Earlier this month Rep. DelBene (D,WA) introduced HR 3895,
the Smart Cities and Communities Act of 2017. The bill is designed to “promote
smart technologies and systems to improve community livability, services,
communication, safety, mobility, energy productivity, and resilience” {§2}. It includes a workforce
training and development grant program supporting smart technology
implementation.
Cybersecurity
Cybersecurity concerns are mentioned throughout the bill.
For example, the discussion of the purpose of the bill in §2 mentions the
protection of “the security of data and systems” {§2(2)}. Again, in the definition of ‘smart city or
community’ the bill includes, as one of the inclusive actions taken by such
communities, measures “to ensure the resilience of civic systems against cybersecurity
threats and physical vulnerabilities and breaches” {§3(6)(B)(vi)(I)}.
Section 101 of the bill requires the establishment of the
Interagency Council on Smart Cities “to promote the coordination of the
activities and funding from Federal agencies relating to smart cities or
communities” {§101(a)(1)(A)(i)}.
The Council would consist of the Secretary of Commerce (Chair), the Secretaries
of Energy, HUD, and Transportation, and the Director of the National Science
Foundation.
The long list of priorities {§101(b)} for the Council includes the safeguarding of
cybersecurity, specifically including by “promoting industry practices regarding
cybersecurity” {§101(a)(1)(B)(vii)}.
Three separate ‘considerations’ are listed in that paragraph supporting the
cybersecurity priority {§101(a)(1)(C)}:
• Take into account existing
Federal, State, and local frameworks, guidelines, and best practices when
considering their application to smart city technologies;
• Take into consideration software
quality, especially as that quality impacts reproducibility, maintainability,
reliability, and security; and
• Ensure the privacy of individuals through the use
of technologies with inherent privacy and security considerations.
Building upon existing Department of Commerce (DOC) programs
(e.g., the Internet Policy Task Force and the Digital Economy Leadership Team),
§202 of the bill requires DOC to establish the Cybersecurity Working Group “to develop
tools for communities to use to evaluate the cybersecurity of smart city or
community technologies” {§202(b)(1)}.
Membership of the Group would include {§202(b)(2)}:
• Representatives of consumer
groups;
• Representatives of small units of
local government;
• Representatives of large units of
local government;
• Manufacturers of smart city or
community devices, equipment, and software;
• Individuals with expertise in communications
networks;
• Federal, State, and local law enforcement
officials; and
• Such representatives of the
Council as the Secretary determines to be appropriate.
The Group would be tasked with the requirement to {§202(b)(3)}:
• Leverage and build on previous
activities carried out by the Department of Commerce relating to Internet of
Things technology;
• Develop tools for communities to
evaluate the cybersecurity of smart city or community technology being
considered by the communities for adoption in those communities; and
• Develop tools for communities to
protect against cybersecurity threats relevant to the technology the community
has chosen to adopt.
Additionally, the Group would be specifically directed to
assess {§202(b)(3)(D)}:
• Whether Internet of Things cybersecurity
standards should exist;
• Whether the standards should be
voluntary or mandatory; and
• Which entity is
appropriate to devise the standards.
Moving Forward
While DelBene is not a member of the House Energy and
Commerce Committee (the primary of four committees assigned consideration of
this bill), her single co-sponsor {Rep. Lujan (D,NM)} is. This means that it is
possible that that Committee could take up this bill. Some fairly large amounts
of money for the various grant programs included in this bill will be the
biggest stumbling block to potential consideration and adoption of this bill.
If the House Leadership can be convinced that those funds are reasonable and
supportable then this bill should be able to pass with bipartisan support.
Commentary
While cybersecurity is mentioned throughout the bill there
is not a single definition related to cybersecurity provided. Nor is there a
working definition of the technologies encompassed by the term ‘smart
technologies’. This makes it difficult to assess whether or not operations
systems would be addressed by the cybersecurity concerns outlined in the bill.
The lack of specificity means that they could be, but there is no clear
congressional intent that they will be addressed.
The other thing that concerns me about the bill is the lack
of inclusion of the Department of Homeland Security in the Council. DOC could
invite DHS to provide representation, but it is not required to do so. While
DOC certainly has a great deal of cyber expertise, DHS has the mandate to be
responsible for the cybersecurity information sharing activities of the Federal
government and ICS-CERT has specific responsibility for that information
sharing when it comes to operational technology. I do not think that this was
an intentional slight of DHS by the crafters of this bill, but rather reflects
a general lack of congressional appreciation for the scope of the problem.
Finally, I am disappointed in not seeing the bill provide
for a grant program for continued studies on the development of cybersecurity
tools and strategies supporting the smart technology covered in this bill.
While the grant program included in the bill (the TechHire Workforce Training
and Development Pilot Program in §203)
is required to include “privacy and cybersecurity considerations” {§203(b)(3)} in its
curriculum, there is no on-going program to address the inevitable changes in
the cybersecurity realm caused by developing technology and changes in the
threat landscape.