Tuesday, November 24, 2020

S 4795 Introduced – Cyber Sense Program

Last month Sen Rosen (D,NV) introduced S 4795, the Cyber Sense Act of 2020. This bill is very similar to HR 360 that passed in the House days before this bill was introduced. The bill would require DOE to establish “a voluntary Cyber Sense program to identify and promote cyber-secure products intended for use in the bulk-power system” {§2(b)}.

Differences Between S 4795 and HR 360

The essential components of the ‘Cyber Sense Program’ are the same in the two bills. The differences are structural (S 4795 includes a definitions sub-section {§2(a)}) and editorial (HR 360 makes multiple references to the ‘Cyber Sense Program’ where S 4795 makes reference to ‘the program’). These are common stylistic differences frequently seen in House and Senate language.

Moving Forward

Rosen is not a member of the Senate Energy and Natural Resources Committee to which this bill was assigned for consideration, but her three cosponsors {Sen Hoeven (R,ND), Sen King (I,ME), and Sen Risch (R,ID)} are members of that Committee. If this bill had been introduced earlier in the session there would be a good chance that the bill would be considered in Committee and adopted with bipartisan support. There probably is not enough time remaining in the session for this to happen.

Given that HR 360 passed in the House by a voice vote, there remains a good chance that the Senate could directly take up this bill under the unanimous consent process, but I am not sure why they would want to take up this bill rather than HR 360. If S 4795 were passed, it would have to go back to the House for an additional vote (where it would almost certainly pass); passing HR 360 would avoid that extra step. It is probably a toss-up as to which would be considered.

Commentary

My two objections to the language of HR 360 also apply to this bill. The information protection language in both bills would allow vendors to continue to sell vulnerable devices without notification, and it would probably discourage researchers from reporting vulnerabilities to the program rather than to CISA’s NCCIC-ICS. The bigger problem continues to be the lack of a specific funding authorization in either bill. This would mean that DOE would have to fund this program with existing monies, taking money from other programs.
