Showing posts with label HR 2236. Show all posts

Wednesday, August 23, 2023

Review - HR 4623 Introduced – Cybersecurity Standards

Review - Last month, Rep Lieu (D,CA) introduced HR 4623, the Cyber Shield Act of 2023. The bill would require the Department of Commerce to establish the Cyber Shield Program, a program for the voluntary certification and labeling of products that meet industry-leading cybersecurity and data security benchmarks to enhance cybersecurity and protect data.

This bill is identical to HR 2236, introduced by Lieu last session. No action was taken on that bill.

Moving Forward

Lieu is not a member of the House Energy and Commerce Committee to which this bill is assigned for consideration. This means that it is unlikely that he has enough influence with that Committee to see this bill considered. Lieu will need to get a member of that Committee to cosponsor the bill for it to move forward.

 

For more details about the provisions of the program, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4623-introduced - subscription required.

Thursday, June 3, 2021

Review - HR 2236 Introduced - Cyber Shield Act of 2021

Back in March, Rep Lieu (D,CA) introduced HR 2236, the Cyber Shield Act of 2021. The bill would require the Department of Commerce to establish the Cyber Shield Program, a program for the voluntary certification and labeling of products that meet industry-leading cybersecurity and data security benchmarks to enhance cybersecurity and protect data. The bill is a companion bill to S 965 that was introduced in April by Sen Markey (D,MA).

In addition to the requirement to establish the standards necessary for obtaining the designation of a Cyber Shield product, DOC would also have to maintain a searchable web site that would provide information about the standards, a listing of all of the designated products, and a database with cybersecurity and program information about each of the designated products.

Moving Forward

Lieu is not a member of the House Energy and Commerce Committee to which this bill is assigned for consideration. This means that it is unlikely that he has enough influence with that Committee to see this bill considered. Lieu will need to get a member of that Committee to cosponsor the bill for it to move forward.

Commentary

Congress is really enamored of ‘voluntary programs.’ If some manufacturer, who happens to be a ‘supporter’ of one or more congresscritters, objects to the requirement of the program, the automatic response is ‘it’s voluntary, you do not have to participate’. It keeps financial backers happy while allowing Congress to look like it is doing something. Unfortunately, we have too many recent examples of voluntary programs that flat do not work.

And it really does not help a program to work when a bill specifically kills a main reason that a software/firmware/hardware vendor might have to want to participate in the program: to gain some measure of liability protection. The provision of §6 in this bill specifically disallows that protection. Instead of disallowing liability protections, the crafters of this bill should have been providing some sort of limited liability protection like that provided in the Safety Act (Subtitle G of the Homeland Security Act of 2002, 6 USC 441 et seq) for vendors of qualified antiterrorism products.

For a more detailed review see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-2236-introduced 

Saturday, March 27, 2021

Bills Introduced – 3-26-21

Yesterday, with the House meeting in pro forma session, there were 106 bills introduced. Two of those bills may receive additional coverage in this blog:

HR 2225 To authorize appropriations for fiscal years 2022, 2023, 2024, 2025, and 2026 for the National Science Foundation, and for other purposes. Rep. Johnson, Eddie Bernice [D-TX-30] 

HR 2236 To establish a voluntary program to identify and promote internet-connected products that meet industry-leading cybersecurity and data security standards, guidelines, best practices, methodologies, procedures, and processes, and for other purposes. Rep. Lieu, Ted [D-CA-33]

I will be watching HR 2225 for cybersecurity research initiatives.

HR 2236 is probably a companion bill to S 965 that was introduced yesterday by Sen. Markey (D,MA).

 