Last month Rep. Katko (R,NY) introduced HR 1975,
the Cybersecurity Advisory Committee Authorization Act of 2019. The bill would
require the DHS Cybersecurity and Infrastructure Security Agency (CISA) to
establish a cybersecurity advisory committee to advise the Director on the
development, refinement, and implementation of policies, programs, rulemakings,
planning, training, and security directives pertaining to the mission of CISA.
Composition
The Committee would be composed of 35 individuals
representing State and local governments and a broad range of industries,
including {new §2215(c)(1)(C)}:
• Defense;
• Education;
• Financial services;
• Healthcare;
• Manufacturing;
• Media and entertainment;
• Chemicals;
• Retail;
• Transportation;
• Energy;
• Information Technology; and
• Communications.
Moving Forward
Katko is a member of the House Homeland Security Committee,
one of the three committees to which this bill was assigned for consideration.
This means that it is likely that this bill will receive consideration in that
Committee. None of the current cosponsors of the bill are members of the other
two committees to which the bill was assigned. This greatly decreases the possibility
that this bill will be considered in those committees. There is a reasonable
chance that the bill could move to the floor without action by the Energy and
Commerce or Oversight and Reform committees if the Homeland Security Committee
were to strongly endorse the bill.
There is nothing in this bill that would engender serious
opposition. If the bill were to be considered it would probably receive broad
bipartisan support. I suspect that there is a good chance that this bill will
come to the floor of the House under the suspension of the rules process.
Commentary
There is no language in this bill that specifically
identifies control system cybersecurity as a targeted interest of the Committee.
But, having said that, it seems clear to me that the crafters of the bill intended
operational technology cybersecurity to be included in the Committee’s purview.
One just has to look at the industrial sectors specified to see that a wide
variety of industrial control systems are core technologies for many of the
sectors. I do have a minor concern, however, that the support side (vendors,
integrators and researchers) of control system security may not receive any
recognition in this committee. This concern could be reduced by changing the
name of one of the industries from ‘information technology’ to ‘information and
operational technology’.
The Federal government has successfully used this type of
advisory committee to help provide regulators with a wide span of technical expertise.
There have periodically been complaints about the ‘influence’ these industry
insiders have over the regulatory process. Usually, this type of complaint has
been short-circuited by ensuring the inclusion of counter-industry advocacy representatives
like labor organizations or privacy groups. For this Committee, I think the
failure to include representatives of privacy groups is a significant shortcoming
that should be corrected before this legislation makes its way to the
President.