Thursday, June 3, 2021

Review - HR 2236 Introduced - Cyber Shield Act of 2021

Back in March Rep Lieu (D,CA) introduced HR 2236, the Cyber Shield Act of 2021. The bill would require the Department of Commerce to establish the Cyber Shield Program, a program for the voluntary certification and labeling of products that meet industry-leading cybersecurity and data security benchmarks to enhance cybersecurity and protect data. The bill is a companion bill to S 965 that was introduced in April by Sen Markey (D,MA).

In addition to the requirement to establish the standards necessary for obtaining the designation of a Cyber Shield product, DOC would also have to maintain a searchable web site that would provide information about the standards, a listing of all of the designated products, and a database with cybersecurity and program information about each of the designated products.

Moving Forward

Lieu is not a member of the House Energy and Commerce Committee to which this bill is assigned for consideration. This means that it is unlikely that he has enough influence with that Committee to see this bill considered. Lieu will need to get a member of that Committee to cosponsor the bill for it to move forward.

Commentary

Congress is really enamored of ‘voluntary programs.’ If some manufacturer, who happens to be a ‘supporter’ of one or more congresscritters, objects to the requirement of the program, the automatic response is ‘it’s voluntary, you do not have to participate.’ It keeps financial backers happy while allowing Congress to look like it is doing something. Unfortunately, we have too many recent examples of voluntary programs that flat do not work.

And it really does not help a program to work when a bill specifically kills a main reason that a software/firmware/hardware vendor might have for wanting to participate in the program: to gain some measure of liability protection. The provision of §6 in this bill specifically disallows that protection. Instead of disallowing liability protections, the crafters of this bill should have been providing some sort of limited liability protection like that provided in the Safety Act (Subtitle G of the Homeland Security Act of 2002, 6 USC 441 et seq) for vendors of qualified antiterrorism products.

For a more detailed review see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-2236-introduced 
