Policy
Section 2 of the bill sets some pretty broad policy
guidelines for DHS. First it allows DHS to work with “critical infrastructure
owners and operators and State, local, tribal, and territorial
entities” {§2(a)}
to determine how DHS “can best serve the sector-specific cybersecurity needs to
manage risk and strengthen the security and resilience of the Nation’s critical
infrastructure against terrorist attacks”.
In fulfilling this policy DHS is specifically directed to “seek
to reduce vulnerabilities, minimize consequences, identify and disrupt
terrorism threats, and hasten response and recovery efforts related to impacted
critical infrastructures” {§2(b)}. Additionally, the Secretary is allowed to “investigate
the best means for engaging sector-specific agencies in participation in a
voluntary cybersecurity information sharing, emergency support, and emerging
threat awareness program” {§2(c)}.
Strategic Imperatives
Section 3 of the bill requires DHS to “implement an
integration and analysis function for critical infrastructure that includes
operational and strategic analysis on terrorism incidents, threats, and
emerging risks” {§3(b)}.
That ‘function’ will include data sharing with Fusion Centers to accomplish the
following:
• Determine the appropriate role
that Fusion Centers may fill in reporting data related to cybersecurity threat
or incident information regarding individuals or service providers with access
to or ongoing business relationships with critical infrastructure.
• Determine whether or how the
National Protection and Programs Directorate and the National Cybersecurity and
Communications Integration Center may work with Fusion Centers to report
possible cybersecurity incidents.
• Determine a means for Fusion
Centers to report availability of critical infrastructure to support local,
State, Federal, tribal, and territorial law enforcement and the provision of
basic public services after disruption events such as electric power brownouts
and blackouts, accidents that disrupt service, and vandalism to or near
facilities.
• Categorize and prioritize
cybersecurity intake risk information based on relevance to critical
infrastructure owners or operators in the area served by the Fusion Center.
• Establish an emerging threat
hotline and secure online sector-specific cybersecurity incident reporting
portal by which information may be disseminated through Fusion Centers.
• Develop, keep up to date, and
make available a Federal agency directory of designated offices or individuals
tasked with responding to, mitigating, or assisting in recovery from
cybersecurity incidents involving critical infrastructure and make the directory
available on a voluntary basis to critical infrastructure owners and operators.
• Establish a voluntary incident
access portal with the ability to allow users to determine the means, methods,
and level of incident reporting that is sector-specific and relevant to the
recipient as defined and controlled by the recipient.
• Gather voluntary feedback from
critical infrastructure owners and operators on the value, relevance, and
timeliness of the information received, which shall include how they believe
information and the means used to disseminate that information might be
improved.
• Report to Congress every 2 years
on the voluntary participation of critical infrastructure owners and operators
in the programs established under this title.
• Implement a capability to
collate, assess, and integrate vulnerability and consequence information with
threat streams and hazard information
• Support the Department of Homeland Security’s
ability to maintain and share, as a common Federal service, a near real-time
situational awareness capability for critical infrastructure.
In evaluating vulnerability and consequence information the
bill specifies the following cybersecurity related considerations {§3(b)(10)}:
• Evaluate the impact of
cybersecurity and cyberphysical impacts of critical physical assets;
• Determine, through the voluntary
cooperation of critical infrastructure owners and operators, the staffing and
professional need for cybersecurity critical infrastructure protection with
Fusion Centers;
• Determine, through coordination
with the sector-specific agencies, the agency staffing needed to support
cybersecurity critical infrastructure protection and report the findings to Congress;
• Anticipate interdependencies and
cascading impacts related to cyber telecommunications failures;
• Recommend security and resilience
measures for critical infrastructure prior to, during, and after a terrorism
event or incident;
• Evaluate interdependencies and
cascading impacts related to electric grid failures; and
• Make recommendations on
preventing the collapse or serious degrading of the telecommunication
capability in an area impacted by a terrorism event.
Moving Forward
Jackson-Lee is an influential member of the House Homeland
Security Committee, the committee to which this bill was assigned for
consideration. She certainly has the political influence to see this bill
considered in committee.
Since the bill requires no new regulations or spending,
there is little to attract the ire of the Republican leadership. It is very
likely that if this bill is considered that it would attract bipartisan
support. I suspect that if it would make it to the floor of the House for
consideration, that it would be considered under the House suspension of the
rules process. This means there would be limited debate, no floor amendments
and it would require a super-majority for passage.
Commentary
The title of this bill is more misleading than most. The
bill has only very limited influence on ‘securing communications of utilities’.
It is a much more generalized counter-terrorism support of critical
infrastructure bill that would probably have minimal impact on operations of
DHS, fusion centers or critical infrastructure.
The term ‘cybersecurity’ is thrown into various places in
the bill in a haphazard manner. We see it combined frequently with ‘critical
infrastructure’ in a way that makes it unclear whether the bill is calling out
a new, undefined, type of critical infrastructure or whether it is referring to
cybersecurity for each of the current critical infrastructure categories.
The closest the bill comes to defining its use of
cybersecurity is the definition of the term ‘security’. That is defined as “reducing
the risk to critical infrastructure by physical means or defense cyber measures
to intrusions, attacks, or the effects of terrorist intrusions or attacks” {§4(4)}. This is about as
useless a definition as I have seen in proposed legislation.
I suspect that this bill will make it to the President’s
desk as a feel-good measure for congress critters to be able to claim that they
have done something about counterterrorism and cybersecurity. At least it will
not cost anything; except perhaps the preemption of attempts at actually doing
something.