersecurity risk information’ would be added to the
list of types of information in §124h(d)(1) for which DHS would be required to “assist
law enforcement agencies and other emergency response providers of State,
local, and tribal governments and fusion center personnel in using information
within the scope of the information sharing environment”.
Section 2(2) of the bill would amend 6
USC 148 addressing the information sharing responsibilities of the National
Cybersecurity and Communications Integration Center (NCCIC). It would add
fusion centers to the information sharing requirements of §148(c)(5)(B).
Grants
Section 3 of the bill would amend 6
USC 609 by adding “enhancing cybersecurity, including preparing for and
responding to cybersecurity risks and incidents” to the list of permitted uses
at §609(a) for
which grants under the Urban Area Security Initiative or State Homeland
Security Grant Program can be used.
As is fairly typical, no additional funding is provided for
either grant program.
Moving Forward
Donovan and all three of his cosponsors {McCaul (R,TX),
Ratcliffe (R,TX), and Payne (D,NJ)} are influential members of the House
Homeland Security Committee. That means that this bill has a good chance of
moving forward through the committee review process. In fact, shortly after the
bill was introduced, it was
approved without amendments by the Emergency Preparedness, Response, and
Communications Subcommittee.
There is nothing in this bill that would draw any sort of
organized opposition. If the bill makes it to the floor of the House it would
almost certainly be approved under the suspension of the rules procedure. The
only question is if there is enough interest in the bill to get it to the floor
of the House for consideration in the limited time remaining in the session.
Commentary
This is the type of ‘i-dotting and t-crossing’ legislative
work that needs to take place to ensure that everyone has the appropriate
authority to carry out legislative mandates that have been previously passed.
Unfortunately, in this case, problems with the underlying definitions that are
critical to the intent of the legislation are not addressed.
In this case we go back to the problem of the definition of ‘cybersecurity
risk’. There is no definition of the term in §124h, so we are still left with the lack of any real
authority to share cybersecurity risk information within the fusion center
environment. In §148
we do have a definition {§148(a)(1)},
but it is one of those definitions that narrowly defines the term just with
respect to IT systems. So again, we technically have no authority for the NCCIC
to share information about cybersecurity risks that apply uniquely to
industrial control systems.
Finally, as I have mentioned numerous times, expanding the
allowable uses of federal grant monies is all well and good as long as the
amount of available funding is already increased. In cases like the one here in
this bill where that money pool is not enlarged, the expansion of the allowable
uses has the direct effect of decreasing the money available to the existing
list of potential grant uses. This means that grants will either be smaller
(and less useful) or fewer grants for existing programs will be approved. Either
may be a perfectly legitimate outcome, but there is no discussion of those
consequences when bills like this are discussed.