
Friday, November 22, 2019

Senate Passes Two Cybersecurity Bills – S 333 and S 1846


Yesterday the Senate passed two cybersecurity bills under their unanimous consent process. There was no debate and no vote. The bills now move to the House.

The two bills were:

S 333, the National Cybersecurity Preparedness Consortium Act of 2019; and
S 1846, the State and Local Government Cybersecurity Act

A companion bill (HR 1062) was introduced in the House, but no action has been taken on that bill in Committee. This bill passing in the Senate may allow that roadblock to be bypassed.

S 1846 has not received any coverage in this blog beyond its introduction because there is nothing in the language that addresses control system security issues.

Friday, February 22, 2019

S 333 Introduced – Cybersecurity Consortium


Earlier this month Sen. Cornyn (R,TX) introduced S 333, National Cybersecurity Preparedness Consortium Act of 2019. The bill would authorize the DHS NCCIC to work with a consortium of non-profit entities to “develop, update, and deliver cybersecurity training in support of homeland security” {§2(1)}.

S 333 is a companion bill to HR 1062 that I discussed earlier this week. As I noted in that blog post, neither Cornyn nor his two co-sponsors are members of the Senate Homeland Security and Governmental Affairs Committee. Normally this would mean that it would be unlikely for that Committee to consider the bill. Interestingly, this bill is an exception to that ‘rule’. The bill was considered on February 13th and adopted without amendment in a voice vote.

If this bill makes it to the floor of the Senate (probably under their unanimous consent process) it is likely to pass.

Wednesday, February 20, 2019

HR 1062 Introduced – Cybersecurity Consortium


Earlier this month Rep. Castro (D,TX) introduced HR 1062, the National Cybersecurity Preparedness Consortium Act of 2019. The bill would authorize the DHS NCCIC to work with a consortium of non-profit entities to “develop, update, and deliver cybersecurity training in support of homeland security” {§2(1)}. The bill is very similar to HR 1465 from the 115th Congress and HR 4743 from the 114th. No action was taken on HR 1465 but HR 4743 was passed in the House with bipartisan support.

Differences in the Bills


The current language is most closely a copy of the version of HR 1465 that was reported in the House. There are still a number of differences in the two versions of the bill; some of them are minor and others are more significant.

The first noticeable change is the references to both the Homeland Security Act of 2002 and 6 USC. These changes are strictly editorial updates for changes made to that Act and the US Code (USC) by the CISA authorization bill that was passed last year. As usual I prefer to use the USC links. All references to 6 USC 659 in the current bill are the same as the old 6 USC 148 that I have made numerous references to in the past. Unfortunately, the GPO has yet to update the USC for last year’s modifications, so all links to 6 USC in this post will be to the congressional version of the US Code.

Next, this bill removes almost all references to the phrase ‘including threats of terrorism and acts of terrorism’ that were included frequently in the earlier bills. This was used as a pretty constant modifier of the phrase ‘cybersecurity risks and incidents’. The current bill only uses this phrase one time, in §3(b)(3):

Provide technical assistance services to build and sustain capabilities in support of preparedness for and response to cybersecurity risks and incidents, including threats of terrorism and acts of terrorism, in accordance with such section 2209;

There are two paragraphs from the earlier bills that are completely removed in this latest version. Section 2(c) admonished the Secretary “to prevent unnecessary duplication of existing programs or efforts of the Department of Homeland Security”. Section 2(g) terminated the authorization for the program five years from the date of enactment. There is no similar language for either of these provisions in the current bill.

Finally, there are two additional sections found in this bill that were not included in the earlier versions. Section 2 provides definitions of important terms; those definitions were included in the text of various paragraphs in the reported version of HR 1465. Section 4 added an important rule of construction to the bill:

“Nothing in this Act may be construed to authorize a consortium to control or direct any law enforcement agency in the exercise of the duties of the law enforcement agency.”

Moving Forward


Neither Castro nor any of his six bipartisan cosponsors are members of the House Homeland Security Committee to which this bill was assigned for consideration. HR 1465 had a similar problem last session, which explains why it was not considered in Committee. If the bill were to be considered in Committee (possible if a new cosponsor who was on the Committee were added) it would probably be adopted by a bipartisan majority. There is nothing in the bill that should draw any significant opposition.

A similar sounding bill, S 333, was introduced in the Senate, but it looks to have a similar consideration problem; none of the four Senators currently associated with the bill are on the Senate Homeland Security and Governmental Affairs Committee.

Commentary


I did not write about HR 1465 last session because the definitions provided for ‘cybersecurity risk’ and ‘incident’ rely on the IT-restrictive definition of ‘information system’ used in §659. This means that there is no authorization for providing training for incident response or response planning for industrial control system incidents. As it becomes more and more apparent that the physical consequences of a potential attack on industrial control systems could be much more significant than those of a purely IT system attack, this restrictive definition becomes more and more problematic.

I have been complaining about this definitional problem for some time. As usual, I have offered a number of different possible suggestions for the problem. The most comprehensive can be found in my discussion of HR 2831 last session.

Wednesday, March 16, 2016

Bills Introduced – 03-15-16

With both the House and Senate in session yesterday there were 26 bills introduced. Three of those bills may be of specific interest to readers of this blog:

HR 4740 To direct the Attorney General to make grants to States and units of local government for the prevention, enforcement, and prosecution of cybercrimes against individuals, and for other purposes. Rep. Clark, Katherine M. [D-MA-5]

HR 4743 To authorize the Secretary of Homeland Security to establish a National Cybersecurity Preparedness Consortium, and for other purposes. Rep. Castro, Joaquin [D-TX-20]

S 2684 A bill to provide for the operation of unmanned aircraft systems by owners and operators of critical infrastructure. Sen. Inhofe, James M. [R-OK] 

The Clark and Castro bills probably have nothing to do with control system security. If so, they will not be mentioned again.


The Inhofe bill is an odd take on UAS and critical infrastructure in that it apparently does nothing to protect CI against drone intrusions. We will see.