Tuesday, January 15, 2019

HR 360 Introduced – Cyber Sense Program


Last week Rep. Latta (R,OH) introduced HR 360, the Cyber Sense Act of 2019. The bill is nearly identical to HR 5239 introduced last session and adopted by the House Energy and Commerce Commission. The new bill is most closely related to the reported version of the earlier bill.

Moving Forward


This bill was scheduled to be considered (along with HR 359) in the House today under the suspension of the rules process, but that has since changed. This was apparently done to provide time for the consideration of HJ Res 27 as I mentioned earlier.

This bill received bipartisan support in Committee during the last session and I suspect that it will again, if/when it reaches the floor of the House.

The House has still not made committee assignments for its members (beyond most Chairs and Ranking Members), so it is not yet possible to definitively comment on the possibility of this bill being considered in the House Energy and Commerce Committee, if that is not pre-empted by floor action. I suspect that Latta and his co-sponsor {Rep. McNerney (D,CA)} will be influential members of that Committee.

Commentary


I still have concerns about the information sharing restrictions in the bill. Most of the devices that would be covered under the Cyber Sense program would be used by manufacturing facilities outside of the electric sector. They could be substantially harmed by restricting the sharing of vulnerability information about those devices by making that information Critical Electrical Infrastructure Information (CEII).

As I outlined in my post on the introduction to HR 5239, I would much rather see a requirement to provide restricted early notification of vulnerabilities to organizations in the electric sector before universal notifications are made by NCCIC-ICS.

Interestingly, device vendors would probably not be restricted from publishing vulnerability reports on their own products, even if ‘protected’ by the CEII labeling. CEII restrictions only apply to government agencies within the United States.
