House Passes HR 3503

This afternoon the House passed HR 3503, the Department of Homeland Security Support to Fusion Centers Act of 2015 by a voice vote. The ‘debate’ lasted just over ten minutes and no amendments were allowed since the bill was considered under suspension of the rules.

The bill will move to the Senate where it will also, if moved to the floor, will be considered with little debate and no amendments.

I would still like to see this bill amended to include an assessment of the need for surface transportation and chemical facility intelligence analysis capability in DHS to support fusion centers, but that is unlikely to happen with this bill.

Homeland Security Committee Marks-Up Multiple Bills

Last Wednesday the House Homeland Security Committee held a markup hearing that dealt with a large number of bills. As I mentioned in an earlier post some of those bills will be of specific interest to readers of this blog. Those include:

HR 3350, the Know the CBRN Terrorism Threats to Transportation Act;

HR 3490, the Strengthening State and Local Cyber Crime Fighting Act;

HR 3503, the Department of Homeland Security Support to Fusion Centers Act of 2015;

HR 3510, the Department of Homeland Security Cybersecurity Strategy Act of 2015;

HR 3573, the DHS Science and Technology Reform and Improvement Act of 2015;

HR 3583, the Promoting Resilience and Efficiency in Preparing for Attacks and Responding to Emergencies (PREPARE) Act;

HR 3586, the Border and Maritime Coordination Improvement Act; and

HR 3584, the Transportation Security Administration Reform and Improvement Act of 2015.

HR 3350 was adopted without amendments on a voice vote.

HR 3490

HR 3490 was amended and adopted by a voice vote. Rep. Ratcliffe (R,TX) proposed substitute language reflecting the changes made to the bill in a Subcommittee markup which was adopted by a voice vote. Two amendments were offered by Rep. Jackson-Lee (D,TX). The first dealt with chain-of-custody training. The second dealt reaffirmed the supremacy of the fourth and fifth amendments with respect to the provisions of this bill. Both amendments were adopted by voice vote.

HR 3503

HR 3503 was amended and adopted by a voice vote. Two amendments were introduced by Rep. Loudermilk (R,GA). The first dealt with a requirement for DHS to conduct an assessment for accessibility and interoperability of the information systems used to share homeland security information between the Department and fusion centers. The second required DHS to enter into a memorandum of understanding about what types of information fusion centers would share with DHS. Both amendments were adopted by voice vote.

HR 3510

HR 3510 was amended and adopted by a voice vote. Rep. Clawson (R,FL) introduced one amendment which dealt with privacy concerns. That amendment was adopted by a voice vote.

HR 3578

HR 3578 was amended and adopted by a voice vote. Eight amendments, including alternative language offered by Rep. Ratcliffe, were offered and all were adopted on voice votes. The alternative language made no substantive changes of particular interest to readers of this blog. Of the remaining seven amendments only one of specific.

That amendment by Rep. Langevin (D,RI) that modifies the new §322 the bill adds to the Homeland Security Act of 2002. That section addressed cybersecurity R&D and this amendment adds a new activity to be addressed by DHS S&T; “support, in coordination with the private sector, the review of source code that underpins critical infrastructure information systems” {new §322(b)(4)}.

HR 3583

This bill was amended and adopted by a voice vote. Of the seven amendments offered and adopted only one would be of specific interest to readers of this blog. It was offered by Rep. Payne (D,NJ), the Ranking Member of the Committee.

The amendment modifies 6 USC 321e(c)(1); adding a new duty to job of Department Chief Medical Officer. That new requirement is specifically requiring the provision of advice on “how to prepare for, protect against, respond to, recover from, and mitigate against the medical effects of terrorist attacks or other high consequent events utilizing chemical, biological, radiological, or nuclear agents or explosives”. This wording still limits that advice to ‘chemical agents’ so it would not include advice on response to industrial chemical incidents unless they were used as part of a terrorist attack.

HR 3586

The bill was amended and adopted by a voice vote. Rep. Miller (R,MI) offered an amendment in the form of a substitute. That substitute language softened much of the language in the bill but did not make any substantive changes of particular interest to readers of this blog. None of the other ten amendments that were adopted on this bill were of specific interest to readers of this blog.

HR 3584

This bill was amended and adopted by a voice vote. None of the eight amendments adopted on this bill substantially affected areas of specific interest to readers of this blog.

Moving Forward

All of these bills are apparently on Chairman McCaul’s (R,TX) agenda for moving to the floor of the House. I expect that there is a good chance that they will all make it to the floor prior to the end of the year and there is a chance that they will all arrive on the same day. With the broad bipartisan support seen in Committee I expect that they will all be considered under suspension of the rules with limited debate and not floor amendments. All of these bills should pass with substantial bipartisan support.

I do not see any of these bills as being a high priority for getting consideration in the Senate. Any of these bills could easily pass and none would have significant opposition; it is just a matter of legislative priorities about which of these might make it to the floor of the Senate.

Commentary

Not surprisingly, none of the suggestions that I have made here in this blog for improving any of these bills were included in the amendments that were adopted. Oh well, that is always the problem with being a voice crying in the wilderness; the few people that do hear you are not necessarily ones that can do anything about it.

There was that one odd amendment by Langevin on HR 3578 that kind of interests me. It does not cover control systems since this new section uses the definition of ‘information systems’ from 44 USC 3502 which interestingly only applies to Federal IT systems.

I’m not sure what Langevin was trying to accomplish with this ‘review of source code’. Okay I suppose that I could guess that he wants someone to check these IT programs for bugs, but reviewing the source code is not probably the most effective method of doing that. And the terminology ‘that underpins critical infrastructure information systems’ was obviously not written by a programmer. Now the vendor should already be conducting a source code review prior to publishing the software, so I am not sure what Langevin is expecting this to accomplish.

The real interesting thing about this amendment is not actually what it does or tries to do, but the fact that it is part of a new trend in legislation over the last month or so where there are bits of cybersecurity language being added to bills that are not overtly cybersecurity bills. In many ways this is probably a more practical way to cybersecurity provisions passed. Large, all-encompassing bills are going to always draw somebodies ire and we will see few of them actually become law. Small targeted provisions (even if poorly written like this one) in a bill that is not going to draw substantial opposition are much more likely to get passed.

The problem is, of course, how to you keep the ineffective or even offensive small cybersecurity provisions out of otherwise good legislation? Amendments like Langevin’s are not posted in advance for public review and I doubt anyone on the Committee (members or staff) are tech savvy enough to understand how ineffective this provision actually is. And once an amendment is adopted in full committee it is unlikely to get removed in the remaining portions of the legislative process.

Small cybersecurity provisions that are written into original legislation are likely to be seen by reviewers like me, but will generally be overlooked by most people. This means that only the most objectionable are likely to draw the kind of opposition that will have them removed from the bill or modified to make them more workable.

This new approach of adding small, limited cybersecurity provisions to other types of legislation is going to start to make things interesting in the legislative process.

HR 3503 Introduced – DHS Fusion Center Support

Two weeks ago Rep. McSally (R,AZ) introduced HR 3503, the Department of Homeland Security Support to Fusion Centers Act of 2015. It would require DHS to examine the level of support that it was providing to fusion centers around the country and address security clearance issues for fusion center analysts.

Support Requirements

Section 2 of the bill would require the DHS Secretary to “conduct a needs assessment of Department personnel assigned to fusion centers” {§2(a)} in accordance with the requirements of 6 USC 124h(c). The bill requires specific attention be given to the need for additional personnel from:

• US Customs and Border Protection, US Immigration and Customs Enforcement, and the Coast Guard for fusion centers located near border and coastal areas; and

• Transportation Security Administration for fusion centers located in jurisdictions with large and medium hub airports.

The Secretary is given 120 to complete the needs assessment and 60 days thereafter to provide a report to Congress on the plan for fulfilling the needs identified.

Section 3 of the bill would require the Under Secretary for Intelligence to “shall establish a program to provide eligibility for access to information classified as Top Secret” for State and local analysts located in fusion centers. A report to Congress on the progress of implementation of this would be required in two years.

Moving Forward

McSally is a junior (but very influential; she is Chair of the Emergency Preparedness, Response, and Communications Subcommittee) member of the House Homeland Security Committee so she does have political pull to move this bill along through Committee. Add to that the fact that Committee Chair and the Counterterrorism and Intelligence Subcommittee Chair are cosponsors and we can see why this bill was considered in a subcommittee markup last week; less than a week after it was introduced. The bill was recommended to the full Committee without amendments on a voice vote.

This bill will almost certainly come to the full Committee next month where it will pass with a substantial bipartisan vote. Whether and when it comes to the House floor will depend on how the bill is prioritized by Chairman McCaul (R,TX). Due to its non-controversial nature and bipartisan support it would be considered under suspension of the rules without further amendments. If considered by the House it would pass with substantial bipartisan support.

Commentary

While there is nothing in the bill that is the least bit controversial there are some things that are clearly missing. There is nothing in this bill (or the underlying statute) that would provide additional intelligence capabilities for other specialized potential threats.  For example there is no mention of major ground transportation hubs or areas with large chemical manufacturing concentrations. Both of these areas would be high-threat areas with specific intelligence analysis requirements.

I suspect that a large part of reason for the mention of these areas is that there are no large organizations that would have the people necessary to spare to man such posts. The TSA ground folks and the CFATS folks are woefully undermanned and underfunded and have not been provided with a real intelligence analysis component in any case.

It would be helpful if this bill were to include a needs analysis requirement to examine the potential need for specialized intelligence analysis capability in these two areas to support fusion centers as well as a requirement to identify other specialized intelligence categories that might be needed by fusion centers.

The need for access to Top Secret intelligence information at the fusion center level is probably justified. I don’t think that there would be a high volume of such information, but the TS clearance process is so involved that there is no quick way to approve such clearances if a real specific need does arrive.

The problem the Congress continues to ignore, however, when directing DHS and other agencies to share classified intelligence with non-Federal agencies and organizations is that there is a steep cost associated with the communications facilities and storage requirements for classified information.  I think that it would be appropriate in this legislation for DHS to report on the specific costs to fusion centers for adding the capability to transmit, receive and store Top Secret materials.

Bills Introduced – 09-11-15

With just the House actually in session yesterday there were only sixteen bills introduced. Two of those may be of specific interest to readers of this blog:

HR 3490 To amend the Homeland Security Act of 2002 to authorize the National Computer Forensics Institute, and for other purposes. Rep. Ratcliffe, John [R-TX-4]

HR 3503 To require an assessment of fusion center personnel needs, and for other purposes. Rep. McSally, Martha [R-AZ-2]

I doubt that HR 3490 will have any specific language for control system forensics, but you never can tell.

With McSally’s interest in emergency response there may be specific language in HR 3503 pertaining to the incorporation of emergency response planners in fusion centers, but I’m not going to hold my breath.