Showing posts with label HR 3696. Show all posts

Monday, July 28, 2014

House Passes Four Homeland Security Bills

As I noted this morning the House addressed a number of bills today under suspension of the rules. Four of them were mentioned as being of probable interest to readers of this blog:

HR 2952 - The Critical Infrastructure Research and Development Act;
HR 3107 - The Homeland Security Cybersecurity Boots-on-the-Ground Act;
HR 3202 - The Essential Transportation Worker Identification Credential Assessment Act; and
HR 3696 - The National Cybersecurity and Critical Infrastructure Protection Act.

All four bills, as expected, passed with impressive bipartisan support. Two of the bills (HR 2952 and HR 3696) passed by voice votes. The other two bills passed in voice votes; HR 3107 (395 to 8) and HR 3202 (400 to 0). Interestingly, HR 3107 was incorporated into HR 3696 before the bill was reported by the Homeland Security Committee.


I suspect the four bills could also garner similar bipartisan support in the Senate. There is a possible problem for HR 3696. This bill is as close as things will get in the near future to being a comprehensive cybersecurity bill. ‘Comprehensive bills’ have been routinely held up by Sen. Reid (D,NV) as the various affected committees in the Senate tried to craft their own bills. I suspect that Reid will do the same for this bill as the leadership tries to craft a deal to pass S 2588, the Cybersecurity Information Sharing Act of 2014. It is not really a competing bill, but Reid seems to figure that he can only pass one significant cybersecurity bill each session.

Congressional Hearings – Week of 7-27-14

This is the start of the last week currently scheduled for the House and Senate to be in Washington until after the Labor Day Weekend. There is only one hearing currently scheduled that is of specific interest to readers of this blog; a Senate markup hearing that looks at a number of interesting bills including CFATS.

Senate Markup Hearing

On Wednesday the Senate Homeland Security and Governmental Affairs Committee will hold a business meeting to cover a wide range of nominations and legislation. Included in the list of bills to be addressed are:

HR 4007, the Chemical Facility Anti-Terrorism Standards Program Authorization and Accountability Act of 2014;
S 2547, the RESPONSE Act of 2014; and
S 2664, a public alert and warning system bill yet to be published.

HR 4007 is, of course, the bill of biggest interest here. The Committee leadership has been talking about writing their own bill since the first of the year, but has failed to reach a consensus on that language. There has been recent talk about Chairman Carper (D,DE) wanting to see language added that would allow Tier 4 facilities to ‘self-certify’ compliance with the site security plan requirements. That amendment would probably be acceptable to the House. Anything more complicated than that might derail passage of this bill.

House Floor

Today the House will consider a number of bills under suspension of rules. Four of them will be of interest to readers of this blog:

HR 2952 - The Critical Infrastructure Research and Development Act;
HR 3107 - The Homeland Security Cybersecurity Boots-on-the-Ground Act;
HR 3202 - The Essential Transportation Worker Identification Credential Assessment Act; and
HR 3696 - The National Cybersecurity and Critical Infrastructure Protection Act.


The House leadership has determined that these bills have enough bipartisan support to ensure their passage with a 2/3 vote. I’m kind of surprised that HR 3696 made that cut considering the number of organizations that still have problems with privacy issues in the bill. We will see if they get surprised on this vote; it does happen periodically.

Thursday, February 6, 2014

House Committee Amends and Adopts HR 3696 – Cybersecurity

Yesterday the House Homeland Security Committee conducted a markup hearing for HR 3696, the National Cybersecurity and Critical Infrastructure Protection Act of 2013. An amendment in the form of a substitute was offered by Chairman McCaul (R,TX) and fourteen other amendments were offered by other committee members. The revised language and twelve of the amendments were adopted by voice votes. The two remaining amendments were withdrawn.

Major Changes

Most of the major changes made to the bill by yesterday’s committee action were structural instead of policy changes. The original §106 (Assessment of Cybersecurity Workforce) was removed when similar provisions were added in the new §301. The language in that section (Homeland Security Cybersecurity Boots-on-the-Ground Act) comes from the bill already reported by the Committee, HR 3107.

Section 107 was also moved to the new TITLE III (Homeland Security Cybersecurity Workforce) as §302 and §108 was renumbered §106.

A new §205 (Prohibition on Collection Activities to Track Individuals’ Personally Identifiable Information.) was added by the substitute language. Two other new sections were added (National Research Council Study on the Resilience and Reliability of the Nation’s Power Grid; and Cybersecurity Scholars) in the amendment process.

Definition Changes

The bill revises the Definitions section of the Homeland Security Act of 2002 (6 USC 101) and yesterday’s actions modified some of those changes. Three of the originally proposed definitions were removed:

• The term ‘cybersecurity provider’
• The term ‘cybersecurity system’
• The term ‘protected private entity’

One new definition was added:

The term ‘cybersecurity mission’ means activities that encompass the full range of threat reduction, vulnerability reduction, deterrence, incident response, resiliency, and recovery activities to foster the security and stability of cyberspace.

And one definition was revised:

The term ‘private entity’ means any individual or any private or publically-traded company, public or private utility (including a utility that is a unit of a State or local government, or a political subdivision of a State government) [added], organization, or corporation, including an officer, employee, or agent thereof.

None of these changes really mean much to anyone beyond litigators.

Cybersecurity Framework

As I mentioned in the initial blog post about this bill, §201 essentially codifies the cybersecurity framework portion of the President’s cybersecurity executive order (EO 13636). The substitute language made some interesting changes to §201. The new language now amends the Homeland Security Act of 2002 by adding §230 instead of §230B; that is an administrative change only.

The language, however, describing what is essentially the authoring language for the cybersecurity framework was removed from the proposed section §230 while remaining in §201 of the bill. The best I can assume is that this makes some obscure change in the legal status of the provisions of §201(a).

The revised language also adds a new sub-paragraph to §201(a):

“(a)(2) LIMITATION.—Information shared with or provided to the Director of the National Institute of Standards and Technology or the Secretary of Homeland Security for the purpose of the activities under paragraph (1) may not be used by any Federal, State, or local government department or agency to regulate the activity of any private entity.”

This is just another example of where this bill goes out of its way to make sure that the cybersecurity provisions it establishes are completely voluntary in nature.

Inconsequential Changes

The remaining changes to the bill are essentially inconsequential wording changes, some of which are made for purely political reasons.

A good example of an inconsequential change is the wholesale language substitution in Title I where the phrase “such a system or network” is substituted where the phrase “an information system or network of information systems” appears a second time in a sentence. This makes the wording sound better but it does not alter the intent of the bill.

Moving Forward

This bill is certainly high on Chairman McCaul’s priority list and the broad support that it has within the Committee certainly indicates that it would have the votes necessary to pass on the floor of the House and the Senate. I expect that we will see the bill on the floor of the House within weeks instead of months. Then the question will be whether or not Sen. Reid (D,NV) will continue to ignore House cybersecurity bills while waiting on the Senate to come up with acceptable language for a comprehensive cybersecurity bill.


Since this bill does not address information breaches in the private sector, I have a feeling that the current pressure for a private sector breach notification bill will hold up Senate consideration of this bill. And that is a shame. This bill may not have any strong cybersecurity mandates, but it is the most comprehensive cybersecurity bill currently before Congress.

Monday, February 3, 2014

Congressional Hearings – Week of 2-2-14

This week with both the House and Senate in session again, there will be two hearings held that might be of specific interest to readers of this blog; a hearing on the Coast Guard homeland security mission and a markup of cybersecurity legislation.

Coast Guard

On Tuesday the Border and Maritime Security Subcommittee of the House Homeland Security Committee will hold a hearing on the “Future of the Homeland Security Missions of the Coast Guard.” The only witness currently scheduled will be the Commandant, Admiral Papp. MTSA issues may certainly be raised.

Cybersecurity Legislation

On Wednesday, the House Homeland Security Committee will be holding a markup hearing of the Chairman’s cybersecurity bill, HR 3696. This is the bipartisan National Cybersecurity and Critical Infrastructure Protection Act of 2013 and it is looking increasingly like it may have a good chance of passage this year. The Committee will consider substitute language that I haven’t yet had a chance to review.

On the Floor

Not much happening in the House this week. HR 1791 is being considered today. It is an emergency response grant bill that will certainly pass with broad bipartisan support.


The Senate will be finishing up their consideration of HR 2642, the Agriculture authorization bill.

Wednesday, January 15, 2014

House Panel Passes HR 3696

Today the Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee of the House Homeland Security Committee held a markup hearing to address HR 3696, the National Cybersecurity and Critical Infrastructure Protection (NCCIP) Act of 2013. After adopting six of the seven amendments considered, the amended version of the bill was adopted by the Subcommittee in a voice vote.

Only two of the amendments made substantive changes to the bill. Amendment 2A, offered by Rep. Clarke (D,NY), added Title III – Homeland Security Cybersecurity Boots-on-the-Ground. Amendment 6, offered by Rep. Daines (R,MT), added a Federal agency breach reporting requirement where personally identifiable information (PII) is compromised.

The Title III amendment is essentially HR 3107 that had already been approved by the Homeland Security Committee in a markup hearing back in October and reported by the Committee in December. It looks like adding the language to this bill will increase the chance of the provisions being considered by the House in a floor vote.

The breach reporting amendment would add a requirement to the new §228. Paragraph (d) would have a new subparagraph (11) added that would require the National Cybersecurity and Communications Integration Center (NCCIC) to implement policies and procedures that would:

• Require Federal civilian agencies to send reports and information to the Center about all personally identifiable information breaches that occur on Federal civilian information systems not later than two business days after the discovery of such a breach {§228(d)(11)(B)}; and
• Require Federal civilian agencies to notify all potential victims of a data breach involving personally identifiable information not later than two business days after the date on which such an agency sends a report and information to the Center {§228(d)(11)(C)}.


The full Committee will take action on this bill sometime after the House comes back to Washington after a one week ‘District Work’ session.

Thursday, December 12, 2013

Bills Introduced – 12-11-13

While the Senate is still stuck in Wednesday session as of 4:20 am CST, and thus their bills introduced yesterday have not yet been listed, there is one bill from the House that needs to be listed for readers of this blog.

HR 3696 Latest Title: To amend the Homeland Security Act of 2002 to make certain improvements regarding cybersecurity and critical infrastructure protection, and for other purposes. Sponsor: Rep McCaul, Michael T. (R,TX)

This bill is a bipartisan bill introduced by McCaul, Rep. Meehan (R,PA), Rep. Thompson (D,MS) and Rep. Clarke (D,NY). A House Homeland Security Committee draft copy is available as a staff summary. I’ll have a detailed look at the bill later, but it does specifically address industrial control systems through the definition of ‘information system’ being added to 6 USC 101:

“The term ‘information system’ means the underlying framework and functions used to process, transmit, receive, or store information electronically, including programmable electronic devices, communications networks, and industrial or supervisory control systems [emphasis added] and any associated hardware, software, or data.”


Since this definition is being added to the entire Homeland Security Act of 2002, this may have more far reaching consequences than the remainder of this bill if passed.
 