Yesterday with both the House and Senate in session, there
were 60 bills introduced. I will be watching the following:
HR 7327 To require the Secretary of Homeland Security to establish a security
vulnerability disclosure policy, to establish a bug bounty program for the
Department of Homeland Security, to amend title 41, United States Code, to
provide for Federal acquisition supply chain security, and for other purposes. Rep.
Hurd, Will [R-TX-23]
HR 7328 To reauthorize certain programs under the Public Health Service Act
and the Federal Food, Drug, and Cosmetic Act with respect to public health
security and all-hazards preparedness and response, to clarify the regulatory
framework with respect to certain nonprescription drugs that are marketed
without an approved drug application, and for other purposes. Rep.
Brooks, Susan W. [R-IN-5]
HR 7327
HR 7327 was actually passed
yesterday in the House by a vote of 362 to 1 (69
representatives – almost evenly from both parties – not voting and likely not
present) even without an official text of the bill available from the GPO.
A quick look at a draft
posted on the shows IT-centric cybersecurity measures requiring DHS to
establish: a researcher vulnerability reporting system for public facing DHS
software and systems, a cyber-supply chain security program and a bug bounty
program. It also includes vague language requiring DHS to establish a policy of
publicly reporting such vulnerabilities. Oddly enough, the ‘other provisions’
includes a Title II, Border Patrol Agent Pay Reform.
None of this is new, but it was combined into one package
for a last-minute passage in the House under suspension of the rules. There is
a chance that the Senate could take this bill up today or tomorrow (if they are
still in session) under the unanimous consent process, but the border patrol pay
language may prevent that.
HR 7328
No action was taken yesterday on HR 7328, but it was published
by the GPO. There are some interesting (for emergency response planning) provisions, but
it does include a somewhat odd cybersecurity provision. Section 703 of the bill
would require the Secretary of Health and Human Services to submit to Congress
a “strategy for public health preparedness and response to address
cybersecurity threats (as defined in section 102 of Cybersecurity Information
Sharing Act of 2015 (6
U.S.C. 1501) [link added]) that present a threat to national health security.”
Sharp-eyed readers will recall that that definition is based upon a
control-system-inclusive definition of ‘information system’ {§1501(9)}.
The language of §703
is rather vague about what specific types of cyber incidents that strategy should
address. It is likely that Brooks (who will not return to Congress next month) was
concerned about attacks on medical information systems and perhaps medical
devices, but the language is broadly enough crafted to include incidents like
those I have recently been addressing in my Future ICS Security News blog (see here
for instance).
There is an outside chance that this bill could be
considered in the House today or tomorrow (again if they are in session
tomorrow), but it is extremely unlikely to go past consideration there. It is
not clear if there would be enough bipartisan support for this bill to pass in
the House (as it would require a super-majority, 2/3rds vote) if considered
under suspension of the rules.