Saturday, August 13, 2022

Review - HR 8403 Introduced – Federal Cybersecurity Initiatives

Last month, Rep Swalwell (D,CA) introduced HR 8403, the Proactive Cyber Initiatives Act of 2022. The bill would establish requirements for proactive cybersecurity measures such as penetration testing and deceptive defense processes for federal information systems. It would require reports to Congress on penetration testing, active defense and proactive cybersecurity initiatives. No new funding is authorized by the bill.

Moving Forward

Swalwell is not a member of either the Oversight and Reform Committee or Armed Services Committee to which this bill was assigned for consideration. This means that there is not likely to be sufficient influence to see this bill considered in either committee. I see nothing in the bill that would engender any organized opposition. I suspect that the bill would receive bipartisan support in either committee. The bill would probably be considered in the House under the suspension of the rules process.

Swalwell is a member of the House Homeland Security Committee and I suspect that he figured that the bill would be assigned to that committee for consideration. To be fair, that is the committee to which I would have expected it to be assigned. I suspect that the Oversight and Reform assignment is a political attempt to expand the cybersecurity oversight responsibility of that Committee. The secondary assignment to the Armed Services Committee is required because of the DOD study and report requirements in Section 7.


The active defense report requirements in Section 6 seem to be rather bland until you go back and look at the definition of ‘active defense’ in Section 2. That definition includes feeding false information to an attacker, presumably through some sort of honeypot, and the use of “proportional action taken in response to an unlawful breach”. Typically, that phrase is used as a less confrontational way of describing limited ‘hack back’ actions. This is why the report is required to address “analysis of whether there are legislative, regulatory, or resource burdens” that need to be addressed before such actions can be undertaken. What is missing from that analysis requirement is a specific need to identify the limits that would have to be imposed on such activities. I would change §6(b)(3) to read:

“(3) An analysis of whether there are legislative, regulatory, or resource burdens that prevent such techniques from being effectively utilized, including the resources necessary to implement such techniques, and a reasonable set of limitations that should be imposed on using such techniques.”

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis (subscription required).
