Last month Sen. Cornyn (R,TX) introduced S 658, the National Cybersecurity Preparedness Consortium Act of 2019. The bill would authorize the DHS NCCIC to work with a consortium of non-profit entities to “develop, update, and deliver cybersecurity training in support of homeland security” {§2(1)}. This bill is nearly identical to S 333 that was passed in the Senate last session, but was not taken up in the House.
Definitions
Section 2 of the bill provides definitions of the following four key terms used in the legislation:
• Consortium,
• Department, and
The term ‘cybersecurity risk’ is defined by reference to the definition of that term found in 6 USC 659(a).
Assistance to NCCIC
The bill would authorize DHS to work with a consortium primarily composed of nonprofit entities, including academic institutions, to assist the National Cybersecurity and Communications Integration Center (NCCIC) in {§3(b)}:
• Providing training to State and local first responders and officials specifically for preparing for and responding to cybersecurity risks and incidents, in accordance with applicable law,
• Developing and updating a curriculum utilizing existing programs and models in accordance with such 6 USC 659, for State and local first responders and officials, related to cybersecurity risks and incidents,
• Providing technical assistance services to build and sustain capabilities in support of preparedness for and response to cybersecurity risks and incidents, including threats of terrorism and acts of terrorism, in accordance with such §659,
• Conducting cross-sector cybersecurity training and simulation exercises for entities, including State and local governments, critical infrastructure owners and operators, and private industry, to encourage community-wide coordination in defending against and responding to cybersecurity risks and incidents, in accordance with 6 USC 660(c),
• Helping States and communities develop cybersecurity information sharing programs, in accordance with §659, for the dissemination of homeland security information related to cybersecurity risks and incidents; and
• Helping incorporate cybersecurity risk and incident prevention and response into existing State and local emergency plans, including continuity of operations plans.
Moving Forward
Neither Cornyn nor his two cosponsors {Sen Leahy (D,VT) and Sen Boozman (R,AZ)} are members of the Senate Homeland Security and Governmental Affairs Committee, to which this bill was assigned for consideration. Typically, this means that there is not adequate influence to have the bill considered in Committee. If the bill were considered, I would expect to see a repeat of last session’s passage of S 333 by a voice vote.
NOTE: Last session Cornyn was a member of HSGAC.
Commentary
Congress certainly is not going to fund enough positions within CISA to be able to conduct the training, coordinating and planning envisioned in §3(b), so authorizing CISA to use outside agencies to perform these functions makes eminent sense. Unfortunately, nothing in the bill provides any indication of the source of funding for these activities. If the end users are going to have to self-fund their participation, they might as well turn to any number of private companies for the support.
(Deep Breath, Hold, Let it Out Slowly) The definition of ‘cybersecurity risk’ used in this bill is based upon the IT-restrictive definition of information system that §659 takes from 44 USC 3502. That means that the activities authorized in this bill do not specifically include activities related to the cybersecurity issues of industrial control systems, transportation control systems, security systems, building control systems, medical systems or a whole slew of lesser operational technology. This restricted definition does not prevent any of the activities described in this bill from being applied to operational technology cybersecurity issues, but it does not provide clear authority to do so either.
Long-time readers of this blog have heard my rant about this issue many times before (most completely here). For most things that CISA does, I will admit that this definition ‘problem’ does not make any significant difference; CISA does a lot of things that it is not specifically authorized to do. If CISA were regulating based upon these definitions, there would be lots of push-back from the regulated community, and there would probably be substantial support for that push-back from the Courts. Another way this could make problems for the Agency is when Congress starts to restrict or cut back funding; then those operations that are not specifically authorized will be the first to see the trimming.
But, this bill is not the place to make a stand on this particular definitional hill. I just did not want anyone to think that I had dropped the issue.