Showing posts with label HR 5733. Show all posts

Tuesday, June 26, 2018

House Passes STSAC Authorization and ICS Security Bills


Yesterday the House passed two bills that have been covered in this blog: HR 5081, the Surface Transportation Security and Technology Accountability Act of 2018, and HR 5733, the DHS Industrial Control Systems Capabilities Enhancement Act of 2018. Both bills were considered under the suspension of the rules process and were approved by voice vote.

I do not often mention the ‘floor debate’ on bills considered under the suspension of the rules process because that debate normally consists of congratulations on the bipartisan effort to develop the bill in committee. While we certainly saw a good measure of that in the debate on the ICS cybersecurity bill, we also saw a potentially important mention of the DHS ICS-CERT.

In his brief speech supporting the bill, Rep. Langevin (D,RI) talked at some length about the important work being done by ICS-CERT. He started by explaining his amendment adopted by the House Homeland Security Committee on vulnerability disclosures (pg H5631):

“During the committee consideration, I was also proud to offer an amendment to codify ICS-CERT’s coordinated vulnerability disclosure program [emphasis added] that ensures ICS vulnerabilities can be reported securely, promptly, and responsibly.”

He goes on to note (pg H5632):

“The coordinated vulnerability [disclosure] program does just that by helping critical infrastructure owners and operators who receive notices from ICS-CERT about discovered vulnerabilities and effective patches before malicious actors have a chance to exploit any flaws. Mr. Speaker, this bill would empower ICS-CERT to carry out this mission fully and effectively [emphasis added].”

While I have been critical of the bill’s failure to mention both ICS-CERT and US-CERT as the organizations that actually carry out the specified work of the National Cybersecurity and Communications Integration Center (NCCIC), the specific mention of the role of ICS-CERT in the congressional debate on this bill will go a long way in preserving the existence of, and defining the role of, that organization.

Monday, June 25, 2018

Committee Hearings – Week of 06-24-18


With both the House and Senate in session this week it looks to be a busy week for Committee work. We are still seeing spending bills being marked-up and we have three cybersecurity related authorization bills. There will also be a Senate mark-up of the TWIC Reader Delay bill in that body.

Spending Bills

• Monday – House Rules Committee – HR 6157 DOD;
• Tuesday – House Rules Committee – HR 6157 DOD;
• Tuesday – House Committee – LHHS;
• Tuesday – Senate Sub-Committee – DOD;
• Tuesday – Senate Sub-Committee – LHHS;
• Thursday – Senate Committee – DOD; and
• Thursday – Senate Committee – LHHS

The Senate will finish work on HR 5895, the FY 2019 EWR spending bill Monday evening. The House will take up HR 6157, the FY 2019 DOD spending bill, either late Tuesday or on Wednesday.

Cybersecurity Authorization Bills


The three authorization bills with a cybersecurity nexus are for the National Telecommunications and Information Administration (NTIA), the National Institute of Standards and Technology (NIST) and the intelligence community.

On Tuesday the Communications and Technology Subcommittee of the House Energy and Commerce Committee will hold a hearing on their draft of an authorization bill for NTIA. The witness list includes:

• Michael D. Gallagher, Entertainment Software Association;
• John Kneuer, JKC Consulting; and
• Joanne S. Hovis, CTC Technology and Energy

The draft bill includes two ‘Sense of Congress’ sections on cybersecurity threats and supply chain vulnerabilities, and on preservation of domain name system and WHOIS service.

On Wednesday the House Science, Space, and Technology Committee will hold a mark-up hearing for three as yet unintroduced bills. One of those is the draft of the NIST authorization bill. The draft includes a section on general cybersecurity and a separate section on IoT that includes cybersecurity language.

On Thursday the House Intelligence Committee will hold the inevitably closed hearing for their mark-up of the as yet unpublished FY 2019 Intelligence Authorization Act. The draft is not publicly available and, of course, the good stuff will be in the classified annex to the bill.

TWIC Reader Rule


On Wednesday the Senate Commerce, Science, and Transportation Committee will hold a mark-up hearing on eight bills, including S 3094. The text of that bill has not yet been published by the GPO, but it sounds like it should be a companion bill to HR 5729, the Transportation Worker Identification Credential Accountability Act of 2018. Having reviewed the Coast Guard NPRM on their proposed selective delay of the implementation of the TWIC Reader Rule, I do not think that the two legislative delay attempts and the Coast Guard delay are driven by the same issues.

On the Floor


In addition to the two spending bills on the floor this week, we will also see the House take up two bills of potential interest to readers of this blog. Later today the House will consider HR 5081, the Surface Transportation Security and Technology Accountability Act of 2018, and HR 5733, the DHS Industrial Control Systems Capabilities Enhancement Act of 2018. Both bills will be taken up under the suspension of the rules provisions. This means limited debate and no floor amendments. It also means that the leadership expects serious bipartisan support for both bills since a super-majority is required for passage.

The House is also scheduled to take up a motion to go to conference on HR 5515, the FY 2019 DOD authorization bill, that passed in the Senate last week.

Thursday, June 7, 2018

Committee Marks-Up Homeland Security Bills


Yesterday the House Homeland Security Committee met to mark-up 10 pieces of legislation. Two of those bills deal with topics of specific interest to readers of this blog: industrial control system security (HR 5733) and the Transportation Worker Identification Credential (TWIC; HR 5729). Both bills were amended and then adopted by unanimous consent.

ICS Security


Rep. Langevin (D,RI) proposed the single amendment to HR 5733. It added a new subparagraph to the proposed amendment to 6 USC 148 that outlines the responsibilities of the National Cybersecurity and Communications Integration Center (NCCIC) to address industrial control system security issues. The new sub-paragraph reads:

“(4) collect, coordinate, and provide vulnerability information to the industrial control systems community by, as appropriate, working closely with security researchers, industry end-users, product manufacturers, and other industrial control systems stakeholders; and”

TWIC Reader Rule Delay


Rep. Jackson-Lee (D,TX) proposed the single amendment to HR 5729. The amendment added an ‘every 90-day’ reporting requirement on the status of DHS’s continued delays in meeting its requirement to conduct an evaluation of the efficacy of the TWIC program. That unmet evaluation requirement is the underlying reason for delaying the implementation of the TWIC Reader Rule.

Moving Forward


The ‘unanimous consent’ provided for the adoption of both of these bills (as amended) is a strong measure of the bipartisan support they have in Committee. This means that they will probably be taken up by the whole House under the suspension of rules provision with no further amendments and they will certainly receive the super-majority required to pass bills under those provisions. The only question now is when they will make it to the floor of the House.

Commentary


The new language added to HR 5733 certainly affirms the current activities of the ICS-CERT in coordinating and publishing industrial control system security alerts and advisories. The lack of a formal definition of ‘industrial control system’ beyond the vague “including supervisory control and data acquisition systems” {new §148(f)(1)} does nothing to affirm the ICS-CERT responsibility for medical devices or transportation systems, which are arguably not ‘industrial’.

As I noted in my post about the introduction of this bill, HR 5733 would have been an ideal place to deal with the IT-centric definition of ‘information systems’ and to provide a proactive definition of ‘industrial control system’ that could be used throughout DHS. Unfortunately, the lack of such action yesterday almost ensures that this bill will not be the vehicle for establishing that definition.

Tuesday, June 5, 2018

Committee Hearings – Week of 06-03-18


This week, with both the House and Senate back from their extended Memorial Day weekend, spending bills will be the major topic on the Hill. There will also be two other hearings of potential interest to readers of this blog. The first will be a committee markup of a number of homeland security related bills. The second will be a hearing dealing with drone defense and S 2836.

Spending Bills

In addition to the Rules Committee hearings and floor consideration of HR 5895 that I mentioned in an earlier post, there will be some additional spending bills marked up this week:

• Tuesday – Senate – Subcommittee – Transportation, Housing and Urban Development (THUD), and Related Agencies;
• Tuesday – Senate – Subcommittee – Military Construction, Veterans Affairs, and Related Agencies;
• Wednesday – House – Committee – Interior, Environment, and Related Agencies;
• Thursday – House – Subcommittee – DOD; and
• Thursday – Senate – Committee – THUD

Markup Hearing


On Wednesday the House Homeland Security Committee will be holding a markup hearing to look at 10 bills. Of those, three may be of specific interest to readers of this blog:

• HR 5733, the DHS Industrial Control Systems Capabilities Enhancement Act of 2018;
• HR 5729, the Transportation Worker Identification Credential Accountability Act of 2018; and
• HRes 898, Directing the Secretary of Homeland Security to transmit certain documents to the House of Representatives relating to Department of Homeland Security policies and activities relating to homeland security information produced and disseminated regarding cybersecurity threats posed by the ZTE Corporation, headquartered in Shenzhen, China.

The resolution is effectively a subpoena to be issued by Congress. It was introduced by Rep. Thompson (D,MS). It is a straightforward listing of the types of documents that Thompson expects DHS to provide, without any of the politically loaded ‘Congressional findings’ that frequently accompany such documents. Practically speaking, since Thompson is the Ranking Member of the Committee, he should be influential enough in his own right to have this resolution considered by the Committee, but I suspect that there will also be at least some bipartisan support for the resolution.

Drone Defense


On Wednesday the Senate Homeland Security and Governmental Affairs Committee will hold an informational hearing on S 2836 and Countering Malicious Drones. The witness list includes:

• David J. Glawe, Department of Homeland Security;
• Hayley Chang, Department of Homeland Security;
• Scott Brunner, Federal Bureau of Investigation; and
• Angela H. Stubblefield, Federal Aviation Administration

This hearing will be focused on the policy and legal aspects of counter-drone operations. I suspect that the witnesses will be generally supportive of S 2836, but it will be informative to see how far down into the weeds they get on the legal aspects.

I am glad to see Chairman Johnson holding this type of hearing before moving to a markup of his bill. I think that it would also be helpful if the Committee held a hearing looking at the types of technology currently available to conduct counter-drone operations.

Monday, May 14, 2018

Committee Hearings – Week of 05-13-18


With both the House and Senate in session this week, we see both bodies working on must-complete issues: spending and the National Defense Authorization Act (NDAA). We will also see a markup hearing dealing with our ICS cybersecurity bill.

Spending Bills


The House Appropriations Committee is fully into the spending bill markup process. The Full Committee will mark-up the FY 2019 Energy and Water and Agriculture, Rural Development, Food and Drug Administration, and Related Agencies Appropriations Bill on Wednesday. Subcommittee mark-ups of possible interest here this week include:

• FY 2019 Interior, Environment, and Related Agencies Appropriations Bill – Tuesday; and
• FY 2019 Transportation, and Housing and Urban Development (THUD), and Related Agencies Appropriations Bill – Wednesday

The Senate Appropriations Committee subcommittees are still looking at the details of the respective budget requests, so they are a tad bit behind the House on the bill writing schedule. That is not a significant problem, as the House has to consider spending bills before the Senate can act on them. The Senate Appropriations Committee will have language ready by the time the House bills make it to the Senate even if they do not have their own bills introduced.

NDAA


The House Armed Services Committee finished their mark-ups of HR 5515 last week and ordered the bill reported to the House. I expect to see an official version of the bill published this week. The House Rules Committee has announced that it is accepting proposed amendments to the bill through Thursday morning. This means that it will probably be considered on the floor of the House next week.

The Senate Armed Services Committee is starting the mark-up process for their version of the NDAA (not yet introduced) this week with subcommittee mark-ups. The Subcommittees of potential interest here include:

• Subcommittee on Cybersecurity; and
• Subcommittee on Emerging Threats

Both will hold their mark-ups on Tuesday. Both will be closed hearings.

Cybersecurity Mark-Up


On Wednesday the House Homeland Security Committee will be holding a mark-up hearing to consider nine bills. HR 5733, the DHS Industrial Control Systems Capabilities Enhancement Act of 2018, is one of the bills being considered. No word yet on any possible amendments.

Sunday, May 13, 2018

HR 5733 Introduced – ICS Cybersecurity


Last week Rep. Bacon (R,NE) introduced HR 5733, the DHS Industrial Control Systems Capabilities Enhancement Act of 2018 (Note: the link is to a Committee draft of the bill, not the official GPO version). The bill would amend 6 USC 148 to provide specific requirements for the National Cybersecurity and Communications Integration Center (NCCIC) to address industrial control system security issues.

Section 148 Amendments


The bill would make two specific amendments to §148. First it would add to the list of principles outlined in paragraph (3)(1) the following language: “activities of the Center address the security of both information technology and operational technology, including industrial control systems;”.

Second the bill would add a new paragraph (f) that would require the NCCIC to “maintain capabilities to identify and address threats and vulnerabilities to products and technologies intended for use in the automated control of critical infrastructure processes.” This would specifically include requirements to:

• Lead, in coordination with relevant sector specific agencies, Federal Government efforts to identify and mitigate cybersecurity threats to industrial control systems, including supervisory control and data acquisition systems;
• Maintain cross-sector incident response capabilities to respond to industrial control system cybersecurity incidents;
• Provide cybersecurity technical assistance to industry end-users, product manufacturers, and other industrial control system stakeholders to identify and mitigate vulnerabilities; and
• Conduct such other efforts and assistance as the Secretary determines appropriate.

Moving Forward


Bacon and both of his cosponsors {Rep. McCaul (R,TX) and Rep. Ratcliffe (R,TX)} are members of the House Homeland Security Committee, to which this bill was assigned. The bill is currently scheduled to be marked-up by that Committee on Wednesday. While there are no Democratic sponsors for the bill, I expect that it will receive bipartisan support in the Committee and on the floor of the House. It would likely be considered under the suspension of the rules provisions in the House (limited debate, no floor amendments).

Commentary


While I certainly applaud the addition of control system language to this bill, the lack of a definition of ‘industrial control system’, and of conforming changes to the other definitions in §148, is likely to cause problems down the road. I would like to offer this definition for addition to §148(a):

Industrial Control System - The term ‘control system’ means a discrete set of information resources, sensors, communications interfaces and physical devices organized to monitor, control and/or report on physical processes, including but not limited to: manufacturing, transportation, access control, and facility environmental controls;

Additionally, the following existing definitions need revision:

Cybersecurity Risk - The term ‘cybersecurity risk’ means:

(A) threats to and vulnerabilities of information, information systems, or control systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information, information systems, or control systems, including such related consequences caused by an act of terrorism; and

(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;

Incident - The term ‘incident’ means an occurrence that actually, or imminently jeopardizes, without lawful authority:

(A) the integrity, confidentiality, or availability of information on an information system,

(B) the timely availability of accurate process information, the predictable control of the designed process or the confidentiality of process information, or

(C) an information system or a control system;

I am disappointed that there was no specific mention of cyber emergency response teams, either US-CERT or ICS-CERT. This bill would have been a good place to add mention of them in §148(d)(1)(C). With the addition of industrial control systems to the areas of NCCIC oversight the mention of ICS-CERT would certainly be appropriate, and that mention could not be made without also including US-CERT.

Finally, I am astounded that this bill did not modify the ‘functions’ of the NCCIC, as outlined in §148(c). If the definitions I suggested above were adopted, at least part of that problem would be corrected because of the frequent references to ‘cybersecurity risk’ and ‘incidents’ in that subsection. Even so, the language of §148(c)(7) would still need to add mention of industrial control systems to ensure that the NCCIC appropriately addresses the cybersecurity issues associated with control systems.

Thursday, May 10, 2018

Bills Introduced – 05-09-18


Yesterday, with both the House and Senate in session, there were 43 bills introduced. Of these, two may be of specific interest to readers of this blog:

HR 5729 To restrict the department in which the Coast Guard is operating from implementing any rule requiring the use of biometric readers for biometric transportation security cards until after submission to Congress of the results of an assessment of the effectiveness of the transportation security card program. Rep. Katko, John [R-NY-24]

HR 5733 To amend the Homeland Security Act of 2002 to provide for the responsibility of the National Cybersecurity and Communications Integration Center to maintain capabilities to identify threats to industrial control systems, and for other purposes. Rep. Bacon, Don [R-NE-2]

The Transportation Worker Identification Credential (TWIC) reader rule was adopted in 2016 with an implementation date of August 23, 2018. With the Coast Guard having proposed a rule to delay the implementation of that rule, and now this bill being introduced, it would seem that the regulated community is having some problems with the implementation. Katko is the Chair of the Transportation and Protective Security Subcommittee of the House Homeland Security Committee. It will be interesting to see how fast this bill is considered in that Subcommittee. It will have to be quick (next week?) if HR 5729 is to be effective.

I am really looking forward to seeing the text of HR 5733 for two reasons. First I am hoping to see an effective definition of control system that can be used in this and subsequent cybersecurity legislation. Second, since this looks to be an authorization bill, it will be interesting to see if ICS-CERT is specifically mentioned.
