Showing posts with label HR 3223. Show all posts

Wednesday, July 21, 2021

6 Cybersecurity Bills Passed in House – 7-20-21

Yesterday the House passed six cybersecurity bills as part of an en bloc vote on 21 bills that were considered on Monday and Tuesday under the suspension of the rules process. The recorded vote was 319 to 105 with the Republican vote nearly evenly split. The six cybersecurity bills were:

HR 2928 – Cyber Sense Act of 2021

HR 1871 – Transportation Security Transparency Improvement Act,

HR 3138 – State and Local Cybersecurity Improvement Act, as amended,

HR 1833 – DHS Industrial Control Systems Capabilities Enhancement Act of 2021, as amended,

HR 2980 – Cybersecurity Vulnerability Remediation Act, as amended,

HR 3223 – CISA Cyber Exercise Act

Monday, July 19, 2021

Committee Hearings – Week of 7-18-21

This week with both the House and Senate meeting in Washington, there will be a full slate of committee hearings. Hearings of interest include the markup of the Senate version of the FY 2022 National Defense Authorization Act, three cybersecurity hearings and the start of the consideration process for FY 2022 spending bills. And we will have an interesting slate of cybersecurity legislation being considered on the floor of the House.

NDAA Markup in Senate

The Senate Armed Services Committee will be marking up their version of the FY 2022 NDAA. Each subcommittee will be meeting to mark up their portions of the NDAA on Monday and Tuesday. Then the full Committee will meet Wednesday and probably Thursday to complete the markup process. The subcommittee markups of interest here include:

• Monday - Subcommittee on Cybersecurity. CLOSED

• Tuesday - Subcommittee on Emerging Threats and Capabilities. CLOSED.

Cybersecurity Hearings

On Tuesday the House Small Business Committee will be holding a hearing on “Strengthening the Cybersecurity Posture of America’s Small Business Community”. This hearing is unlikely to specifically address control system security issues. The witness list will include:

• Tasha Cornish, Cybersecurity Association of Maryland, Inc.,

• Sharon Nichols, Mississippi Small Business Development Center,

• Kiersten Todt, Cyber Readiness Institute,

• Graham Dufault, The App Association,

On Tuesday the Subcommittee on Oversight and Investigations of the House Committee on Energy and Commerce will be holding a hearing on "Stopping Digital Thieves: The Growing Threat of Ransomware". This hearing is very likely to specifically address control system security issues and could get fairly technical. The witness list includes:

• Kemba Walden, Microsoft Corporation,

• Robert M. Lee, Dragos,

• Christian Dameff, M.D., M.S., Medical Director of Cybersecurity, UC San Diego Health,

• Charles Carmakal, FireEye-Mandiant

• Philip Reiner, Institute for Security and Technology

On Wednesday, the Senate Environment and Public Works Committee will be holding a hearing on “Addressing Cybersecurity Vulnerabilities Facing Our Nation’s Physical Infrastructure”. While the witness list is not yet available, there is a decent chance that there will be some discussion about control system cybersecurity issues. I would not be surprised to see witnesses from the water treatment sector.

Spending Bills

The House Rules Committee has announced that they are accepting amendments for the first spending bill for FY 2022. The House will be considering a minibus (multiple spending bills under one bill number), probably next week. The amendment deadline is Wednesday evening and the Committee is likely to hold their rulemaking hearing next Monday.

The slate for the first minibus is set to include:

Division A (Labor, Health and Human Services, Education),

Division B (HR 4356 – Agriculture, Rural Development),

Division C (Energy and Water Development),

Division D (HR 4345 – Financial Services and General Government),

Division E (HR 4372 – Interior, Environment),

Division F (HR 4355 – Military Construction, Veterans Affairs),

Division G (Transportation, Housing, and Urban Development),

I do not typically review the FSG or MCV spending bills, and the ARD bill contained nothing that I cover in this blog. The LHHS and THUD bills will probably be introduced today.

On the Floor

The House will be spreading their 27 bills considered under suspension of the rules over two days this week. The list includes seven cybersecurity bills:

• Monday

HR 2931 – Enhancing Grid Security through Public-Private Partnerships Act,

HR 2928 – Cyber Sense Act of 2021

• Tuesday

HR 1871 – Transportation Security Transparency Improvement Act,

HR 3138 – State and Local Cybersecurity Improvement Act, as amended,

HR 1833 – DHS Industrial Control Systems Capabilities Enhancement Act of 2021, as amended,

HR 2980 – Cybersecurity Vulnerability Remediation Act, as amended,

HR 3223 – CISA Cyber Exercise Act

Republicans have been forcing recorded votes on the suspension bills. Democrats have responded by voting on some and including the remainder in the vote on the language of the rule for consideration of bills under regular order. This may make reporting passage of these bills somewhat piecemeal.

Tuesday, May 18, 2021

HR 3223 Introduced - CISA Cyber Exercise Act

Last week Rep Slotkin (D,MI) introduced HR 3223, the CISA Cyber Exercise Act. The bill would establish in CISA the National Cyber Exercise Program. It also takes care of some administrative changes to the section numbering in Subtitle A of title XXII of the Homeland Security Act of 2002.

Cyber Exercise Program

Section 2(a) of the bill amends the Homeland Security Act of 2002 by adding a new §2220A, National Cyber Exercise Program. It establishes in CISA the National Cyber Exercise Program to evaluate the National Cyber Incident Response Plan, and other related plans and strategies. The program will be {new §2220A(a)(2)(A)}:

• Based on current risk assessments, including credible threats, vulnerabilities, and consequences,

• Designed, to the extent practicable, to simulate the partial or complete incapacitation of a government or critical infrastructure network resulting from a cyber incident,

• Designed to provide for the systematic evaluation of cyber readiness and enhance operational understanding of the cyber incident response system and relevant information sharing agreements, and

• Designed to promptly develop after-action reports and plans that can quickly incorporate lessons learned into future operations.

The Exercise Program will include a selection of model exercises that State, local, and Tribal governments, as well as private sector entities, could use in the design, implementation, and evaluation of exercises that {new §2220A(a)(2)(B)(ii)}:

• Conform to the requirements described above,

• Are consistent with any applicable national, State, local, or Tribal strategy or plan, and

• Provide for systematic evaluation of readiness.

HSA Cleanup

Congress writes many of their homeland security bills as amendments to the Homeland Security Act of 2002. The piecemeal nature of these amendments frequently results in section numbering issues that have to be corrected. The current version of the HSA has a series of these issues in Subtitle A, Cybersecurity and Infrastructure Security, of Title XXII. The table of contents shows:

Sec. 2214. National Asset Database.

Sec. 2215. Sector Risk Management Agencies.

Sec. 2215. Cybersecurity State Coordinator.

Sec. 2215. Joint cyber planning office.

Sec. 2215. Duties and authorities relating to .gov internet domain.

Sec. 2216. Cybersecurity Advisory Committee.

Sec. 2217. Cybersecurity Education and Training Programs.

Section 2(b) of the bill corrects this multiple §2215 situation so that the revised table of contents will read:

Sec. 2214. National Asset Database.

Sec. 2215. Duties and authorities relating to .gov internet domain.

Sec. 2216. Joint cyber planning office.

Sec. 2217. Cybersecurity State Coordinator.

Sec. 2218. Sector Risk Management Agencies.

Sec. 2219. Cybersecurity Advisory Committee.

Sec. 2220. Cybersecurity Education and Training Programs.

Sec. 2220A. National Cyber Exercise Program.

Moving Forward

As I mentioned earlier, this bill will be marked up this afternoon by the House Homeland Security Committee. I expect that the bill will receive substantial bipartisan support. I then expect it to be considered by the full House under the suspension of the rules process.

Commentary

CISA, and its predecessor agency, have already been holding a series of national cybersecurity exercises, so this bill is not really starting something new with the National Cyber Exercise Program. I am not sure if CISA has had a formal program for being able to share exercise models with State, local and Tribal governments, so this may be an addition to the existing program.

It would be nice if CISA were able to stand up something like the TSA’s Exercise Information System to aid in the development of industry and local government cybersecurity exercises. Unfortunately, this bill does not go quite that far, and it does not provide for any funding that would allow for that type of expansion.

Update on Cybersecurity Markup – 5-18-21

The House Homeland Security web site now has complete listings for the seven bills that it will be marking up this afternoon. Four of the bills are cybersecurity bills and a fifth deals with critical infrastructure. I have not yet had a chance to publish detailed reviews of each of these bills, so I am going to do a quick review of those that I have not reviewed.

The five bills of interest are:

• HR 2980, the “Cybersecurity Vulnerability Remediation Act”

• HR 3138, the “State and Local Cybersecurity Improvement Act”

• HR 3223, the “CISA Cyber Exercise Act”

• HR 3243, the “Pipeline Security Act”

• HR 3264, the “Domains Critical to Homeland Security Act”

HR 3138

This bill is similar to HR 5823 from last session. It would establish a grant program, the State and Local Cybersecurity Grant Program, with $500 million being authorized each year for the program through 2026. Each grant applicant would have to submit a cybersecurity plan to DHS for approval. Each applicant would also have to establish a cybersecurity planning committee. Multi-state grants would be authorized.

CISA would be required to establish a State and Local Cybersecurity Resiliency Committee. CISA would also be required to prepare and maintain a resource guide to help officials identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents.

The definition of ‘information system’ in this bill uses the ICS-inclusive definition from 6 USC 1501.

HR 3223

This bill would amend the Homeland Security Act of 2002 by adding a new section 2220A, National Cyber Exercise Program. It would require CISA to establish a National Cyber Exercise Program to evaluate the National Cyber Incident Response Plan. No additional funding authorization is provided. CISA is already conducting similar cybersecurity exercises.

HR 3243

This bill (Committee Print) would amend 49 USC 114, Transportation Security Administration, mandating that TSA continue being responsible for securing pipeline transportation and pipeline facilities against cybersecurity threats {new §114(f)(16)}.

It would also add a new section 1631, Pipeline Security Section, to a new Subtitle D, Pipeline Security, to the Homeland Security Act of 2002. It would require TSA to establish a pipeline security section to implement the responsibilities of §114(f)(16) {§1631(a)}. The new section would include personnel with cybersecurity expertise {§1631(c)}.

HR 3264

This bill (Committee Print) would add a new section 890B, Homeland Security Critical Domain Research and Development, to the Homeland Security Act of 2002. It defines two new terms {§890B(c)}: ‘United States critical domains for economic security’ (NOT related to the cyber term ‘domains’) and ‘economic security’. Section 890B(a) would authorize research and development to identify and evaluate United States critical domains for economic security and homeland security. The bill authorizes $1 million for this program.


Monday, May 17, 2021

Committee Hearings – Week of 5-16-21

This week, with both the House and Senate in session, there is a full slate of committee hearings. There are two cybersecurity hearings of interest this week, one a markup hearing and the other a look at the cybersecurity of the defense industrial base.

Cybersecurity Markup

Tomorrow, the House Homeland Security Committee will be holding a markup hearing for seven pieces of legislation, including at least three cybersecurity bills. I say ‘at least’ because three of the bills slated to be covered are simply listed on the House.gov calendar page as “H.R.____”. I suspect that one of those three blanks will be HR 3243; I discussed that briefly on Friday. The cybersecurity bills we know for sure are:

HR 2980, Cybersecurity Vulnerability Remediation Act

HR 3138, State and Local Cybersecurity Improvement Act

HR 3223, CISA Cyber Exercise Act

Sharp-eyed readers will recall that I thought those three bills might be coming to the floor this week. That is not the case. It seems that Rep Thompson (D,MS), Chair of the Homeland Security Committee, asked the GPO to print those bills earlier than ‘normal’ so the Committee did not have to rely on committee prints for their markups.

Defense Industrial Base Cybersecurity

The Subcommittee on Cyber of the Senate Armed Services Committee will be holding a hearing Tuesday on “Cybersecurity of the Defense Industrial Base”. The witness list includes:

• Rear Admiral William Chase III, DOD

• Jesse Salazar, DOD

The DIB is increasingly becoming the most heavily regulated industry for the purposes of cybersecurity. We should probably be watching this area of regulation as a potential test-bed for cybersecurity regulations for other critical infrastructure sectors.

On the Floor

There will be nothing of particular interest on the floor of the House this week, but there is some potential for some cybersecurity action in the Senate. Last Thursday, the Senate started to consider S 1260, the Endless Frontiers Act. This bill will establish a new Directorate for Technology and Innovation at the National Science Foundation. I have not been covering this bill, but there are indications that there could be some cybersecurity amendments offered that may be of interest here.

The Senate will vote today to close debate on the motion to consider. That will start the amendment process, so I will be watching the Congressional Record closely for any potential cybersecurity amendments.

Friday, May 14, 2021

Bills Introduced – 5-13-21

Yesterday, with both the House and Senate in session, there were 120 bills introduced. One of those bills may receive additional coverage in this blog:

HR 3223 To amend the Homeland Security Act of 2002 to establish in the Cybersecurity and Infrastructure Security Agency the National Cyber Exercise Program, and for other purposes. Rep. Slotkin, Elissa [D-MI-8]

I will be watching this bill for language and definitions that would indicate that industrial control systems would be included in the exercise program.

 