This week the House Intelligence Committee reported on HR 3494, the
Damon Paul Nelson and Matthew Young Pollard Intelligence Authorization Act for
Fiscal Years 2018, 2019, and 2020. While the bill contains some cyber
operations and cyber intelligence language, it does not address any control
system cybersecurity issues. There is, however, a brief discussion in the Committee
Report about the development of a “cybersecurity and intelligence
collection doctrine” that bears some scrutiny.
The House Rules Committee is meeting tomorrow to create the
rule under which this bill will be considered on the floor later this week. A
total of 46 amendments were proposed to the Committee last week. The Committee
will determine which of those amendments may be offered during consideration of
the bill on the floor of the House. One of those amendments addresses cybersecurity
in the energy sector.
Cybersecurity and Intelligence Collection Doctrine
On page 95 of the Report, the Committee directs the Office
of the Director of National Intelligence (ODNI) “to develop an analytic
framework that could support the eventual creation and execution of a
Government-wide cybersecurity and intelligence collection doctrine.” The framework
would include:
• An assessment of the current and medium-term cyber threats
to the protection of the United States’ national security systems and critical
infrastructure;
• IC definitions of key cybersecurity concepts, to
include cyberespionage, cyber theft, cyber acts of aggression, and cyber deterrence;
• Intelligence collection requirements to ensure identification
of cyber actors targeting U.S. national security interests, and to inform
policy responses to cyberattacks and computer network operations directed
against the United States;
• The IC’s methodology for assessing the impacts of cyberattacks
and computer network operations incidents directed against the United States,
taking into account differing levels of severity of incidents;
• Capabilities that the IC could employ in response
to cyberattacks and computer network operations incidents, taking into account
differing levels of severity of incidents;
• A policy and architecture for sharing
cybersecurity-related intelligence with government, private sector, and
international partners, including existing statutory and other authorities which
may be exercised in pursuit of that goal; and
• Any necessary changes in IC authorities,
governance, technology, resources, and policy to provide more capable and agile
cybersecurity.
Possible Cybersecurity Amendment
Amendment #20
was submitted by Rep. Ruppersberger (D,MD) and Rep. Carter (R,TX). This
amendment would authorize a pilot program identifying new classes of security
vulnerabilities and researching technology to address the ever-present and
changing face of cyber security threats to the energy grid. The amendment is
essentially HR
680, which Ruppersberger and Carter introduced in January. No action has
been taken on that bill. Nearly identical language was included (§10742) in the
Intel Authorization Act that was included in S
1790, the FY 2020 NDAA that was passed last month.
There is no resolution of the vulnerability disclosure
issue that I discussed in my post on HR
680 in either this submitted amendment to HR 3494 or in §10742 in S 1790.
Moving Forward
The House is currently
scheduled to consider HR 3494 on Tuesday. With the small number of amendments
being submitted to the Rules Committee, it looks like it could complete
consideration of the bill on the same day. The bill is likely to pass, but I
suspect it will be largely a party-line vote. The problem is going to come with
how to deal with the intel authorization once the House vote is completed.
Normally, there would be a conference committee to iron out the differences,
but the Senate passed their intel authorization act as part of the DOD authorization
act. It will be interesting to see how this procedural issue is resolved.