Last month Sen Peters (D,MI) introduced S 4225, the Assessing a Cyber State of Distress Act of 2020. The bill would require DHS to conduct two studies in support of the implementation of a key recommendation of the Cyber Solarium Commission Report (CSCR) regarding responses to serious cyber incidents. CSCR key finding 3.3 recommends that Congress should codify a cyber state of distress tied to a cyber response and recovery fund to ensure sufficient resources and capacity to respond rapidly to significant cyber incidents.
Cyber State of Distress
Section 3 of the bill would require DHS to “conduct an assessment of the feasibility and advisability of establishing an authority for the declaration of a cyber state of distress” {§3(a)}. This assessment would address the recommendations in the CSCR (pgs 61-3) and would also include discussion of the following additional areas {§3(b)(2)}:
• The determinations that the DHS should make and any other actions that should be taken before the Secretary is authorized to declare or renew a cyber state of distress, including whether the declaration or any renewal should require congressional oversight or approval,
• The definition of the term ‘‘significant cyber incident’’, which shall include a consideration of the threat and scope or magnitude of the impact of such an incident,
• The authority for the coordination, including the extent and type of coordination, of the response of Federal, State, local, and Tribal governments (including the National Guard) and private entities,
• The appropriate duration of a cyber state of distress and any renewal of a cyber state of distress,
• Whether there should be a limitation on the number of renewals of a cyber state of distress, with or without congressional oversight or approval,
• Appropriate exemptions from applicable legal requirements necessary to facilitate activities during a cyber state of distress,
• The scope of any allowable activities in preparation for, during, or immediately following the termination of the cyber state of distress,
• The scope of any other interaction between Federal entities and between Federal and non-Federal entities, and
• Any other aspects of a cyber state of distress that the Secretary of Homeland Security determines relevant.
Cyber Response and Recovery Fund
Section 4 of the bill would require DHS to “conduct an assessment of the feasibility and advisability of establishing a Cyber Response and Recovery Fund” {§4(a)}. Again, the assessment would include an analysis of the recommendations in the CSCR (pgs 62-3) and would also address {§4(b)(2)}:
• The administration of a Cyber Response and Recovery Fund,
• The eligibility of entities that may receive direct or indirect support under a Cyber Response and Recovery Fund,
• Allowable expenses for a Cyber Response and Recovery Fund, and
• Whether any entity receiving funds from the Cyber Response and Recovery Fund should be required to match funds or reimburse any funds to the Cyber Response and Recovery Fund.
Moving Forward
Peters is the Ranking Member of the Senate Homeland Security and Governmental Affairs Committee, to which this bill was assigned for consideration. This means that he should have sufficient influence to see this bill considered in the Committee. Unfortunately, this late in the session, and especially in a Covid-19 affected presidential-election year, this bill will probably not be considered ‘important’ enough to move forward through the legislative process.
There is a remote chance that the bill could skip the committee review process and move directly to the floor under the Senate unanimous consent process, but that could only happen with the full blessing of Sen Johnson (R,WI), the Chair of the Committee.
Commentary
Anyone interested in this bill should definitely read the CSCR section (pgs 61-3) dealing with key recommendation 3.3. This recommendation notes that there could be a class of significant cyber events (or, more importantly, a possible series of coordinated cyber events) that, while not reaching the level justifying the declaration of a national emergency, would justify a coordinated Federal response that could include financial support for the affected parties. There is currently no mechanism for that sort of response short of such a declaration.
What is not clear in this bill is whether or not the assessments required would also address the six ‘enabling recommendations’ that the CSCR suggested would support the ‘Cyber State of Distress’ measures addressed in the Report. Those include:
3.3.1 Designate responsibilities for cybersecurity services under the Defense Production Act,
3.3.2 Clarify liability for Federally directed mitigation, response, and recovery efforts,
3.3.3 Improve and expand planning capacity and readiness for cyber incident response and recovery efforts,
3.3.4 Expand coordinated cyber exercises, gaming, and simulation,
3.3.5 Establish a biennial national cyber tabletop exercise, and
3.3.6 Clarify the cyber capabilities and strengthen the interoperability of the National Guard.
It would seem to me that, with the possible exception of the first and last recommendations, the list should be considered within the scope of this bill. I would like to suggest insertion of a new subparagraph in §3(b):
(2) the assessment of CSC recommendations should specifically include a review of the following enabling recommendations supporting key finding 3.3:
(A) clarify liability for Federally directed mitigation, response, and recovery efforts,
(B) improve and expand planning capacity and readiness for cyber incident response and recovery efforts,
(C) expand coordinated cyber exercises, gaming, and simulation, and
(D) establish a biennial national cyber tabletop exercise.
This bill does not require DHS to actually do anything beyond look at the situation and advise Congress on what needs to be done. This is because there will almost certainly have to be Congressional authorization for most of what is being recommended here by the Cyber Solarium Commission, and that authorization will almost certainly have to include significant spending authority. The bill should also require the Government Accountability Office, once the DHS assessments are reported to Congress, to provide estimates of the potential costs of the program.