Showing posts with label HR 6237. Show all posts

Friday, February 15, 2019

S 245 Introduced – FY 2019 Intel Authorization

Last month Sen. Burr (R,NC) introduced S 245, the Damon Paul Nelson and Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018 and 2019. Intel authorization bills were introduced last session (HR 6237 and S 3153), but only the House bill received any action; it passed by a vote of 363 to 54. No action was taken in the Senate on either bill.

Cybersecurity Provisions


There are a number of cybersecurity related provisions in this bill, but only one of potential specific interest to the industrial control system community. The cybersecurity sections of note include:

§303. Modification of special pay authority for science, technology, engineering, or mathematics positions and addition of special pay authority for cyber positions.
§307. Consideration of adversarial telecommunications and cybersecurity infrastructure when sharing intelligence with foreign governments and entities.
§308. Cyber protection support for the personnel of the intelligence community in positions highly vulnerable to cyber attack.
§309. Modification of authority relating to management of supply-chain risk.
§422. Establishment of Energy Infrastructure Security Center.
§701. Limitation relating to establishment or support of cybersecurity unit with the Russian Federation.

EISC


The potentially interesting ICS provision is, of course, §422 establishing the EISC. A nearly identical provision (different section/paragraph numbers is the only difference) was included in HR 6237. I covered that issue in my post on the introduction of the earlier bill.

Missing Provision


Last year Burr’s authorization bill included a section on energy sector cybersecurity. This was taken almost in whole cloth from last session’s S 79. A bill similar to S 79 was introduced earlier this session; S 174. It is not clear if Burr left this out because he felt that S 174 had a good chance to pass on its own (not likely in my opinion) or whether he got push-back from including the costly provisions in last year’s intel bill.

Moving Forward


Burr’s bill will move forward in Committee; he is, after all, the Chair of the Senate Select Committee on Intelligence. Getting it to the floor of the Senate may prove to be a bigger problem; he has not had an intel authorization bill on the floor since the FY 2017 bill passed.

Commentary


This used to be considered one of the ‘must pass’ annual authorization bills, but since Trump came to town that does not seem to be the case. Spending bills continue to be approved, but the general Congressional oversight provided through the authorization bills seems to be less important as the community status has waned under Trump. This is doubly unfortunate given the cybersecurity troubles being seen in the world.

Tuesday, July 24, 2018

S 3153 Introduced – FY 2018/19 Intel Authorization


Last month Sen. Burr (R,NC) introduced S 3153, the Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018 and 2019. Both the bill and the accompanying Committee Report pay special attention to control system security issues.

Energy Sector Cybersecurity


Section 732 of the bill would require the Secretary of Energy to establish a 2-year pilot program to study control system security in the energy sector. The pilot program would be funded at $10 Million for the 2-year study. This section is essentially the same as S 79 which was reported in the Senate earlier this year by the Energy and Natural Resources Committee.

ICS Security and the Intelligence Community


On page 17 of the Committee Report, the matter of industrial control system security is directly addressed. The Report notes:

“The Committee is aware of significant threats to our critical infrastructure and industrial control systems posed by foreign adversaries. The sensitive nature of the information related to these threats make the role of the IC of vital importance to United States defensive efforts. The Committee has grave concerns that current IC resources dedicated to analyzing and countering these threats are neither sufficient nor closely coordinated. The Committee includes provisions within this legislation to address these concerns.”

Section 732 of the bill (described above) is the only place that I can find in the unclassified portions of the bill and annexes that directly mentions activities related to ICS security.

Moving Forward


The House passed HR 6237, the House version of this bill earlier this month. While the House bill did receive a large measure of bipartisan support, the Senate will still take up this version of the bill as an amendment to HR 6237 when it comes to the floor of the Senate. I expect that to happen sometime after the Senate returns from the abbreviated summer recess next month. There will be some contentious political amendments offered for the bill when it makes it to the floor, but eventually a version of the bill will be passed and then a conference committee will meld the two versions together into a workable whole.

Commentary


It is interesting to see the language from S 79 appear in this bill. Sen. King (I,ME) has been trying to get this bill to move forward through two sessions of Congress now, so it is not unexpected that he would use his position on the Intelligence Committee to try to advance the bill when it was apparently stalled after being approved in the Energy and Natural Resource Committee.

The association between this bill and the intelligence community is vague to say the least. The working group to be established would be under the Department of Energy which does have some tenuous ties to the IC, but that has been mainly in support of nuclear weapons program, not power generation. King has always included a representative of the IC in the working group {§732(c)(2)(F) in this bill}, but that always seemed to me to be a pro forma inclusion as a source of information rather than an actual participant.

It will be interesting to see where the funds come from to support this program. If they come out of the intelligence spending bill, then I expect that the role of the IC will be much more important in the activities of the working group and the resulting study.

One political fact is certain however. Since the authorization for the program (if it makes it to the final bill that reaches the President’s desk) comes from the Intelligence Committee, it will be that Committee (and its House counterpart) that will provide the oversight for the program; that alone will color many of the decisions made as the program proceeds.

Friday, July 13, 2018

OOPS – Big Mistake on Previous Post


I do not know how it happened (probably too tired to read straight), but I linked to (and got wrong) the incorrect roll-call vote and reported it as being on HR 6237. The actual vote was 363 to 54 which is substantially bipartisan and should reflect enough bipartisan support for the bill to be considered in the Senate in its current form.

House Passes HR 6237 – FY 2018/19 Intel Authorization


Today the House passed HR 6237, the Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018 and 2019, on a nearly party-line vote of 233 to 184 (6 Republican Noes and 9 Democrat Ayes). Twelve amendments were considered, but none were of specific interest to readers of this blog.

The bill has now been tossed to the Senate. Unfortunately, with the party-line vote in the House, there is not much of a chance that the Senate will take up the bill in its current form. There has not been a Senate version of the bill to substitute for the House language like we have seen in the spending bills, so that is probably not an option for consideration of HR 6237 in the Senate.

The intel community can survive without an authorization bill as long as the spending bills continue to pass. The big problem with the lack of authorization is that this reinforces the fact that Congress really has no stomach for maintaining oversight of the grey areas that surround the IC. Congress as a whole is perfectly content to allow a small number of Senators and Representatives to exercise the oversight out of sight and mind. Until, of course, something blows up….

See next post (Updated 07:30 EDT 7-13-18)

Monday, July 9, 2018

Committee Hearings – Week of 07-08-18


With both the House and Senate in session this week we start to see movement on other things than just spending bills. We have two cybersecurity hearings of potential interest and HR 6237, the FY 2018/19 intel authorization bill.

Spending Bills

• Wednesday – House – Committee - Labor, Health and Human Services, Education, and Related Agencies
• Wednesday – House – Rules Committee – HR 6147 (LHHE) Amendment Deadline

Cybersecurity


On Wednesday the House Homeland Security Committee will be holding a hearing on “DHS’s Progress In Securing Election Systems And Other Critical Infrastructure”. The witness list includes:

• Christopher Krebs, DHS; and
• Nellie Gorbea, State of Rhode Island

While securing the election process is certainly important it is generally outside of the scope of this blog. I am mentioning this hearing though because of the following statement on the hearing web site:

“The hearing will also provide Members an opportunity to hear about DHS’s role working across all 16 critical infrastructure sectors because a cyber threat to elections may pose a similar threat to other critical infrastructure sectors.”

It will be interesting to hear what questions the Committee has for Krebs.

On Wednesday the Senate Commerce, Science, and Transportation Committee will hold a hearing on “Complex Cybersecurity Vulnerabilities: Lessons Learned from Spectre and Meltdown”. The witness list includes:

• Donna Dodson, NIST;
• José-Marie Griffiths, Dakota State University;
• Joyce Kim, ARM;
• Art Manion, Carnegie Mellon University; and
• Sri Sridharan, University of South Florida

This is potentially too complex a topic for a congressional hearing. I hope the witnesses take this into account and concentrate on policy type issues instead of the technical details. It will be interesting to see what questions are posed by the Senators; this will reflect on the quality of the technical support the committee has.

Intelligence Authorization Act


On Wednesday the House Rules Committee will hold a hearing to set the rule for the consideration of HR 6237, the Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018 and 2019. Thirty-seven amendments have been submitted to the Committee for consideration for inclusion in the debate on HR 6237. None of those amendments should be of specific interest to readers of this blog.

Last year’s version of the bill, HR 3180, finally passed the House under a closed rule (limited debate, no amendments), but was never considered in the Senate. It will be interesting to see how the Committee deals with this bill this year. The bill is scheduled to come to the floor on Thursday.

On the Floor


In addition to HR 3180, the House will also take up HR 5729, the Transportation Worker Identification Credential Accountability Act of 2018. That bill will be considered tomorrow under the suspension of the rules process; limited debate, no amendments, and a super-majority to pass. The bill will almost certainly pass with wide bipartisan support.

As I noted in my post on S 3094, the companion bill to HR 5729, from reading the Committee Report on the bill it is clear that the impetus for proposing this bill was to ‘punish’ DHS and the Coast Guard for ignoring the dictates of Congress. That will not, however, be the basis for the widespread support for the bill. It provides a wide variety of congress critters a chance to vote against the TWIC program (for an equally wide variety of reasons) without taking any real action to affect the program. They get a show vote for certain constituencies without having to negatively affect a security program. You cannot get a better bill for politicians.

Thursday, July 5, 2018

HR 6237 Introduced – Intel Authorization


Last month Rep. Nunes (R,CA) introduced HR 6237, the Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018 and 2019. The bill contains the two Divisions reflecting authorizations for both fiscal years. There are two reports of interest and a requirement to establish an Energy Infrastructure Security Center mentioned in the unclassified portion of the bill. Additionally, the Committee Report discusses a topic with a potential for impact on cybersecurity information sharing.

Reports


Section 1506 of the bill requires the Director of National Intelligence (DNI) to submit a report to Congress on “the potential establishment of a fully voluntary exchange program between elements of the intelligence community and private technology companies” {§1501(a)}. The report would address intelligence community (IC) to private sector and private sector to IC sharing of cybersecurity qualified personnel.

Section 1510 of the bill would require the DNI to prepare a report to Congress on how each element of the IC implements the Vulnerabilities Equities Policy and Process. The report would address who at each agency is responsible for determining whether “a vulnerability must be submitted for review under the Vulnerabilities Equities Process” {§1510(a)(1)(A)(i)} and the process used for making that determination. A subsequent report would be required when changes are made at an agency. The required report would be unclassified (but generally unavailable to the public), but could potentially include classified annexes. Additionally, the section would require an annual classified report to Congress on {§1510(b)(1)}:

• The number of vulnerabilities submitted for review under the Vulnerabilities Equities Process;
• The number of vulnerabilities described in subparagraph (A) disclosed to each vendor responsible for correcting the vulnerability, or to the public, pursuant to the Vulnerabilities Equities Process; and
• The aggregate number, by category, of the vulnerabilities excluded from review under the Vulnerabilities Equities Process, as described in paragraph 5.4 of the Vulnerabilities Equities Policy and Process document.

Energy Infrastructure Security Center


Section 2422 amends 42 USC 7144b by inserting a new paragraph (d) which requires the Secretary to establish the Energy Infrastructure Security Center within the DOE’s Office of Intelligence and Counterintelligence (the old Office of Counterintelligence as revised by this bill). The EISC will coordinate and disseminate intelligence relating to the security of the energy infrastructure of the United States. This mission will include {new §7144b(d)(2)}:

• Establishing a primary organization within the United States Government for analyzing and integrating all intelligence possessed or acquired by the United States pertaining to the security of the energy infrastructure of the United States;
• Ensuring that appropriate departments and agencies have full access to and receive intelligence support needed to execute the plans or activities of the agencies, and perform independent, alternative analyses;
• Establishing a central repository on known and suspected foreign threats to the energy infrastructure of the United States, including with respect to any individuals, groups, or entities engaged in activities targeting such infrastructure, and the goals, strategies, capabilities, and networks of such individuals, groups, or entities; and
• Disseminating intelligence information relating to the security of the energy infrastructure of the United States, including threats and analyses, to the President, to the appropriate departments and agencies, and to the appropriate committees of Congress.

Committee Report

On page 48 of the Committee Report the Committee notes that “businesses without ownership of a Sensitive Compartmented Information Facility (SCIF), which includes many small businesses, find it very difficult to perform classified work”. They go on to note that “Construction and accreditation of SCIF spaces may be cost-prohibitive for small business and non-traditional government contractors.”

After briefly discussing the apparently unrelated idea of innovation hubs, the Committee suggests that such hubs might be a model to solve the problem of providing small businesses access to SCIFs. They then call for a report to Congress that addresses:

• Potential approaches to allow for SCIF spaces to be certified and accredited outside of a traditional contractual arrangement;
• Options for classified co-use and shared workspace environments such as: innovation, incubation, catalyst, and accelerator environments;
• Pros and cons for public, private, government, or combination owned classified neutral facilities; and
• Any other opportunities to support companies with appropriately cleared personnel but without ownership of a SCIF effective access to a neutral SCIF.

Moving Forward


This bill was approved by a unanimous vote of the Committee. That would normally mean that bipartisan support for the bill could be expected when the bill gets to the floor in the coming weeks. Unfortunately, as we saw with HR 3180 (the FY 2018 version of this bill) that is not necessarily true. That bill was finally passed in the House by a near party-line vote and was thus not able to receive consideration in the Senate.

This bill also contains a number of provisions (see the ‘Minority Views’ section of the Report starting on page 164) that might draw opposition from Democrats, especially in an election year. We will have to wait and see how this bill fares on the House floor before we can predict its chance of final passage.

Commentary


The establishment of the EISC is certainly a measure of the congressional recognition of the potential foreign threats to the energy infrastructure in this country. I am concerned, however, with the bill’s failure to address the need for sharing the intelligence information produced by the EISC with private sector entities responsible for the operation of that infrastructure. I suppose it could be argued that the Federal Energy Regulatory Commission (FERC) would be the appropriate agency through which that information might be expected to flow, but I still would have expected to see specific private sector information sharing requirements in the EISC language.

Of course, congressional intent to share intelligence information with appropriate private sector entities is not always successful as we have seen with the DHS automated information sharing (AIS) program. Part of that is the failure of the intelligence community to prepare unclassified briefs on intelligence information, but that is not always possible to do. The larger problem is the inability of many private sector organizations to handle classified information. This is where the Report’s attention to SCIFs may end up being more important than the Committee intended.

They were specifically looking at expanding the access to classified information to small contractors, but the larger use of non-traditional SCIFs may be for the sharing and processing of classified information by organizations that cannot justify the cost of establishing their own SCIF so that they may be able to process classified intelligence reports that may or may not be made available to them.

Thursday, June 28, 2018

Bills Introduced – 06-27-18


Yesterday with both the House and Senate in session there were 35 bills introduced. Of these, one may be of specific interest to readers of this blog:

HR 6237 To authorize appropriations for fiscal years 2018 and 2019 for intelligence and intelligence-related activities of the United States Government, the Community Management Account, and the Central Intelligence Agency Retirement and Disability System, and for other purposes. Rep. Nunes, Devin [R-CA-22]

Of course, the good stuff will be in the classified annex to the bill, but I will be watching the public version of the bill for cybersecurity language. The text of the bill is already available, and it is rather unusual in that it has two titles, the first is the authorization act for FY 2018 and the second for FY 2019. A quick look at the table of contents for each title shows some potentially interesting sections in each. More later.

 