Last week Rep. Jackson-Lee (D,TX) introduced HR 3710,
the Cybersecurity Vulnerability Remediation Act. The bill would amend 6
USC 659 to allow the National Cybersecurity and Communications Integration
Center (NCCIC) to “identify, develop, and disseminate actionable protocols to
mitigate cybersecurity vulnerabilities” {new §659(n)}.
Changes to Section 659
Section 2 of the bill first adds a definition of ‘cybersecurity
vulnerability’ taken from ‘security vulnerability’ in 6
USC 1501. It then goes on to modify the functions of the NCCIC in §659(c). The revisions
would make that paragraph read:
(c) Functions
The cybersecurity functions of the
Center [NCCIC] shall include-
•••
(5)(A) conducting integration and
analysis, including cross-sector integration and analysis, of cyber threat
indicators, defensive measures, cybersecurity risks, and incidents; and
(B) sharing mitigation protocols to counter cybersecurity
vulnerabilities pursuant to subsection (n); and
(C) [redesignated from (B)] sharing the
analysis conducted under subparagraph (A) and mitigation protocols to counter cybersecurity vulnerabilities
in accordance with subparagraph (B) with Federal and non-Federal
entities;
•••
(9) sharing cyber threat
indicators, defensive measures, mitigation protocols to counter cybersecurity vulnerabilities
and other information related to cybersecurity risks and incidents with Federal
and non-Federal entities, including across sectors of critical infrastructure
and with State and major urban area fusion centers, as appropriate;
Finally, it would add a new paragraph (n):
(n) PROTOCOLS TO COUNTER
CYBERSECURITY VULNERABILITIES.—The Director may, as appropriate, identify,
develop, and disseminate actionable protocols to mitigate cybersecurity
vulnerabilities, including in circumstances in which such vulnerabilities exist
because software or hardware is no longer supported by a vendor.
Vulnerability Disclosure
Section 3 of the bill would require a report to Congress on
how the Cybersecurity and Infrastructure Security Agency (CISA) carries out its
vulnerability disclosure responsibilities described in §659(m). That report
would include activities undertaken “to disseminate actionable protocols to
mitigate cybersecurity vulnerabilities” {§3(a)} outlined in this bill. That unclassified report
would include:
• A description of the policies and procedures
relating to the coordination of vulnerability disclosures;
• A description of the levels of activity in furtherance
of such subsections (m) and (n) of §659;
• Any plans to make further improvements to how
information provided pursuant to such subsections can be shared (as such term
is defined in §659)
between the Department and industry and other stakeholders;
• Any available information on the degree to which
such information was acted upon by industry and other stakeholders; and
• A description of how privacy and civil liberties
are preserved in the collection, retention, use, and sharing of vulnerability
disclosures.
Vulnerability Competition
Section 4 of the bill would allow CISA to “establish an incentive-based
program that allows industry, individuals, academia, and others to compete in
providing remediation solutions for cybersecurity vulnerabilities”. No funding
is provided.
Moving Forward
As I mentioned in an earlier post, this bill will be marked
up by the House Homeland Security Committee tomorrow. I do not expect any amendments
will be offered and the bill will almost certainly receive bipartisan support.
I expect that the bill will be considered by the full House under the suspension
of the rules process: limited debate and no floor amendments. It is very likely
to pass with strong bipartisan support.
Commentary
The final phrase in §659(n)
is very interesting: “including in circumstances in which such vulnerabilities
exist because software or hardware is no longer supported by a vendor.” This
clearly recognizes that software (including, of course, operating systems) is
quite frequently used well after the vendor stops providing support and that
this significantly increases the risk associated with that continued use. And
I would assume that the ‘competition’ outlined in §4 is primarily aimed at these out-of-support
systems.
There is a significant problem with this approach. While the
vendors have stopped support for these systems, I do not think that most would
surrender their copyright or outright ownership of the ‘non-supported’ systems.
This means that it would be a violation of any of a number of Federal (and
probably international) laws to modify the software, firmware or operating
system to mitigate any vulnerabilities found after the close of support on the
product without the specific authorization of the vendor. These issues will
have to be resolved by Congress.