Wednesday, February 20, 2019

HR 1062 Introduced – Cybersecurity Consortium


Earlier this month Rep. Castro (D,TX) introduced HR 1062, the National Cybersecurity Preparedness Consortium Act of 2019. The bill would authorize the DHS NCCIC to work with a consortium of non-profit entities to “develop, update, and deliver cybersecurity training in support of homeland security” {§2(1)}. The bill is very similar to HR 1465 from the 115th Congress and HR 4743 from the 114th. No action was taken on HR 1465 but HR 4743 was passed in the House with bipartisan support.

Differences in the Bills


The current language is most closely a copy of the version of HR 1465 that was reported in the House. There are still a number of differences between the two versions of the bill; some of them minor and others more significant.

The first noticeable change is the references to both the Homeland Security Act of 2002 and 6 USC. These changes are strictly editorial updates for changes made to that Act and the US Code (USC) by the CISA authorization bill that was passed last year. As usual I prefer to use the USC links. All references to 6 USC 659 in the current bill are the same as the old 6 USC 148 that I have made numerous references to in the past. Unfortunately, the GPO has yet to update the USC for last year’s modifications, so all links to 6 USC in this post will be to the congressional version of the US Code.

Next, this bill removes almost all references to the phrase ‘including threats of terrorism and acts of terrorism’ that were included frequently in the earlier bills. This was used as a nearly constant modifier of the phrase ‘cybersecurity risks and incidents’. The current bill only uses this phrase one time, in §3(b)(3):

Provide technical assistance services to build and sustain capabilities in support of preparedness for and response to cybersecurity risks and incidents, including threats of terrorism and acts of terrorism, in accordance with such section 2209;

There are two paragraphs from the earlier bills that are completely removed in this latest version. Section 2(c) admonished the Secretary “to prevent unnecessary duplication of existing programs or efforts of the Department of Homeland Security”. Section 2(g) terminated the authorization for the program five years from the date of enactment. There is no similar language for either of these provisions in the current bill.

Finally, there are two additional sections found in this bill that were not included in the earlier versions. Section 2 provides definitions of important terms; those definitions were included in the text of various paragraphs in the reported version of HR 1465. Section 4 added an important rule of construction to the bill:

“Nothing in this Act may be construed to authorize a consortium to control or direct any law enforcement agency in the exercise of the duties of the law enforcement agency.”

Moving Forward


Neither Castro nor any of his six bipartisan cosponsors are members of the House Homeland Security Committee to which this bill was assigned for consideration. HR 1465 had a similar problem last session, which explains why it was not considered in Committee. If the bill were to be considered in Committee (possible if a new cosponsor who was on the Committee were added), it would probably be adopted by a bipartisan majority. There is nothing in the bill that should draw any significant opposition.

A similar sounding bill, S 333, was introduced in the Senate, but it looks to have a similar consideration problem; none of the four Senators currently associated with the bill are on the Senate Homeland Security and Governmental Affairs Committee.

Commentary


I did note, when writing about HR 1465 last session, that the definitions provided for ‘cybersecurity risk’ and ‘incident’ rely on the restrictive IT definition of ‘information system’ used in §659. This means that there is no authorization for providing training for incident response or response planning for industrial control system incidents. As it becomes more and more apparent that the physical consequences of a potential attack on industrial control systems could be much more significant than those of a purely IT system attack, this restrictive definition becomes more and more problematic.

I have been complaining about this definitional problem for some time. As usual, I have offered a number of different possible suggestions for fixing the problem. The most comprehensive can be found in my discussion of HR 2831 last session.
