Showing posts with label Homeland Security.

Monday, November 18, 2024

Review - Committee Hearings – Week of 11-17-24

This is week 2 of the lame duck session of the 118th Congress. Significantly more hearing action this week. There will be two homeland security threat hearings, two cybersecurity hearings and one markup hearing. Nothing of particular interest here scheduled for floor action.

Homeland Security Threats

Both Homeland Security committees (House and Senate) will hear this week from the administration security folks about current threats.

Cybersecurity Hearings

Tomorrow the Transportation and Maritime Security Subcommittee of the House Committee on Homeland Security will hold a hearing on “Impacts of Emergency Authority Cybersecurity Regulations on the Transportation Sector”.

Also on Tuesday, the Subcommittee on Privacy, Technology, and the Law of the Senate Judiciary Committee will hold a hearing on “Big Hacks & Big Tech: China’s Cybersecurity Threat”.

Markup Hearing

On Wednesday, the Senate Homeland Security and Governmental Affairs Committee will hold a business meeting to consider five nominations, 22 bills (including three cybersecurity related bills), and seven postal service facility naming bills.

 

For more information about these hearings, including witness lists and commentary, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/committee-hearings-week-of-11-17 - subscription required.

Monday, November 14, 2022

Committee Hearings – Week of 11-13-22

This week the 117th Lame Duck session begins, with both the House and Senate meeting in Washington. We have two homeland security hearings to watch and confirmation hearings for the CSB.

Homeland Security

On Tuesday, the House Homeland Security Committee will hold a hearing on “Worldwide Threats to the Homeland”. The witness list includes:

• Alejandro Mayorkas, DHS,

• Christopher Wray, FBI, and

• Christine Abizaid, ODNI

Cybersecurity issues will definitely be discussed.

On Wednesday, the Senate Judiciary Committee will hold a hearing on “Oversight of the Department of Homeland Security”. No witness list is currently available.

I expect that cybersecurity regulations at TSA and CISA may be briefly addressed.

CSB Nominations

On Thursday, the Senate Environment and Public Works Committee will hold a nomination hearing for two CSB nominees: Stephen A. Owens to be Chairperson of the Chemical Safety and Hazard Investigation Board and Catherine J.K. Sandoval to be Member. Owens is currently a Member of the Board and acting as Chair. Sandoval was nominated by President Biden back in June. Sandoval is a law professor at Santa Clara University in California and has served on the California Public Utilities Commission. She has accident investigation experience from her time at CPUC.

There are currently three vacancies on the five-member Chemical Safety Board.

Monday, September 20, 2021

Committee Hearings – Week of 9-19-21

This week, with the House and Senate both in Washington, and a lot of controversial stuff on the legislative agenda for the next two weeks, the hearing agenda is relatively light. We do have two hearings on the homeland security threat, an important Rules Committee Hearing, one cybersecurity hearing, and a confirmation hearing for three CSB nominees this week.

Homeland Security Threat

On Tuesday the Senate Homeland Security and Governmental Affairs Committee will hold a hearing on “Threats to the Homeland: Evaluating the Landscape 20 Years After 9/11”. The witness list includes:

• Alejandro N. Mayorkas, DHS,

• Christopher A. Wray, FBI, and

• Christine Abizaid, National Counterterrorism Center

On Wednesday, the House Homeland Security Committee will hold a hearing on “Worldwide Threats to the Homeland: 20 Years After 9/11”. The witnesses will be the same as above.

While cybersecurity and right-wing extremists will certainly be mentioned, I expect that in both of these hearings we will see the most sound and fury in discussions about the al Qaeda threat from Afghanistan.

Rules Committee

Today the Rules Committee will meet to formulate the rule for three measures that will be taken up by the House this week; two of those will be of interest here:

• HR _____— An act making continuing appropriations for the fiscal year ending September 30, 2022, and for providing emergency assistance, and for other purposes

• HR 4350— National Defense Authorization Act for Fiscal Year 2022

There is no text currently available for the Continuing Resolution. This is coming early enough, though, that I expect that the Democrats will try to load it up some since they can always come back next week with a cleaner, less controversial version that could pass in the Senate next week and still not worry about shutting down the government.

The reported language for HR 4350 is available, and I will have more on that later today. At least 852 amendments have been submitted for consideration; I am not even going to bother trying to look at those in any detail. The Rules Committee will sort and pare that down to a more reasonable number to be considered on the floor of the House.

Cybersecurity Hearing

On Thursday, the Senate Homeland Security and Governmental Affairs Committee will hold a hearing on “National Cybersecurity Strategy: Protection of Federal and Critical Infrastructure Systems”.

The witness list includes:

• Chris Inglis, National Cyber Director,

• Jen Easterly, CISA, and

• Christopher DeRusha, OMB

While it will be fairly wide ranging, I expect to hear significant discussion about mandatory breach notification rules.

Confirmation Hearing

On Wednesday, the Senate Environment and Public Works Committee will hold a business meeting. The meeting will include votes on three nominations for the US Chemical Safety and Hazard Investigation Board (CSB). The nominees are:

• Stephen A. Owens,

• Jennifer B. Sass, and

• Sylvia E. Johnson

Tuesday, November 29, 2016

HR 6381 Introduced – Homeland Security Improvements

Earlier in the lame duck session Rep. McCaul (R,TX) introduced HR 6381, the DHS Reform and Improvement Act. This is essentially a DHS authorization bill, except that it only specifically authorizes funds for some of the programs described in the bill, not for the Department as a whole. The bill has been cobbled together from a wide variety of previously introduced (and in some cases amended) bills.

The bill is as wide ranging as is the coverage of DHS. Sections within this bill that may be of specific interest to readers of this blog include:

Sec. 101. Drone assessment and analysis;
Sec. 212. Transportation Worker Identification Credential waiver and appeals process;
Sec. 533. Medical Countermeasures Program;
Sec. 601. Cybersecurity and Infrastructure Protection Agency;
Sec. 701. Improving cybersecurity risk assessments, information sharing, and Coordination;
Sec. 702. Cybersecurity enhancements to maritime security activities;
Sec. 703. Vulnerability assessments and security plans;
Sec. 801. Authorization of the National Computer Forensics Institute of the Department of Homeland Security;
Sec. 901. CBRNE Office;
Sec. 902. Chemical Division;
Sec. 1901. [Cybersecurity] Information sharing;
Sec. 1902. Homeland security [cybersecurity] grants;
Sec. 2101. Cybersecurity research and development projects;
Sec. 3001. State and local coordination on cybersecurity with the National Cybersecurity and Communications Integration Center;
Sec. 3231. Surface Transportation Inspectors; and
Sec. 3234. Security training for frontline transportation workers.

I am not going to attempt to describe the provisions of all of the above sections; I’ve dealt with each of them in discussing their source legislation. Suffice to say there is nothing new here and I have not been able to find any significant changes in any of the provisions.

It looks like McCaul is making one last attempt to get Congress to address all of these homeland security issues. Addressing the individual bills piecemeal in the lame duck session is simply not possible, even under suspension of the rules. There is a remote chance that this bill could be considered, but first McCaul has to convince nine other Committee Chairs to sign off on the bill before it comes to the floor.


I suspect that the bill could pass with some bipartisan support. The question is whether or not there is enough bipartisan support to allow the bill to be considered under suspension of the rules. If not, the bill is unlikely to be considered in the House and would never be considered in the Senate before the end of the session.

Saturday, November 19, 2016

Bills Introduced – 11-18-16

Yesterday with only the House in a very short session there were 12 bills introduced. One of those bills may be of specific interest to readers of this blog:

HR 6381 To provide for certain homeland security improvements, and for other purposes. Rep. McCaul, Michael T. [R-TX-10]


This looks like it could be a very wide ranging bill as it was referred to ten committees for consideration. This could be interesting.

Monday, October 14, 2013

HR 3283 Introduced – Public Alert System

As I noted in an earlier blog post, Rep. Bilirakis (R,FL) introduced HR 3283, the Integrated Public Alert and Warning System Modernization Act of 2013, a bill that proposes to update the federal public alert and warning systems to the digital era. The bill would add a new section to Title V of the Homeland Security Act of 2002 (6 USC 311 et seq.): §526 (§321o), National Integrated Public Alert and Warning System Modernization.

Section 2 of this bill contains a long list of Congressional Findings about the current outdated system of alerting the public to a wide range of natural and manmade emergencies. It closes with the comment that “although significant Federal integration efforts are underway, the aggregation, dissemination, and reporting system necessary for effective public alert and warning will require an integrated national network for reliable, secure, and authentic dissemination of emergency alerts and warnings by Federal, State, local, and tribal entities that are authorized to issue alerts to the public” {§2(5)}.

National Integrated Public Alert and Warning System

Section 526(b) would require the Homeland Security Secretary to implement and modernize a public alert and warning system. In doing so the Secretary would be required to:

• Establish or adapt, as appropriate, common alerting and warning protocols, standards, terminology, and operating procedures {§526(b)(1)};
• Include the capability to adapt the dissemination of homeland security information and other information and the content of communications on the basis of geographic location, risks, or personal user preferences {§526(b)(2)};
• Include the capability to alert, warn, and provide the equivalent amount of information to individuals with disabilities and access and functional needs {§526(b)(3)};
• Ensure the conduct of training, tests, and exercises for the public alert and warning system {§526(b)(4)};
• Ensure that ongoing training is provided to State, local, tribal, and other homeland security stakeholders involved in the transmission of such messages {§526(b)(5)};
• Ensure that the public alert and warning system uses the National Terrorism Advisory System {§526(b)(6)};
• Conduct, at least once every 3 years, periodic nationwide tests of the public alert and warning system {§526(b)(7)}; and
• Consult, coordinate, and cooperate, to the extent practicable, with other Federal agencies and departments and with State, local, and tribal governments, the private sector, and other key stakeholders to leverage existing alert and warning capabilities {§526(b)(8)}.

Advisory Committee

The new language added would require the Homeland Security Secretary to establish the Integrated Public Alert and Warning System Advisory Committee (IPAWSAC) {§526(d)} to make recommendations on how to modernize and implement the national integrated public alert and warning system. The Advisory Committee would include State, tribal and local government agencies (including emergency response and emergency planning agencies), a variety of private sector representatives as well as representatives of a variety of affected federal agencies including:

• FCC
• NOAA
• DOC
• DHS S&T; and
• FEMA

The Advisory Committee would be required to prepare an annual report on the ‘continuation and improvement of an integrated public alert and warning system’ that would address:

• Recommendations for common alerting and warning protocols, standards, terminology, and operating procedures {§526(d)(7)(A)};
• An assessment of the accomplishments and deficiencies of the public alert and warning system {§526(d)(7)(B)};
• Recommendations for increasing participation in the system {§526(d)(7)(C)}; and
• Recommendations for improvements to the system {§526(d)(7)(D)}.

Those improvements would include:

• The capability to adapt the distribution and content of communications on the basis of geographic location, risks, multiple communication systems and technologies or personal user preferences {§526(d)(7)(D)(i)};
• The capability to alert and warn individuals with disabilities and access and functional needs and individuals with limited English proficiency {§526(d)(7)(D)(ii)};
• Incorporates multiple communications technologies {§526(d)(7)(D)(iii)};
• Is designed to adapt to, and incorporate, future technologies {§526(d)(7)(D)(iv)};
• Encourages proper use by State and local governments of the public alert and warning system through training programs and other means {§526(d)(7)(D)(v)};
• Is designed to provide alerts to the largest portion of the affected population feasible, including nonresident visitors and tourists, and improve the ability of remote areas to receive alerts {§526(d)(7)(D)(vi)};
• Promotes local and regional public and private partnerships to enhance community preparedness and response {§526(d)(7)(D)(vii)};
• Promotes the participation of representatives from underserved and underrepresented communities {§526(d)(7)(D)(viii)}; and
• Provides redundant alert mechanisms where practicable so as to reach the greatest number of people {§526(d)(7)(D)(ix)}.

Moving Forward


This is another motherhood and apple pie bill that will certainly receive bipartisan support if it ever reaches the floor of the House and Senate. The question is will it receive enough leadership support to move out of committee (it has been referred to both the Homeland Security and the Transportation and Infrastructure Committees) and then to the floor. This could sneak through as one of those little debated bills considered under suspension of the rules.

Saturday, September 7, 2013

Congressional Hearings – Week of 9-8-13

Well, Congress actually came back to work yesterday, three days before their scheduled return from the summer recess, because of the problems with Syria and use of chemical munitions. That will continue to dominate the news, but there are other things of import going on in Washington, including two hearings that might be of interest to the chemical and cyber security communities; both deal with the Homeland Security enterprise.

Homeland Security Enterprise

On Tuesday the House Homeland Security Committee will hold a hearing to take a look at the “Crisis in Syria: Implications for Homeland Security”. The witnesses include:

• Reuel Marc Gerecht, Foundation for Defense of Democracies;
• Joseph I. Lieberman, Former Senator from the State of Connecticut;
• General Robert H. Scales Jr., Former Commandant of the US Army War College; and
• Christopher Shays, Former Representative in Congress from the 4th District of Connecticut

On Wednesday the Senate Homeland Security and Governmental Affairs Committee will be holding a hearing to look at “DHS at 10 Years: Examining Challenges and Achievements and Addressing Emerging Threats”. The witnesses include:

• Thomas J. Ridge, Former Secretary of DHS;
• Jane Harman, Former Representative from the State of California;
• Admiral Thad W. Allen, Former Commandant of the U.S. Coast Guard; and
• Stewart A. Baker, Former Assistant Secretary for Policy at the DHS

The subject of Syria and the topic of asymmetric response will almost certainly be raised in both hearings. If the Congress authorizes the use of military force against Syria, potential response could include attempts at serious cyber-attacks against the homeland by either Syria or Iran and the possibility of chemical attacks (either with smuggled CW or improvised CW or industrial CW) on US interests abroad or possibly here at home. The first will probably receive some attention in these hearings, but I suspect the second will conveniently be ignored.

FY 2014 Budget

It looks like the leadership in the House and Senate has officially given up on passing any of the FY 2014 spending bills. The House Majority Leader’s web site notes that later in the week the House will consider “H.J.Res. __ - Continuing Appropriations Resolution, 2014 (Subject to a Rule) (Sponsored by Appropriations Committee)”. This CR has apparently not yet been drafted, but it will almost certainly continue the authorization for the CFATS program through the life of the CR (no later than December 20th). It will almost certainly continue program funding across the board at FY 2013 levels. I’ll keep an eye out for the Rules Committee Hearing on this CR.


It is unusual for a CR to be introduced this early in the month, but the House Leadership knows that there is no guarantee that they will have the votes necessary to pass the bill. Introducing it this early will allow them a second and maybe third chance before October 1st.

Sunday, June 23, 2013

Comments on Proposed Revisions to NIPP – 6-22-13

This is the first in a series of blog posts about the public comments posted to the DHS proposed revisions to the National Infrastructure Protection Plan (NIPP).

We are now a little over a week into the one month comment period and four comments, all from individuals, have been posted to the Federal eRulemaking Portal for this docket. None of them is particularly responsive to the proposed revisions to the NIPP. We do have suggestions for:

• Building sea water canals into the interior of Western Africa to help prevent hurricanes along the East Coast and Gulf Coast of the United States;
• Providing more public availability of severe weather warnings;
• Placing educational institutions in their own Critical Infrastructure Sector (okay this comes close to what the NIPP is all about); and
• Making it a federal criminal offense to undertake a variety of criminal actions on, at or against Critical Infrastructure facilities (it takes Congress to enact criminal statutes).

The main problem with these suggestions is that they actually propose specific actions to be taken by the Federal Government. Anyone that has managed to stay awake long enough to read the current NIPP (and I am not one of that very limited number) would understand that this is a bureaucratic statement of general policy that is flexible enough to cover just about any action the Federal Government takes or doesn’t take with regards to Homeland Security.


I suspect that in the coming weeks we will see comments from a number of NGOs and contractors suggesting additions that would favor their pet projects. That is what we saw during the comment period for the last update in 2008.

Saturday, June 8, 2013

HSIN Advisory Committee Meeting – 6-25-13

DHS published a meeting notice in Monday’s Federal Register (78 FR 34665-34666, available on line today) for a public teleconference of the Homeland Security Information Network Advisory Committee (HSINAC) to be held on June 25th, 2013. The major topic of the meeting will be the implementation of Release 3 of the Homeland Security Information Network (HSIN).

HSIN R3

Specific topics to be addressed will be:

• Review the HSINAC members' HSIN Release 3 (R3) registration experiences;
• Discuss the results of the HSIN Policy/HSIN Development informal analysis and capture feedback from the HSINAC members;
• Identity Proofing (IDP) Process;
• HSIN Legacy to HSIN Release 3 Migration Process; and
• HSIN Release 3 Value Proposition.

Identity Proofing

Since one of the main purposes of the HSIN is the dissemination of sensitive but unclassified (SBU) information the system must have a means of verifying personal identity. According to this notice, HSIN R3 will use “knowledge-based questions pertaining to their [individual’s] personal financial history, credit history, etc. in order to successfully verify their identity before gaining access into HSIN Release 3”.

Now, for reasons pertaining to my gadfly status (you have to agree not to release SBU information) I have not and will not seek access to the restricted information portions of HSIN, so this does not apply to me. Still, I would be very leery of sharing this information with DHS and would be concerned if DHS was collecting this information from other sources to ‘verify my identity’. I’m certainly not a privacy activist, but you do have to draw the line somewhere.

There are other ways of verifying identity for the level of security necessary to protect SBU. The CFATS program, for example, has a fairly effective method of providing access to their Chemical Security Assessment Tool (CSAT), a communications network for the sharing of Chemical-Terrorism Vulnerability Information (CVI), a specific subset of SBU. Surely the folks at the DHS Office of Operations Coordination and Planning can come up with a better method than collecting financial information on participants.

Public Participation

Public participation in this teleconference is being solicited by DHS. The public can monitor the teleconference via phone (1-800-320-4330, Conference Pin: 673978) or at a meeting room in Washington. Public comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # DHS-2013-003). There is a 15-minute period near the end of the meeting set aside for oral public comments; registration is required (Michael.brody@hq.dhs.go).


BTW: The notice does indicate that a more detailed agenda will be published on the HSIN web site. Don’t hold your breath; they still have not added the minutes from an August, 2010 meeting and there are no minutes/agendas for any meetings in 2011, 2012, or 2013. 

Tuesday, January 29, 2013

Cybersecurity Threat Landscape


Cliff Gregory started an interesting discussion yesterday on the Cyber Security in Real-Time Systems group (membership required) on LinkedIn. He asks an interesting question considering that it is the start of the 113th Congress: does the US need a Critical Infrastructure Protection Act? To start off that discussion he gives a pretty good short summary of the history of hacking.

With Cliff’s discussion as a starting point, I think that we can all agree that there has been a significant change in the threat environment over the last decade or so. There are now a wide variety of actors in the cyber-threat space with an even wider variety of motivations, goals and capabilities.

Civil Issues


The first thing that we must realize is that some of these cyber-threats are not issues to be solely resolved by governmental action. A certain level of responsibility for protection of cyber assets rests with the owners and operators of cyber related enterprises. This is going to have to include some sort of minimum standards for the protection of cyber assets, both physical and informational.

These standards are going to be risk-based much the same way that homeowners with pools are required to have more anti-trespassing measures in place than someone with just a patio in their backyard. Higher levels of protection are going to have to be required where the information or systems protected are more valuable.

Another area in the civil realm will be the use of civil courts to allow individuals who are affected by cyber-crimes to look for redress from those entities that were entrusted with the protection of personal information or assets. Class action suits against entities that allow personal information entrusted to their care to be stolen may be the most effective way to ensure that the information handling meets minimum standards of protection.

Law Enforcement Issue


Many of these threat actors are simply law breakers that ought to be dealt with through the criminal justice system. Identity theft, electronic funds theft, computer fraud, web page defacing, and a certain level of hacktivism are all generally equivalent to offenses in the physical sphere that are routinely handled by law enforcement personnel. The cyber-versions of these crimes should also be handled by law enforcement personnel and the courts.

This is certainly going to require the development of cyber-police capabilities to investigate these simply criminal acts. Legislators at all levels are going to have to review current criminal statutes to ensure that the current definitions of crimes are broad enough to encompass their cyber-equivalents. And the courts will have to establish the appropriate changes to the evidentiary requirements to deal with the prosecution of these criminal acts.

Because of the transnational nature of many of the criminals involved, the Federal government is going to have a large role in the law enforcement realm over and above their necessary involvement in enforcing criminal statutes for crimes that cross state boundaries.

Homeland Security Issue


The Department of Homeland Security in the United States was established as an organization in 2002 to deal with threats to the country that fell somewhere between the strictly law enforcement and military realms. These threats include areas such as counter-terrorism, border protection, immigration and large scale disaster relief. It is clear that some of the cyber-threats that we face fall within these areas of operation.

In these areas it is clear that the Congress, DHS and the Federal Courts will have to take similar action with respect to these cyber-threats as State and local governments will have to take with the purely law enforcement actions described above.

It must not be forgotten that DHS has responsibility, mainly through FEMA, to help State and local officials respond to natural and man-made disasters that are too large, or cross political boundaries. Similar activities must be addressed for the closely related cyber-disasters as seen last year in the aftermath of Sandy. Congress and DHS need to firmly establish the necessity for responding to cyber-disasters and provide the technical and financial wherewithal to provide the appropriate response.

Military Issue


While DHS has border protection responsibilities it is clear that there is a difference between border protection and border defense. The latter clearly falls into the military realm. While it may be relatively easy to differentiate between the responsibility for stopping terrorists at the border and stopping an invading army, it will not be as easy to determine which agency has responsibility for preventing, detecting and responding to cross border cyber-attacks.

With Iran reportedly conducting state-sponsored denial-of-service (DOS) attacks against banks in the United States in response to the supposed (no proof or admission at this point) US involvement in the Stuxnet attack, it is clear that we need to have the political discussion about where the line is drawn between homeland protection and national defense in the cyber-realm. It does seem clear that the line will not be clear-cut so that there will have to be more than the usual coordination and cooperation between DHS and DOD in this area.

More Discussion


Now this has clearly been a broad look at the different areas of how these three areas are delineated. I’ll try to look at them in more detail in future posts.

Monday, March 7, 2011

Congressional Hearings – Week of 3-7-11

This week there are four hearings on Capitol Hill that might end up being of some interest to the chemical security community; nothing directly about chemical security, but they might end up touching on related issues. They will be two House committee hearings and two in the Senate.

Homeland Security

The House Homeland Security Committee will be holding a hearing on “The Extent of Radicalization in the American Muslim Community and that Community's Response” on Thursday, March 10th, at 9:30 am EST. This hearing highlights the conflict that we will probably see develop between Chairman King (R, NY) and Ranking Member Thompson (D, MS). Thompson has complained that the focus on Muslim radicalization ignores other potential terrorist threats.

The Senate Judiciary Committee is scheduled to hold an oversight hearing for DHS on Wednesday, March 9th at 10:00. No word yet on the issues that the Committee will address in this hearing, but Secretary Napolitano is the only witness currently listed.

Budget

The focus of the FY 2012 budget hearing before the House Appropriations Committee starts to look at agencies within departments. The Homeland Security Subcommittee will hold a hearing this week to look at the President’s budget request for the Coast Guard. The March 10th hearing at 2:00 pm EST might touch on TWIC issues, particularly the TWIC Reader implementation, or the harmonization of CFATS and MTSA; but these are relatively low level issues.

The Senate Committee on Commerce, Science, and Transportation will look at the FY 2012 budget request for the Department of Transportation. Not too much in the way of security issues expected to come up in this hearing. It will be interesting to see if the rumors of huge increases in the PHMSA fees for special permits will be addressed.
 