Showing posts with label Intelligence Authorization. Show all posts

Thursday, May 30, 2019

S 1589 Reported in the Senate – FY 2018, 2019, and 2020 Intel Authorization


Last week Sen. Burr (R,NC) introduced (and the Senate Intelligence Committee reported – without a written report) S 1589, the Damon Paul Nelson and Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018, 2019, and 2020. This bill is essentially S 245 (introduced earlier this year) as Division B with a relatively short Division A tacked onto the front for FY 2020.

Moving Forward


Okay, I have no clue. The Senate has not taken up an intelligence authorization bill since Trump came into office. This bill has been one of the annual ‘must pass’ bills for as long as I remember, but that is apparently no longer true.

Commentary


There is nothing in the new Division A language that I would care to take time to comment upon. See my comments on S 245 for the cybersecurity provisions in Division B.

Thursday, July 5, 2018

HR 6237 Introduced – Intel Authorization


Last month Rep. Nunes (R,CA) introduced HR 6237, the Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018 and 2019. The bill contains the two Divisions reflecting authorizations for both fiscal years. There are two reports of interest and a requirement to establish an Energy Infrastructure Security Center mentioned in the unclassified portion of the bill. Additionally, the Committee Report discusses a topic with a potential for impact on cybersecurity information sharing.

Reports


Section 1506 of the bill requires the Director of National Intelligence (DNI) to submit a report to Congress on “the potential establishment of a fully voluntary exchange program between elements of the intelligence community and private technology companies” {§1501(a)}. The report would address intelligence community (IC) to private sector and private sector to IC sharing of cybersecurity qualified personnel.

Section 1510 of the bill would require the DNI to prepare a report to Congress on how each element of the IC implements the Vulnerabilities Equities Policy and Process. The report would address who at each agency is responsible for determining whether “a vulnerability must be submitted for review under the Vulnerabilities Equities Process” {§1510(a)(1)(A)(i)} and the process used for making that determination. A subsequent report would be required when changes are made at an agency. The required report would be unclassified (but generally unavailable to the public) but could potentially include classified annexes. Additionally, the section would require an annual classified report to Congress on {§1510(b)(1)}:

• The number of vulnerabilities submitted for review under the Vulnerabilities Equities Process;
• The number of vulnerabilities described in subparagraph (A) disclosed to each vendor responsible for correcting the vulnerability, or to the public, pursuant to the Vulnerabilities Equities Process; and
• The aggregate number, by category, of the vulnerabilities excluded from review under the Vulnerabilities Equities Process, as described in paragraph 5.4 of the Vulnerabilities Equities Policy and Process document.

Energy Infrastructure Security Center


Section 2422 amends 42 USC 7144b by inserting a new paragraph (d) which requires the Secretary to establish the Energy Infrastructure Security Center within the DOE’s Office of Intelligence and Counterintelligence (the old Office of Counterintelligence as revised by this bill). The EISC will coordinate and disseminate intelligence relating to the security of the energy infrastructure of the United States. This mission will include {new §7144b(d)(2)}:

• Establishing a primary organization within the United States Government for analyzing and integrating all intelligence possessed or acquired by the United States pertaining to the security of the energy infrastructure of the United States;
• Ensuring that appropriate departments and agencies have full access to and receive intelligence support needed to execute the plans or activities of the agencies, and perform independent, alternative analyses;
• Establishing a central repository on known and suspected foreign threats to the energy infrastructure of the United States, including with respect to any individuals, groups, or entities engaged in activities targeting such infrastructure, and the goals, strategies, capabilities, and networks of such individuals, groups, or entities; and
• Disseminating intelligence information relating to the security of the energy infrastructure of the United States, including threats and analyses, to the President, to the appropriate departments and agencies, and to the appropriate committees of Congress.

Committee Report

On page 48 of the Committee Report the Committee notes that “businesses without ownership of a Sensitive Compartmented Information Facility (SCIF), which includes many small businesses, find it very difficult to perform classified work”. They go on to note that “Construction and accreditation of SCIF spaces may be cost-prohibitive for small business and non-traditional government contractors.”

After briefly discussing the apparently unrelated idea of innovation hubs, the Committee suggests that such hubs might be a model to solve the problem of providing small businesses access to SCIFs. They then call for a report to Congress that addresses:

• Potential approaches to allow for SCIF spaces to be certified and accredited outside of a traditional contractual arrangement;
• Options for classified co-use and shared workspace environments such as: innovation, incubation, catalyst, and accelerator environments;
• Pros and cons for public, private, government, or combination owned classified neutral facilities; and
• Any other opportunities to support companies with appropriately cleared personnel but without ownership of a SCIF effective access to a neutral SCIF.

Moving Forward


This bill was approved by a unanimous vote of the Committee. That would normally mean that bipartisan support for the bill could be expected when the bill gets to the floor in the coming weeks. Unfortunately, as we saw with HR 3180 (the FY 2018 version of this bill) that is not necessarily true. That bill was finally passed in the House by a near party-line vote and was thus not able to receive consideration in the Senate.

This bill also contains a number of provisions (see the ‘Minority Views’ section of the Report starting on page 164) that might draw opposition from Democrats, especially in an election year. We will have to wait and see how this bill fares on the House floor before we can predict its chance of final passage.

Commentary


The establishment of the EISC is certainly a measure of the congressional recognition of the potential foreign threats to the energy infrastructure in this country. I am concerned, however, with the bill’s failure to address the need for sharing the intelligence information produced by the EISC with private sector entities responsible for the operation of that infrastructure. I suppose it could be argued that the Federal Energy Regulatory Commission (FERC) would be the appropriate agency through which that information might be expected to flow, but I still would have expected to see specific private sector information sharing requirements in the EISC language.

Of course, congressional intent to share intelligence information with appropriate private sector entities is not always successful as we have seen with the DHS automated information sharing (AIS) program. Part of that is the failure of the intelligence community to prepare unclassified briefs on intelligence information, but that is not always possible to do. The larger problem is the inability of many private sector organizations to handle classified information. This is where the Report’s attention to SCIFs may end up being more important than the Committee intended.

They were specifically looking at expanding the access to classified information to small contractors, but the larger use of non-traditional SCIFs may be for the sharing and processing of classified information by organizations that cannot justify the cost of establishing their own SCIF so that they may be able to process classified intelligence reports that may or may not be made available to them.

Monday, June 25, 2018

Committee Hearings – Week of 06-24-18


With both the House and Senate in session this week it looks to be a busy week for Committee work. We are still seeing spending bills being marked-up and we have three cybersecurity related authorization bills. There will also be a Senate mark-up of the TWIC Reader Delay bill in that body.

Spending Bills

Monday – House Rules Committee – HR 6157 DOD;
Tuesday – House Rules Committee – HR 6157 DOD;
Tuesday – House Committee – LHHS;
Tuesday – Senate Sub-Committee – DOD;
Tuesday – Senate Sub-Committee – LHHS;
Thursday – Senate Committee – DOD;
Thursday – Senate Committee – LHHS

The Senate will finish work on HR 5895, the FY 2019 EWR spending bill Monday evening. The House will take up HR 6157, the FY 2019 DOD spending bill, either late Tuesday or on Wednesday.

Cybersecurity Authorization Bills


The three authorization bills with a cybersecurity nexus are for the National Telecommunications and Information Administration (NTIA), the National Institute of Science and Technology (NIST) and the intelligence community.

On Tuesday the Communications and Technology Subcommittee of the House Energy and Commerce Committee will hold a hearing on their draft of an authorization bill for NTIA. The witness list includes:

• Michael D. Gallagher, Entertainment Software Association;
• John Kneuer, JKC Consulting; and
• Joanne S. Hovis, CTC Technology and Energy.

The draft bill includes two ‘Sense of Congress’ sections on cybersecurity threats and supply chain vulnerabilities, and on preservation of domain name system and WHOIS service.

On Wednesday the House Science, Space, and Technology Committee will hold a mark-up hearing for three as of yet unintroduced bills. One of those is the draft of the NIST authorization bill. The draft includes a section on general cybersecurity and a separate section on IoT with cybersecurity language included.

On Thursday the House Intelligence Committee will hold the inevitably closed hearing on their mark-up of the as of yet unpublished FY 2019 Intelligence Authorization Act. The draft is not publicly available and, of course, the good stuff will be in the classified annex to the bill.

TWIC Reader Rule


On Wednesday the Senate Commerce, Science, and Transportation Committee will hold a mark-up hearing on eight bills, including S 3094. The text of that bill has not yet been published by the GAO, but it sounds like it should be a companion bill to HR 5729, the Transportation Worker Identification Credential Accountability Act of 2018. After having reviewed the Coast Guard NPRM on their proposed selective delay of the implementation of the TWIC Reader Rule, it seems unlikely that the two legislative delay attempts and the CG delay are very closely related to the same issues.

On the Floor


In addition to the two spending bills on the floor this week, we will also see the House take up two bills of potential interest to readers of this blog. Later today the House will consider HR 5081, the Surface Transportation Security and Technology Accountability Act of 2018, and HR 5733, the DHS Industrial Control Systems Capabilities Enhancement Act of 2018. Both bills will be taken up under the suspension of the rules provisions. This means limited debate and no floor amendments. It also means that the leadership expects serious bipartisan support for both bills since a super-majority is required for passage.

The House is also scheduled to take up a motion to go to conference on HR 5515, the FY 2019 DOD authorization bill, that passed in the Senate last week.

Wednesday, November 30, 2016

HR 6393 Introduced – FY 2017 Intel Authorization

Last week Rep. Nunes (R,CA) introduced HR 6393, the Intelligence Authorization Act for Fiscal Year 2017. This bill is apparently a replacement for both HR 5077 (which passed in the House in a strongly bipartisan vote) and S 3017. Both of those bills have stalled in the Senate. I suspect that Nunes and his Committee staff have coordinated with their Senate counterparts to remove/revise any provisions from the earlier bill that have held up consideration.

The cybersecurity intelligence report on US port operations requirement from HR 5077 remains in the new bill. Interestingly Dr. Andy Ozment, the Assistant Secretary for Cybersecurity and Communications at the Department of Homeland Security (DHS), published an opinion piece on CSOOnline.com Monday that describes the ICS-CERT response to a cyberattack on a US port control system earlier this year. Other than failing to note that there are only 13 of the vulnerable systems in use worldwide, the article does describe the ICS-CERT process fairly concisely.


HR 6393 is scheduled to be considered on the floor of the House today under the suspension of rules provisions. This provides for limited debate and no amendments from the floor. This bill should pass with strong bipartisan support. I suspect that the Senate will take up the bill under their unanimous consent procedures before the end of the lame duck session.

Wednesday, December 2, 2015

HR 4127 Introduced – Intelligence Authorization Act

On Monday Rep. Nunes (R,CA) introduced HR 4127, the Intelligence Authorization Act for Fiscal Year 2016. The bill was then considered by the House yesterday and passed by a largely bipartisan vote of 364 to 58 (22 Republicans voted No).

I noted in a blog post yesterday that there were three sections of the public (unclassified) portion of the bill that might be of specific interest to readers of this blog. All three dealt with reports to Congress. After closer review it looks like only one may be of substantial interest; §313 – Cyber attack standards of measurement study.

The bill would require the Director of National Intelligence (DNI), in conjunction with DHS and DOD, to conduct a study to determine standards that “can be used to measure the damage of cyber incidents for the purposes of determining the response to such incidents” {§313(a)(1)}. The only specific requirement for the study is that it includes “a method for quantifying the damage caused to affected computers, systems, and devices” {§313(a)(2)}.

Moving Forward

With the bill having been considered yesterday under the suspension of rules process it is apparent that Chairman Nunes has done a good job of crafting a bill that has raised no substantial opposition.

This bill is a substitute for HR 2596 that was passed on more partisan lines back in June. The Senate version of the intel authorization bill is S 1705 that was reported out of Committee in July by unanimous vote, but has not been taken up by the Senate. If the Senate takes up HR 4127 they could still substitute the language from S 1705 before voting on the bill. Differences then would be settled by a conference committee.

Commentary

I have some minor concerns about the wording of §313. As currently constructed it would appear to limit the report to the consideration of damage to the actual computer systems attacked, not the consequences of the loss or compromise of data involved in IT system breaches or the cyber physical consequences of an attack on an industrial control system. I think that any consideration of a potential response to a cyber-attack would have to take those consequences into account.

The DNI is not prohibited from including those considerations in his report to Congress, but I would have thought that Congress would have wanted those items to be specifically considered. This is especially true when in any significant cyber attack those consequences would certainly be of higher ‘value’ than any specific damage to just the computer systems.


Since §313 is unlikely to be amended at this point, I suppose that we are going to have to rely on the DNI to expand on the limited congressional guidance provided for this report to include more relevant information than that required by Congress. I suspect, however, that there is little incentive for the DNI to do so.

Tuesday, December 1, 2015

Bills Introduced – 11-30-15

Both the House and Senate were in session yesterday after returning from their Thanksgiving recess. A total of 18 bills were introduced and only one of those may be of specific interest to readers of this blog:

HR 4127 Intelligence Authorization Act for Fiscal Year 2016. Rep. Nunes, Devin [R-CA-22]

There is actually an official copy of this bill available this morning. While large portions of the bill are classified, a quick perusal of the unclassified portions show that there are three sections that may be of specific interest:

Sec. 313. Cyber attack standards of measurement study.
Sec. 705. Report on effects of data breach of Office of Personnel Management.
Sec. 706. Report on hiring of graduates of Cyber Corps Scholarship Program by intelligence community.

I’ll have a more detailed look at this bill in a later posting.

Monday, September 12, 2011

House Passes HR 1892 – Intelligence Authorization

On Friday the House of Representatives passed HR 1892, the Intelligence Authorization Act for Fiscal Year 2012, by a substantially bipartisan vote of 384 to 14. Needless to say, most of this bill is classified and not subject to public or blogger review, but some of the provisions are unclassified.

Normally I wouldn’t address an intelligence authorization bill in this blog, but there are two items in this bill that might indirectly affect the chemical security community. The first makes the DHS intelligence apparatus officially part of the ‘intelligence community’ and the second addresses security of railroads.

Intelligence Community


Section 411 of the bill amends §3(4) of the National Security Act of 1947 {50 U.S.C. 401a(4)} by adding the Office of Intelligence and Analysis of the Department of Homeland Security to the list of agencies officially considered to be an ‘element of the Intelligence Community’. If this provision remains in the bill through final passage, it would mean that it took longer than 10 years from the date of the 9-11 attacks to make homeland security officially (if probably still not actually) a fully functioning part of the intelligence community.

Is it any wonder that we still don’t have the full sharing of intelligence information that would help to prevent attacks like those that formally introduced this country to the community of international terrorism?

Actually, this inclusion of OIA in the intelligence community was further enhanced (slightly to be sure) by the adoption of an amendment offered by Rep. Keating (D,MA) by voice vote. That amendment would add a section to Title V of the bill that would express the ‘sense of Congress’ that the intelligence community “should continue to integrate and leverage fusion centers to enlist all of the intelligence, law enforcement, and homeland security capabilities of the United States in a manner that is consistent with the Constitution to prevent acts of terrorism against the United States” (pg 16 of the Rules Committee Report on H. Res. 392).

A ‘sense of Congress’ declaration has no legal standing, but it does provide notice to the intelligence community that the check writers think that the fusion centers and OIA should be taken seriously.

Railroad Security


Another ‘sense of Congress’ amendment, offered by Rep. Carney (D,DE) regarding the ‘priority of railway transportation security’, was adopted by a bipartisan vote of 303 to 92. That amendment to Title V of the bill concluded that “railway transportation security (including subway transit security) should continue to be prioritized in the critical infrastructure threat assessment developed by the Office of Intelligence and Analysis and included in threat assessment budgets of the intelligence community” (pg 15).

Given the history of terrorist attacks against transit systems the primary focus of this amendment was almost certainly intended to be on passenger rail systems not freight rail. But, given the extent and importance of freight rail and the inherent risks associated {particularly toxic inhalation hazard (TIH) chemical transport} with it, one would like to think that the intelligence community would certainly include freight rail threat assessments in its consideration of ‘railway transportation security’.

While identifying potential terrorist attacks in the planning stages is generally considered to be the best security against such attacks, it is particularly important in defending against attacks against the rail sector. The physical layout of rail systems makes it practically impossible to use physical security means to protect against attacks on this transportation mode. The only effective method of protection is advance detection and that is the job of the intelligence community.

Monday, May 16, 2011

HR 754 Now Includes Transportation Security Planning

On Friday, the House passed HR 754, the Intelligence Authorization Act for Fiscal Year 2011 by a bipartisan vote of 392-15. An amendment offered on the floor regarding transportation security issues was adopted.

Transportation Security Plans

Amendment 8 offered by Rep. Carney (D, DE) added Sec 501 to the legislation that expressed the non-binding ‘sense of Congress’ that railway transportation (including transit) should:

• Be “prioritized in the development of transportation security plans by the intelligence community”; and

• Be “included in transportation security budgets of the intelligence community”.

Not much to this. A ‘sense of Congress’ listing has even less authority than a House Resolution. It does imply that there is a ‘transportation security plan’ for the intelligence community, but I think that that is probably a misnomer. It is more likely a plan for looking at transportation security indicators; not what most people think about when they hear the words ‘transportation security plan’.

In any case, I’m sure that the Intelligence Community will pay diligent attention to this sense of Congress in developing their plan for looking at transportation security issues. You bet; especially since no money was attached to this ‘requirement’.
 