Monday, December 30, 2019

2019 Cybersecurity Legislation

As 2019 slides to a close, it would seem to be a good time to look back at what the 1st Session of the 116th Congress has accomplished on the OT cybersecurity front. The short story is not much; 60 pieces of legislation have been introduced, five have passed in the House, 1 passed in the Senate, and two have made into law. Okay now for the details.

Cybersecurity Legislation Selection

Here in this blog I try to look at every piece of legislation that is introduced that is going to, could, or will with some suggested tweaks, have an effect on what I generally call ‘control system security’. And I take a pretty broad definition of that ‘control system’; including such things as industrial control systems, building maintenance, security, transportation control, and even medical devices. In general, I do not cover purely IT related cybersecurity bills, or bills that only address government cybersecurity issues. But exceptions are made.

For each the Congress is in session (both active presence and pro forma sessions) the web site publishes a list of each bill introduced; generally the next day. I scan the brief description of the bills introduced and select those that sound like they may have a potential impact on control system security. I try to be very broad in my selection at this point; it is too hard to go back later and find such bills. And I publish a brief blog post identifying those bills.

Later, when the Government Printing Office finally is able to get around to publishing the official text of the bill, I download and read each of the bills that I previously identified as being potential candidates. I end up rejecting about a third of these bills as not fitting my very broad criteria of being a control system security bill. Those bills that do make the cut get a brief (okay sometimes not so brief) blog post about the provisions of the bills, my assessment of the bill’s probability to move forward, and frequently suggestions on how I think that the bill could be improved.

Now sometimes these bills are about nothing but control system security. More frequently, bills are about some larger problem, but do address control system security issues. Less frequently there really nothing in the bill about the topic, but I feel there should have been. In any case, the point I am trying to make is that my list of ‘cybersecurity bills’ is going to be different than anyone else’s. If there are any objections, contact me and I’ll take the matter under advisement.

Before this goes any further, there is one other rather odd thing about the way I treat legislation, I report on bills by their bill number (HR XXXX or S XXXX) where most other reporting agencies go by the bill name or some popular variation on that theme. This makes it easier to ensure we are all talking about the same bill since many bills have the same or similar names.

The Legislative List

The 116th Congress is one of the most prolific bill-writing congresses that I have followed. Already, in the first session (2019) they have introduced 10,168 bills and resolutions. This compares to the 13,563 that were introduced in the complete 115th Congress.

Out of those 10K bills and resolutions, I have identified 60 bills that I consider to be related to control system security. It could be 61, but one bill that I have identified as a potential candidate, HR 5527, has not yet had its language published so I don’t know yet if it actually qualifies by my loose criteria. Of those 60 bills, 38 were introduced in the House and 22 in the Senate. This is pretty close (1.73 vs 1.74) to the same ratio as that of bills introduced in the House and Senate.

Of the bills introduced on my list only the following 18 bills (30% of the total) have been considered in Committee; a general perquisite for eventual passage:

Bill #
HR 359
DOE Cybersecurity
HR 360
Cybersense Progam
HR 370
Pipeline Security
HR 1158
Cyber Response Teams
HR 1668
IOT Cybersecurity
HR 3318
TSA Threat Analysis
HR 3699
TSA Pipeline Security
HR 3710
Cybersecurity Vulnerabilities
HR 4091
ARPA-E Reauthorization
HR 4634
TRIA Reauthorization
S 174
Energy Sector Security
S 315
Cyber Response Teams
S 333
Cybersecurity Consortium
S 715
Smart Manufacturing
S 2095
DOE Cybersecurity
S 2333
Grid Security
S 2556
S 2714
ARPA-E Reauthorization

The links in the ‘Introduced’ column are to my blog posts about the initial bill. Dates in the ‘Hearing’ column reflect the date the Committee report on the bill was published; if there is a link its to my blog post on the Report. Where it simply reflects ‘Hearing’, the report has yet to be published. Usually a report is published before the full body (House or Senate) will take up the bill.

In general cybersecurity bills have done better than average in being considered in committee. Of the 8,675 bills (not counting resolutions) introduced this year, 1,103 have been considered in committee, or 1 in 7.8 bills. For my cybersecurity bills it is 1 in 3.3 bills. On this basis it would seem that cybersecurity is a relative priority in the 116th Congress.

Only one of the bills on the above list made it to being considered by the other body; HR 1158 was considered and passed (after being amended) in the Senate. The House ended up agreeing to the Senate’s language (taken from S 315), but it was included in the second spending bill passed this month, HR 1856, which was signed into law by the President.

That was not, however, the only bill on the list that made it into law. Another bill, HR 4634, was also included as part of the same spending bill. So, 3% of the cybersecurity bills on my list have made it into law. That looks better than the 1% of the total bills introduced during the session that have been signed by the President. I am careful to say ‘looks better’ because I have not tried to determine how many other bills made it into law by being combined into another bill. It is a favorite congress critter trick to get bills into law that would not make it there on their own merits.


So, looking at the number, it would seem that the 116th Congress has been a good one for cybersecurity. Unfortunately, the numbers are misleading. See, one of the two bills (HR 1158) that made it into law just authorized the ‘cyber hunt teams’ that are already employed by the Cybersecurity and Infrastructure Security Agency (CISA). The only thing really new in the law was the authorization to use civilian contractors on those teams; with the permission of the owner/operator of the facility where the team is hunting. The other bill is similarly not a big deal; the ‘cybersecurity’ provisions of HR 4634 consisted of language requiring the Department of Treasury to report to Congress on the advisability of considering cyberattacks as terrorist attacks under the Terrorism Risk Insurance (TRIA) Program. That could be helpful down the road but would still take new legislation to make it happen.

So, in my opinion, the first session of the 116th Congress has been kind of a wash for cybersecurity. Congress appears to be taking more of a look at the problem but, so far has done very little to deal with it

No comments:

/* Use this with templates/template-twocol.html */