Review - HR 3078 Introduced - Pipeline and LNG Facility Cybersecurity

Last month Rep Upton (R,MI) introduced HR 3078, the HR 3078 Introduced - Pipeline and LNG Facility Cybersecurity Preparedness Act. The bill would give the Department of Energy primary responsibility for physical and cybersecurity of pipelines and liquified natural gas facilities.

NOTE: This analysis of HR 3078 is based upon a Committee Print of the bill being used during today’s markup hearing by the House Energy and Commerce Committee. The Government Printing Office has not yet published the official version of the bill.

Moving Forward

Upton is a senior member of the Energy and Commerce Committee and the bill is cosponsored by eighteen Republicans and Democrats, including the Chair {Rep Pallone (D,NJ)} and the Ranking Member {Rep McMorris (R,WA)}. This explains why the bill is moving forward with a markup hearing so quickly.

The bill has wide bipartisan support within the Committee and will have no problem passing in today’s hearing. The problem is going to be moving this bill forward to the floor of the House. Since this bill gives new authority to DOE over pipelines it also provides the Energy and Commerce Committee with new oversight responsibility as well. As I noted in my commentary on the introduction of HR 3243, this is going to put the Committee in direct conflict with the House Homeland Security Committee and the House Transportation and Infrastructure Committee as who will be top dog in keeping pipeline security under control.

Until that conflict is resolved, neither of these bills will be able to move to the floor of the House for consideration.

For a more detailed analysis of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-3078-introduced Subscription Required.

HR 3243 Introduced - Pipeline Security Act

Last week Rep Cleaver (D,MO) introduced HR 3243, the Pipeline Security Act. The bill would amend 49 USC 114, specifically charging the Transportation Security Administration with responsibility for pipeline cybersecurity. Additionally, the bill would require the establishment, and outline the responsibilities, of a pipeline security section within TSA.

The Homeland Security Committee considered the bill earlier this week in a markup hearing. After considering and adopting three separate amendments, the bill was ordered reported and favorably recommended to the full House. One of the amendments would raise the status of the TSA pipeline cybersecurity program by changing the ‘section’ to a ‘pipeline security division’.

Moving Forward

The unanimous consent adoption for this bill in Committee would indicate that the bill has strong bipartisan support. That would normally mean that it should move easily to the floor of the House, probably under the suspension of the rules process. Unfortunately, bipartisan support is not all that a bill needs to move forward. In this case there are at least three other committees (the Science, Space, and Technology Committee, the Energy and Commerce Committee, and the Transportation and Infrastructure Committee) that think that they should have oversight responsibilities for cybersecurity in pipelines.

The language in this bill would specifically cut them out of the oversight process. That is why the §1631 language was shoehorned into 6 USC Title XVI (the CISA title) instead of in 49 USC where the TSA §114 is. That means that two Committee Chairs and a number of influential congresscritters are going to work hard to stop this bill from moving forward. This chair infighting has delayed a large number of homeland security related initiatives over the years, chemical facility security being a prime example. At this point I do not see the House leadership moving this bill forward.

For a more detailed review of the contents of the bill and the amendments adopted in Committee, see my post (subscription required) on ‘CFSN Detailed Analysis’ on Substack.com.

Update on Cybersecurity Markup – 5-18-21

The House Homeland Security web site now has complete listings for the seven bills that it will be marking up this afternoon. Four of the bills are cybersecurity bills and a fifth deals with critical infrastructure. I have not yet had a chance to publish detailed reviews of each of these bills, so I am going to do a quick review of those that I have not reviewed.

The five bills of interest are:

• HR 2980, the “Cybersecurity Vulnerability Remediation Act”

• HR 3138, the “State and Local Cybersecurity Improvement Act”

• HR 3223, the “CISA Cyber Exercise Act”

• HR 3243, the “Pipeline Security Act”

• HR 3264, the “Domains Critical to Homeland Security Act”

HR 3138

This bill is similar to HR 5823 from last session. It would establish a grant program, the State and Local Cybersecurity Grant Program, with $500 million being authorized each year for the program through 2026. Each grant applicant would have to submit a cybersecurity plan to DHS for approval. Each applicant would also have to establish a cybersecurity planning committee. Multi-state grants would be authorized.

CISA would be required to establish a State and Local Cybersecurity Resiliency Committee. CISA would also be required to prepare and maintain a resource guide to help officials identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents.

Definition of ‘information system’ in this bill uses the ICS inclusive definition from 6 USC 1501.

HR 3223

This bill would amend the Homeland Security Act or 2002 by adding a new section 2220A, National Cyber Exercise Program. It would require CISA to establish a National Cyber Exercise Program  to evaluate the National Cyber Incident Response Plan. No additional funding authorization is provided. CISA is already conducting similar cybersecurity exercises.

HR 3243

This bill (Committee Print) would amend 49 USC 114, Transportation Security Administration, mandating that TSA continue being responsible for securing pipeline transportation and pipeline facilities against cybersecurity threats {new §114(f)(16)}.

It would also add a new section 1631, Pipeline Security Section, to a new Subtitle D, Pipeline Security, to the Homeland Security Act of 2002. It would require TSA to establish a pipeline security section to implement the responsibilities of §114(F)(16) {§1631(a)}. The new section would include personnel with cybersecurity expertise {§1631(c)}.

HR 3264

This bill (Committee Print) would add a new section 890B, Homeland Security Critical Domain Re6 Search And Development, to the Homeland Security Act of 2002. It defines two new terms {§890B(c)}: ‘United States critical domains for economic security’ (NOT related to  the cyber term ‘domains’) and ‘economic security’. Section 890B(a) would authorize research and development to identify and evaluate United States critical domains for economic security and homeland security. The bill authorizes $1 million for this program.

Bills Introduced – 5-14-21

Yesterday, with just the House in session, there were 36 bills introduced. Two of those bills will receive additional coverage in this blog:

HR 3243 To codify the Transportation Security Administration's responsibility relating to securing pipelines against cybersecurity threats, acts of terrorism, and other nefarious acts that jeopardize the physical security or cybersecurity of pipelines, and for other purposes. Rep. Cleaver, Emanuel [D-MO-5]

HR 3262 To require the Secretary of Transportation to submit a report on cybersecurity risks to motor vehicle safety, and for other purposes. Rep. Upton, Fred [R-MI-6]

Looking at the list of cosponsors, HR 3243 may be as much about maintaining committee oversight of the pipeline security as it is about improving pipeline cybersecurity. We will have to wait to see what the actual language is in the bill.