Earlier this month Rep. Jackson-Lee introduced HR 2980, the Cybersecurity Vulnerability Remediation Act. The bill would amend 6 USC 659 to allow the National Cybersecurity and Communications Integration Center (NCCIC) to “identify, develop, and disseminate actionable protocols to mitigate cybersecurity vulnerabilities” {new §659(n)}. The bill is essentially identical to HR 3710, which passed the House last session.
Changes to §659
The major change to 6 USC 659 made in this bill is the addition of a new sub-section (n):
“(n) Protocols To Counter Cybersecurity Vulnerabilities.—The [CISA] Director may, as appropriate, identify, develop, and disseminate actionable protocols to mitigate cybersecurity vulnerabilities, including in circumstances in which such vulnerabilities exist because software or hardware is no longer supported by a vendor.”
Report on Vulnerabilities
Section 3 of the bill requires CISA to prepare a report to Congress on how it coordinates vulnerability disclosures under §659(m) (Cybersecurity outreach) and how it identifies, develops, and disseminates “actionable protocols to mitigate cybersecurity vulnerabilities” under the new subsection (n). The bill text refers to these provisions as section 2209, the section of the Homeland Security Act that is codified at 6 USC 659. The report will include {§3(a)}:
• A description of the policies and procedures relating to the coordination of vulnerability disclosures;
• A description of the levels of activity in furtherance of such subsections (m) and (n) of such section 2209;
• Any plans to make further improvements to how information provided pursuant to such subsections can be shared (as such term is defined in such section 2209) between the Department and industry and other stakeholders;
• Any available information on the degree to which such information was acted upon by industry and other stakeholders; and
• A description of how privacy and civil liberties are preserved in the collection, retention, use, and sharing of vulnerability disclosures.
Moving Forward
Jackson-Lee is a member of the House Homeland Security Committee. She certainly has the influence to see this bill considered in Committee. In fact, as I mentioned earlier today, it looks like the bill will be skipping the committee consideration process based upon the passage of HR 3710 last session. The bill will almost certainly pass in the House with strong bipartisan support.
Commentary
As I mentioned in a couple of posts on HR 3710, the one real problem with this legislation is found in the last phrase of the new subsection (n): “…including in circumstances in which such vulnerabilities exist because software or hardware is no longer supported by a vendor.” As long as the mitigation measures offered by CISA or researchers are limited to workarounds or process controls (network segmentation, restricted access, monitoring and the like), there should not be any significant issues. But such measures are seldom a real fix for the problem in practice; they reduce exposure to the vulnerability without removing it. To really fix a software problem, one has to change the program.
Unfortunately, the only one who can lawfully change the program is the owner of the software. One of the peculiarities of modern technology is that the person who operates software is not typically the owner of the software; they buy a license. Making changes to the program without the permission of the owner is probably a violation of 18 USC 1030(a)(5). In my post on the House Homeland Security Committee report on HR 3710, I proposed ‘notwithstanding’ language to address this potential fraud issue, but that ignores the larger question of who bears liability for changes made to the software, including for anything those changes break. Those issues are not addressed in this bill.