Earlier this month Rep. Kilmer (D,WA) introduced HR 3712,
the Major General Tim Lowenberg National Guard Cyber Defenders Act. The
bill would provide specific authorization for military reserve component cyber
civil support teams. NOTE: For more on Gen. Lowenberg see here and here.
Emergency Preparedness Programs
Section 2 of the bill amends 10 USC 12310(c), which provides for
military reservists to be used in an active duty role
in support of emergency preparedness programs. It would add a new
subparagraph (1)(E) to add “An attack or natural disaster impacting a computer,
electronic, or cyber network” to the list of covered emergencies for which the
emergency preparedness programs would be appropriate.
The bill then goes on to add a new subparagraph (3)(B) that
would specifically allow an individual reservist or “a reserve component
cyber civil support team” to provide emergency preparedness support for the
newly added cyber-attacks or disasters.
Cyber Civil Support Team Authorization
Section 3 of the bill requires that each state will have
(within 5 years) “an operational reserve component cyber civil support team
composed of reserve component members of the Armed Forces” {§3(a)}. To be considered
operational, each Cyber Civil Support Team would be required to be able to {§3(c)}:
• Perform duties relating to
analysis and protection in support of responding to emergencies involving an
attack or natural disaster impacting a computer, electronic, or cyber network;
• Advise and coordinate on any
incident deemed critical for the protection of life, property, and maintenance
of good order for the Governor;
• Cooperate with and assist private
sector owners and operators of critical infrastructure and key resources;
• Collaborate and participate in
information sharing with Federal, State, and local Fusion Centers, emergency
management authorities, and emergency management divisions; and
• Coordinate with elements of the Department of
Homeland Security.
Section 4 of the bill ensures that these Cyber Civil Support
Teams are specifically covered by the provisions of the Freedom of Information
Act under 5 USC 552.
Section 5 of the bill provides for a spending authorization
of $50 million for support of the requirements of this bill.
Moving Forward
Neither Kilmer nor his two cosponsors {Rep. Palazzo (R,MS)
and Rep. Heck (D,WA)} are members of the House Armed Services Committee to
which this bill was assigned for consideration. This means that the bill is
very unlikely to be considered in that Committee, pretty much ensuring that the
bill will not get to the floor of the House for a vote.
There is nothing in this bill which would engender any
serious opposition to its passage. The one major drawback to the bill is the
spending authorization, but that is one area where Kilmer and Palazzo have some
influence, since they are both on the House Appropriations Committee. If the
bill were to be considered, it is quite likely that it would receive substantial
bipartisan support.
Commentary
While there is a great deal of talk in Congress about
protecting critical infrastructure from cyber-attacks, there does not seem to
be too much that the military can do to protect the vast majority of critical
infrastructure cyber-systems that are owned by the private sector. In fact,
there is a very real argument that the private sector is responsible for that
and should pay for that protection via activities either in-house or through a
wide variety of organizations in the ever-expanding cybersecurity marketplace.
However, where cyber breaches have a physical impact on the
community beyond the boundaries of critical infrastructure, there is certainly
a need for the kind of support outlined in this bill. What concerns me about
the approach taken in the bill is the focus on post-incident response instead
of emergency preparedness planning.
Planning for the potential consequences of broadly effective
cybersecurity incidents is a prerequisite for effective responses to such
wide-scale incidents. In fact, the §12310(c)
program was founded on the idea that providing one or two professional planners
(military folks are, after all, as much planners as they are fighters) to local
government emergency-response planning agencies was a cost-effective way of
helping to mitigate the consequences of terrorist attacks and natural
disasters.
All but the largest local government agencies are
ill-prepared to plan for or respond to cyber-attacks on critical infrastructure.
Most have problems enough providing for their own cybersecurity prevention
efforts, much less have time or resources to plan for attacks on privately
owned critical infrastructure affecting their area. Cyber Civil Support Teams
under State control could provide another (though still limited) resource for
local governments involved in the planning process.