Tuesday, August 4, 2020

HR 7331 Introduced – National Cyber Director Act

Back in June Rep. Langevin (D, RI) introduced HR 7331, the National Cyber Director Act. The bill would establish the Office of the National Cyber Director in the White House. The Office would consist of a Director, two Deputy Directors and a staff of up to 75 personnel.

Definitions

Section 2(f) provides the definitions of key terms used in this bill. The terms defined include:

• Cybersecurity posture,

• Cyber attacks and cyber campaigns of significant consequence,

• Incident, and

• Information security.

Both ‘incident’ and ‘information security’ are defined by reference to current definitions in 44 USC. Neither definition would include control system security within its purview.

The second term has the most complex definition in the bill. It would include an incident or series of incidents that have the purpose or effect of {§2(f)(2)}:

• Causing a significant disruption to the availability of a Federal information system,

• Harming, or otherwise significantly compromising the provision of service by, a computer or network of computers that support one or more entities in a critical infrastructure sector,

• Significantly compromising the provision of services by one or more entities in a critical infrastructure sector,

• Causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain, or

• Otherwise constituting a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.

Duties of Director

Section 2(c) of the bill lays out the duties of the National Cyber Director. The Director would be required to:

• Serve as the principal advisor to the President on cybersecurity strategy and policy,

• Develop the United States National Cyber Strategy, which shall include elements related to Federal departments and agencies,

• Supervise implementation of the strategy,

• Lead joint interagency planning for the Federal Government’s integrated response to cyberattacks and cyber campaigns of significant consequence,

• Direct the Federal Government’s response to cyberattacks and cyber campaigns of significant consequence,

• Engage with private sector leaders on cybersecurity and emerging technology issues,

• Annually report to Congress on cybersecurity threats and issues facing the nation, including any new or emerging technologies that may impact national security, economic prosperity, or enforcing the rule of law, and

• Be responsible for such other functions as the President may direct.

Section 2(d) of the bill would amend 50 USC 3021(c)(2), adding the Director to the list of people that the President may direct “to attend and participate in meetings of the [National Security] Council.”

Moving Forward

Langevin is a member of the House Armed Services Committee, one of the committees to which this bill was assigned for consideration. With 15 bipartisan cosponsors, it is likely that the bill will be considered in one or more of those committees. The big problem for this bill is that, with the House currently in its summer recess, there is probably not enough time for it to make its way through the legislative process. It just does not have a high enough priority to compete with spending bills and Covid-19 legislation.

An ideal way to work around that would have been to include the language of this bill as an amendment to the National Defense Authorization Act, but that was not done. There is still a chance that these provisions could be included in a consolidated spending bill after the election.

Commentary

In this bill Langevin carries on a long-standing legislative tradition of failing to distinguish between information technology and operational technology. The definitions in this bill rely on IT-limited definitions of ‘information technology’ and then specify duties that should clearly involve operational technology. But even where operational technology concerns are implied, they are limited to the economic consequences of a cyberattack (i.e., ‘provision of services’) and ignore the potentially catastrophic physical consequences that could be associated with a successful cyberattack on manufacturing or transportation assets.

I would (as I frequently do) refer readers to my earlier blog on changing cybersecurity definitions used in legislative language. Upon further reflection I would also like to add a subparagraph (D) to the definition of ‘incident’ that I propose in that post:

“(D) the health or safety of the local community through the release of energy or toxic chemicals.”