Last month Rep. Nunes (R,CA) introduced HR 6237,
the Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018
and 2019. The bill contains two Divisions reflecting authorizations for
both fiscal years. There are two reports of interest and a requirement to
establish an Energy Infrastructure Security Center mentioned in the
unclassified portion of the bill. Additionally, the Committee
Report discusses a topic with a potential for impact on cybersecurity
information sharing.
Reports
Section 1506 of the bill requires the Director of National
Intelligence (DNI) to submit a report to Congress on “the potential
establishment of a fully voluntary exchange program between elements of the intelligence
community and private technology companies” {§1501(a)}. The report would address intelligence
community (IC) to private sector and private sector to IC sharing of
cybersecurity qualified personnel.
Section 1510 of the bill would require the DNI to prepare a
report to Congress on how each element of the IC implements the Vulnerabilities
Equities Policy and Process. The report would address who at each agency is
responsible for determining whether “a vulnerability must be submitted for
review under the Vulnerabilities Equities Process” {§1510(a)(1)(A)(i)} and the process used for making
that determination. A subsequent report would be required when changes are made
at an agency. The required report would be unclassified (but generally
unavailable to the public) but could potentially include classified annexes.
Additionally, the section would require an annual classified report to Congress
on {§1510(b)(1)}:
• The number of vulnerabilities
submitted for review under the Vulnerabilities Equities Process;
• The number of vulnerabilities
described in subparagraph (A) disclosed to each vendor responsible for
correcting the vulnerability, or to the public, pursuant to the Vulnerabilities
Equities Process; and
• The aggregate number, by category, of the
vulnerabilities excluded from review under the Vulnerabilities Equities
Process, as described in paragraph 5.4 of the Vulnerabilities Equities Policy
and Process document.
Energy Infrastructure Security Center
Section 2422 amends 42
USC 7144b by inserting a new paragraph (d) which requires the Secretary to
establish the Energy Infrastructure Security Center within the DOE’s Office of Intelligence
and Counterintelligence (the old Office of Counterintelligence as revised by this
bill). The EISC will coordinate and disseminate intelligence relating to the
security of the energy infrastructure of the United States. This mission will
include {new §7144b(d)(2)}:
• Establishing a primary
organization within the United States Government for analyzing and integrating
all intelligence possessed or acquired by the United States pertaining to the
security of the energy infrastructure of the United States;
• Ensuring that appropriate
departments and agencies have full access to and receive intelligence support
needed to execute the plans or activities of the agencies, and perform
independent, alternative analyses;
• Establishing a central repository
on known and suspected foreign threats to the energy infrastructure of the
United States, including with respect to any individuals, groups, or entities
engaged in activities targeting such infrastructure, and the goals, strategies,
capabilities, and networks of such individuals, groups, or entities; and
• Disseminating intelligence
information relating to the security of the energy infrastructure of the United
States, including threats and analyses, to the President, to the appropriate
departments and agencies, and to the appropriate committees of Congress.
Committee Report
On page 48 of the Committee Report, the Committee notes that “businesses
without ownership of a Sensitive Compartmented Information Facility (SCIF),
which includes many small businesses, find it very difficult to perform
classified work”. They go on to note that “Construction and accreditation of
SCIF spaces may be cost-prohibitive for small business and non-traditional
government contractors.”
After briefly discussing the apparently unrelated idea of innovation
hubs, the Committee suggests that such hubs might be a model to solve the
problem of providing small businesses access to SCIFs. They then call for a
report to Congress that addresses:
• Potential approaches to allow for
SCIF spaces to be certified and accredited outside of a traditional contractual
arrangement;
• Options for classified co-use and
shared workspace environments such as: innovation, incubation, catalyst, and
accelerator environments;
• Pros and cons for public,
private, government, or combination owned classified neutral facilities; and
• Any other opportunities to
support companies with appropriately cleared personnel but without ownership of
a SCIF effective access to a neutral SCIF.
Moving Forward
This bill was approved by a unanimous vote of the Committee.
That would normally mean that bipartisan support for the bill could be expected
when the bill gets to the floor in the coming weeks. Unfortunately, as we saw
with HR 3180 (the FY 2018 version of this bill), that is not necessarily true.
That bill was finally passed in the House by a near party-line vote and was
thus not able to receive consideration in the Senate.
This bill also contains a number of provisions (see the ‘Minority
Views’ section of the Report starting on page 164) that might draw opposition
from Democrats, especially in an election year. We will have to wait and see
how this bill fares on the House floor before we can predict its chance of
final passage.
Commentary
The establishment of the EISC is certainly a measure of the
congressional recognition of the potential foreign threats to the energy
infrastructure in this country. I am concerned, however, with the bill’s failure to
address the need for sharing the intelligence information produced by the EISC
with private sector entities responsible for the operation of that
infrastructure. I suppose it could be argued that the Federal Energy Regulatory
Commission (FERC) would be the appropriate agency through which that
information might be expected to flow, but I still would have expected to see
specific private sector information sharing requirements in the EISC language.
Of course, congressional intent to share intelligence
information with appropriate private sector entities is not always successful,
as we have seen with the DHS automated information sharing (AIS) program. Part of
that is the failure of the intelligence community to prepare unclassified
briefs on intelligence information, but that is not always possible to do. The
larger problem is the inability of many private sector organizations to handle
classified information. This is where the Report’s attention to SCIFs may end
up being more important than the Committee intended.
They were specifically looking at expanding the access to
classified information to small contractors, but the larger use of
non-traditional SCIFs may be for the sharing and processing of classified
information by organizations that cannot justify the cost of establishing their
own SCIF so that they may be able to process classified intelligence reports
that may or may not be made available to them.