Last week Sen Wicker (R,MS) introduced S 2775, the Harvesting American Cybersecurity
Knowledge through Education (HACKED) Act of 2019. The bill would modify a number
of existing federal computer training related programs to specifically include
cybersecurity training.
Programs Amended
This bill would make amendments to the following programs
under the National Institute for Standards and Technology (NIST):
15 USC 7451 – National cybersecurity awareness and education program;
15 USC 7442 – Federal Cyber Scholarship-for-Service Program; and
15 USC 278g-3 – Computer standards program
This bill would make amendments to the following programs
under the National Science Foundation (NSF):
42 USC 1862s-7 – Computer science education research;
42 USC 1862i – Scientific and technical education;
42 USC 1869c – Low-income scholarship program;
42 USC 1869 – Scholarships and graduate fellowships;
42 USC 1881b – Presidential awards for teaching excellence;
42 USC 1862s-6 – Presidential awards for excellence in STEM mentoring; and
42 USC 6621 – Coordination of Federal STEM education
This bill would make amendments to the following programs
under the Department of Transportation:
49 USC 5505 – University transportation centers program;
49 USC 6503 – Transportation research and development 5-year strategic plan
Moving Forward
Wicker is the Chair of the Senate Commerce, Science, and
Transportation Committee to which this bill was assigned for consideration. The
bill is scheduled to be taken up by that Committee today as part of a business
meeting. The bill will almost certainly be adopted by a significant bipartisan
vote since no new funds are authorized by the bill.
Commentary
The biggest problem with this bill is that there is no
definition of ‘cybersecurity’ anywhere in the bill. The underlying definitions
for the NIST portions of the bill come from PL113-274.
In my blog post about that bill I noted that while “industrial or supervisory
control systems” are specifically mentioned in the underlying bill {§2(2)} they
are only addressed in reference to IT specific information systems.
There are no definitions of ‘cybersecurity’ in any of the
referenced NSF programs or DOT programs.
Now I have previously addressed a number of definitional
issues related to cybersecurity. My most comprehensive attempt at coming up
with cybersecurity definitions that were clearly applicable to both information
and operational cyber systems can be found here.
Unfortunately, I did not specifically address the term ‘cybersecurity’. I will
try to take that up here.
I do not expect that this bill would be a good place (nor is
this Committee the appropriate agent) to address each of the definitions that I
proposed earlier, so I will try to accomplish this by addressing just two
terms: ‘cybersecurity threat’ and ‘cybersecurity’. First, I would use the
existing definition of ‘cybersecurity threat’ from 6
USC 1501; remember that definition relies on the ICS inclusive definition
of ‘information system’ from that section. Then I would define ‘cybersecurity’:
Cybersecurity – The term cybersecurity
means any actions, policies or procedures utilized to protect an information
system (as that term is defined in 6 USC 1501) from a cybersecurity threat (as
that term is defined in the same section) or mitigate the effects of a
cybersecurity threat against such cybersecurity threat.