Earlier this month Rep. Taylor (R,TX) introduced HR 5394, the Strengthening State and Local Cybersecurity Defenses Act. The bill would amend 6 USC 659, adding a number of coordination, education and assistance responsibilities to the Cybersecurity and Infrastructure Security Agency (CISA) charter to provide cybersecurity support to a wide variety of public and private entities in the country.
Definitions
The bill would add a new definition to 6 USC 651: ‘entity’. This term would be very broadly defined as including {new §651(4)}:
• An association, corporation, whether for-profit or nonprofit, partnership, proprietorship, organization, institution, establishment, or individual, whether domestic or foreign;
• A government agency or other governmental entity, whether domestic or foreign, including State, local, Tribal, and territorial government entities; and
• The general public.
New CISA Coordination Responsibilities
The bill would add a new paragraph (n) to 6 USC 659, entitled ‘Coordination’. That paragraph would require CISA to coordinate (to the extent practicable) with Federal and non-Federal entities (specifically including the Multi-State Information Sharing and Analysis Center) to:
• Conduct exercises with Federal and non-Federal entities;
• Provide operational and technical cybersecurity training related to cyber threat indicators, defensive measures, cybersecurity risks, and incidents to entities to address cybersecurity risks or incidents, with or without reimbursement;
• Assist entities, upon request, in sharing cyber threat indicators, defensive measures, cybersecurity risks, and incidents from and to the Federal Government as well as among entities, in order to increase situational awareness and help prevent incidents;
• Provide entities timely notifications containing specific incident and malware information that may affect such entities or individuals with respect to whom such entities have a relationship;
• Provide and periodically update, via a web portal and other means, tools, products, resources, policies, guidelines, controls, procedures, and other cybersecurity standards and best practices and procedures related to information security;
• Work with senior Federal and non-Federal officials, including State and local Chief Information Officers, senior election officials, and through national associations, to coordinate a nationwide effort to ensure effective implementation of tools, products, resources, policies, guidelines, controls, procedures, and other cybersecurity standards and best practices and procedures related to information security to secure and ensure the resiliency of Federal and non-Federal information systems, including election systems;
• Provide, upon request, operational and technical assistance to entities to implement tools, products, resources, policies, guidelines, controls, procedures, and other cybersecurity standards and best practices and procedures related to information security, including by, as appropriate, deploying and sustaining cybersecurity technologies, such as an intrusion detection capability, to assist such entities in detecting cybersecurity risks and incidents;
• Assist entities in developing policies and procedures for coordinating vulnerability disclosures, to the extent practicable, consistent with international and national standards in the information technology industry;
• Ensure that entities, as appropriate, are made aware of the tools, products, resources, policies, guidelines, controls, procedures, and other cybersecurity standards and best practices and procedures related to information security developed by the Department and other appropriate Federal entities for ensuring the security and resiliency of civilian information systems; and
• Promote cybersecurity education and awareness through engagements with Federal and non-Federal entities.
Moving Forward
Taylor and four of his cosponsors {Ranking Member Rogers (R,AL), Green (D,TX), Guest (R,MS) and Slotkin (D,MI)} are members of the House Homeland Security Committee, to which this bill was assigned for consideration. This bill will almost certainly be considered in Committee early next year. There is nothing in the language of the bill that would engender any significant opposition to it.
When the bill is considered (and it is likely to reach the floor), it will receive significant bipartisan support. When it is considered on the floor of the House, it will be taken up under the suspension of the rules process: limited debate, no floor amendments, and a two-thirds super-majority required to pass.
Commentary
This is another one of the cybersecurity bills being considered this session that are purely motherhood and apple pie attempts by Congress to make it look like they are doing something about cybersecurity. There is nothing in the bill that CISA is not already doing, or that DHS had not been doing for quite some time before the establishment of CISA.
If Taylor really wants this bill to accomplish something, he could straighten out the definitions in §659 that officially (though not actually in practice) limit CISA from looking at control system security, by excluding all but pure information technology systems from its purview.
Again, I would refer Taylor, and the Committee Staff, to my blog post from February where I discuss the cybersecurity definition problem in detail and provide legislative language to correct those problems.