Last month Rep. Chabot (R,OH) introduced HR 1648, the Small
Business Advanced Cybersecurity Enhancements Act of 2019. The bill would require
the Small Business Administration to establish a Central Small Business
Cybersecurity Assistance Unit as well as regional cybersecurity assistance
units.
Cybersecurity Assistance Units
The CSBCAU would be collocated with the DHS National
Cybersecurity and Communications Integration Center (NCCIC) and would serve as
a conduit for sharing cybersecurity threat information between small businesses
and the federal government. All of the information sharing protections provided
under the CISA legislation {6 USC 1503(c)} would apply to information sharing
via the CSBCAU {new 15 USC 648(a)(9)(B)(iii)}. Information on cyberthreat
indicators or defensive measures
shared through the CSBCAU will not be subject to the narrow regulatory
exemption found in 6 USC 1504(d)(5)(D)(ii)(I).
The regional small business cybersecurity assistance units
will be part of each Small Business Administration (SBA) small business
development center. The bill would require the SBA to set aside $1 million from
the monies authorized for small business development centers for the operation
of regional SBCAUs.
Moving Forward
Chabot and both of his cosponsors {Rep. Balderson (R,OH) and
Rep. Velazquez (D,NY)} are members of the House Small Business Committee, the
committee to which this bill was assigned for consideration. This means that
there is a good chance that this bill will be considered in committee.
There is nothing in this bill that would incur any
significant opposition. I suspect that if it is considered in committee it
would pass with significant bipartisan support. If considered by the full House
it would likely be considered under the suspension of the rules process with
limited debate and no floor amendments. Again, it would probably pass with substantial
bipartisan support.
Commentary
This bill is an attempt to encourage small business owners
to participate in the existing cybersecurity information sharing program with
CISA by using familiar SBA channels of communication. Unfortunately, it does
not address the underlying issue that appears to be hindering businesses in
general from participating in the information sharing process: the
appearance that the information sharing process is a one-way street with little
usable information flowing back to the private sector.
The one small sop thrown to the small business community,
the §1504 exception, will do little to encourage small businesses to
participate in the CISA information sharing process. Section 1504 allows units
of the federal government to use information shared with NCCIC to fine tune
existing cybersecurity regulations. Since there are few areas of the federal
regulatory system that are specifically allowed to regulate cybersecurity, this
is a fairly unimportant exception.
There is no mention in this bill of industrial control
system security issues. The findings section of the bill only mentions
information technology security concerns. Fortunately, since this bill attempts
to supplement the CISA information sharing process, it uses control-system-friendly
definitions from 6 USC 1501 that are based on the definition of ‘information
system’ that specifically includes control systems. Unfortunately, this is as
unlikely to encourage small businesses to share control system security threat
information with CISA as it is to encourage them to share purely IT threat
information. Congress needs to clearly identify the existing impediments to
information sharing and rectify those before it can expect small businesses to
become part of the process.