Last week Sen Cortez-Masto introduced S 3205, the Strengthening
and Enhancing Cybersecurity Usage to Reach Every (SECURE) Small Business Act.
The bill would require the Small Business Administration (SBA) to establish a
cybersecurity cooperative marketplace (CCMP) program to assist small business
concerns with purchasing cybersecurity products and services.
Definitions
Section 2 of the bill provides the definition of six terms
used in the bill. Two are of particular interest here:
• Cybersecurity – means {§2(4)}:
◦ The art of protecting networks, devices, and data
from unauthorized access or criminal use; and
◦ The practice of ensuring the confidentiality,
integrity, and availability of information.
• Cybersecurity Threat – means “the
possibility of a malicious attempt to infiltrate, damage, disrupt, or destroy
computer networks or systems” {§2(5)}.
The Market Place
Section 3 of the bill would require the SBA to establish a
marketplace web site that {§3(c)(1)}:
• Is free to use for small business
concerns and covered vendors; and
• Provides a cooperative
marketplace that facilitates the creation of mutual agreements under which
small business concerns cooperatively purchase cybersecurity products (including
cybersecurity risk insurance) and services from vendors.
The SBA would be required to adjudge the ‘legitimacy’ of
both the vendors and buyers on the marketplace.
This marketplace provision would sunset on September 30,
2024.
Moving Forward
Cortez-Masto is not a member of the Senate Small Business
and Entrepreneurship Committee to which this bill was assigned, though two of her
cosponsors {Sen Risch (R,ID) and Sen Rosen (D,NV)} are. This means that there
is a good chance that this bill would be brought up in Committee. Since there
is no spending authorization in the bill, I see nothing that would draw any
organized opposition to the bill’s consideration. The Committee would likely
report the bill favorably with substantial bipartisan support.
This does not mean, however, that the bill would be
considered on the floor of the Senate. The bill is not important enough to be
considered under regular order so it would have to be considered under the
unanimous consent process, which means a single Senator could block consideration
of the bill. That possibility is almost impossible to predict.
Commentary
The cybersecurity definitions in the bill are very vague but
tend towards information technology, not control system security. That could be
easily remedied by revising the cybersecurity definition in §2(4):
(4) CYBERSECURITY.—The term
‘‘cybersecurity’’ means—
(A) the art of protecting
networks, devices, and data from unauthorized access or criminal use and the practice of ensuring:
(i) for information systems, the practice of
ensuring the confidentiality, integrity, and availability of information;
or
(ii) for process control systems (including building
control and security control systems), the view and safe control of the
affected process.
The other oddity is that the lengthy list of ‘covered
industry sectors’ does not include the chemical sector. I suspect that Cortez-Masto
envisions the chemical sector to be made up of massive petrochemical process
facilities. It does, however, contain a very large number of small business entities
in the production, transportation and distribution sides of the business. The
failure to include those small business concerns is a major problem in this
bill that is not adequately remedied by the pro forma inclusion of ‘any other
industry sector that the Administrator determines to be relevant’ at the end of
the list.
Finally, I am not sure how any congressional staffer figures
that the SBA will be able to establish this type of marketplace without any
additional funding being provided to the agency. Setting up an on-line commerce
site is not cheap, nor is the upkeep and operation of the site. I understand
the reluctance of Senators to authorize new spending; it could be the death knell
of a bill. But carving these costs out of the existing SBA budget is only going
to harm current programs.
There is an alternative: make the marketplace self-funding.
This could be accomplished with the following addition to §3(c):
(c) the Administrator will
charge the participants in Market Place a user fee to cover the costs of
establishing and maintaining the Marketplace.