Last month the House Homeland Security Committee published their report on HR 3710, the Cybersecurity Vulnerability Remediation Act. The Committee held their markup hearing back in July and ordered the bill reported without amendment. The bill is currently scheduled for consideration under the House suspension of the rules process on Wednesday. There will be limited floor debate, no amendments may be offered from the floor, and a supermajority is required for passage.
Commentary
The Committee did not deal with the copyright issue or the software ownership issue that I mentioned in my blog post on the introduction of the bill. This means that any mitigation measures that the Cybersecurity and Infrastructure Security Agency publishes as a result of this bill will have to be limited to the generic measures that CISA already includes in the control system security advisories published by NCCIC-ICS. CISA is not going to be able to publish any true ‘hacks’ of the affected software or firmware because of these issues, and the bill would do nothing to provide liability protection for owners or users who would apply such ‘hacks’ even if reported by CISA.
Making changes to the software, which is owned in most cases by the vendor and not by the facility in which the software operates, could be held to be a violation of 18 USC 1030(a)(5)(A) for CISA or for any researcher providing a software ‘hack’ to CISA, or a violation of 18 USC 1030(a)(5)(C) for facility owners who applied such a software hack to their systems.
So again, we have Congress taking action on a cybersecurity problem that is really no action at all. There is a potential (but very unlikely) way for the House to correct this bill, even under the suspension of the rules process. Under a motion to reconsider after passage, the bill could be sent back to the Homeland Security Committee with direction to offer an amendment. That amendment would read:
On page 4, line 21; insert “(a)” before “The director”;
On page 5, line 2; delete the period after “dor” and insert a colon;
On page 5, after line 2; insert:
“(b) Notwithstanding 18 USC 1030(a)(5), the publication by CISA of any mitigation measure that changes the programming of a computer or device to provide a mitigation measure as described in (a) is not considered to be a fraud related activity as defined in §1030; and
“(c) Notwithstanding 18 USC 1030(a)(5), the use of a mitigation measure described in (b) by a government agency or private entity to mitigate a vulnerability defined in (a) is not considered to be a fraud related activity as defined in §1030.”
On page 6, line 15; insert “(a)” before “The Under”;
On page 6, line 23; delete the period at the end and insert “; and”
On page 6, after line 23; insert:
“(b) Notwithstanding 18 USC 1030(a)(5), the submission to CISA of suggested changes to the affected software to mitigate an identified vulnerability as part of the program described in (a) is not considered to be a fraud related activity as defined in §1030.”
I do not really expect that this would happen, but I can always be surprised by congresscritters. More likely such changes would have to be undertaken in the Senate Homeland Security Committee if/when they mark up HR 3710 after it passes in the House, but before it is considered under the unanimous consent process in the Senate. Again, I would not really expect that to happen. It would be too much like actually trying to accomplish something.