Wednesday, February 22, 2017

HR 940 Introduced – Securing Communications

Earlier this month Rep. Jackson-Lee (D,TX) introduced HR 940, the Securing Communications of Utilities from Terrorist Threats (SCOUTS) Act. The bill addresses the relationships between DHS and critical infrastructure in planning for, and responding to, terrorist attacks.


Section 2 of the bill sets some pretty broad policy guidelines for DHS. First it allows DHS to work with “critical infrastructure owners and operators and State, local, tribal, and territorial
entities” {§2(a)} to determine how DHS “can best serve the sector-specific cybersecurity needs to manage risk and strengthen the security and resilience of the Nation’s critical infrastructure against terrorist attacks”.

In fulfilling this policy DHS is specifically directed to “seek to reduce vulnerabilities, minimize consequences, identify and disrupt terrorism threats, and hasten response and recovery efforts related to impacted critical infrastructures” {§2(b)}. Additionally, the Secretary is allowed to “investigate the best means for engaging sector-specific agencies in participation in a voluntary cybersecurity information sharing, emergency support, and emerging threat awareness program” {§2(c)}.

Strategic Imperatives

Section 3 of the bill requires DHS to “implement an integration and analysis function for critical infrastructure that includes operational and strategic analysis on terrorism incidents, threats, and emerging risks” {§3(b)}. That ‘function’ will include data sharing with Fusion Centers to accomplish the following:

• Determine the appropriate role that Fusion Centers may fill in reporting data related to cybersecurity threat or incident information regarding individuals or service providers with access to or ongoing business relationships with critical infrastructure.
• Determine whether or how the National Protection and Programs Directorate and the National Cybersecurity and Communications Integration Center may work with Fusion Centers to report possible cybersecurity incidents.
• Determine a means for Fusion Centers to report availability of critical infrastructure to support local, State, Federal, tribal, and territorial law enforcement and the provision of basic public services after disruption events such as electric power brownouts and blackouts, accidents that disrupt service, and vandalism to or near facilities.
• Categorize and prioritize cybersecurity intake risk information based on relevance to critical infrastructure owners or operators in the area served by the Fusion Center.
• Establish an emerging threat hotline and secure online sector-specific cybersecurity incident reporting portal by which information may be disseminated through Fusion Centers.
• Develop, keep up to date, and make available a Federal agency directory of designated offices or individuals tasked with responding to, mitigating, or assisting in recovery from cybersecurity incidents involving critical infrastructure and make the directory available on a voluntary basis to critical infrastructure owners and operators.
• Establish a voluntary incident access portal with the ability to allow users to determine the means, methods, and level of incident reporting that is sector-specific and relevant to the recipient as defined and controlled by the recipient.
• Gather voluntary feedback from critical infrastructure owners and operators on the value, relevance, and timeliness of the information received, which shall include how they believe information and the means used to disseminate that information might be improved.
• Report to Congress every 2 years on the voluntary participation of critical infrastructure owners and operators in the programs established under this title.
• Implement a capability to collate, assess, and integrate vulnerability and consequence information with threat streams and hazard information
• Support the Department of Homeland Security’s ability to maintain and share, as a common Federal service, a near real-time situational awareness capability for critical infrastructure.

In evaluating vulnerability and consequence information the bill specifies the following cybersecurity related considerations {§3(b)(10)}:

• Evaluate the impact of cybersecurity and cyberphysical impacts of critical physical assets;
• Determine, through the voluntary cooperation of critical infrastructure owners and operators, the staffing and professional need for cybersecurity critical infrastructure protection with Fusion Centers;
• Determine, through coordination with the sector-specific agencies, the agency staffing needed to support cybersecurity critical infrastructure protection and report the findings to Congress;
• Anticipate interdependencies and cascading impacts related to cyber telecommunications failures;
• Recommend security and resilience measures for critical infrastructure prior to, during, and after a terrorism event or incident;
• Evaluate interdependencies and cascading impacts related to electric grid failures; and
• Make recommendations on preventing the collapse or serious degrading of the telecommunication capability in an area impacted by a terrorism event.

Moving Forward

Jackson-Lee is an influential member of the House Homeland Security Committee, the committee to which this bill was assigned for consideration. She certainly has the political influence to see this bill considered in committee.

Since the bill requires no new regulations or spending, there is little to attract the ire of the Republican leadership. It is very likely that if this bill is considered that it would attract bipartisan support. I suspect that if it would make it to the floor of the House for consideration, that it would be considered under the House suspension of the rules process. This means there would be limited debate, no floor amendments and it would require a super-majority for passage.


The title of this bill is more misleading than most. The bill has only very limited influence on ‘securing communications of utilities’. It is a much more generalized counter-terrorism support of critical infrastructure bill that would probably have minimal impact on operations of DHS, fusion centers or critical infrastructure.

The term ‘cybersecurity’ is thrown into various places in the bill in a haphazard manner. We see it combined frequently with ‘critical infrastructure’ in a way that makes it unclear whether the bill is calling out a new, undefined, type of critical infrastructure or whether it is referring to cybersecurity for each of the current critical infrastructure categories.

The closest the bill comes to defining its use of cybersecurity is the definition of the term ‘security’. That is defined as “reducing the risk to critical infrastructure by physical means or defense cyber measures to intrusions, attacks, or the effects of terrorist intrusions or attacks” {§4(4)}. This is about as useless a definition as I have seen in proposed legislation.

I suspect that this bill will make it to the President’s desk as a feel-good measure for congress critters to be able to claim that they have done something about counterterrorism and cybersecurity. At least it will not cost anything; except perhaps the preemption of attempts at actually doing something.

No comments:

/* Use this with templates/template-twocol.html */