Showing posts with label Mark-up. Show all posts

Friday, September 28, 2018

Senate HSGAC Committee Amends and Adopts Bills – 09-26-18


Earlier this week the Senate Homeland Security and Governmental Affairs Committee held a business meeting at which a number of bills were considered, amended and ordered favorably reported. As is typical of the Senate committee operations, there are no public copies of the amendments provided before or after hearings. We will have to wait to see the reported version of the bill to see exactly what changes have been made.

S 3405 – CFATS Reauthorization


Sen. Johnson (R,WI) offered substitute language on the bill which was subsequently modified by two amendments by Sen. McCaskill (D,MO). All three amendments were adopted by voice votes as was the final bill.

There was some interesting back and forth between Johnson and McCaskill about this bill. McCaskill was concerned about the lack of bipartisan effort in the writing of this bill. She went so far as to complain about ‘industry being in driver’s seat’ in writing the bill [35:07 in the video]. She gave an example of this continuing during the substitute language development where whistleblower protections were added to last week’s draft of the language but were subsequently removed before this week’s hearing.

At the end of that discussion McCaskill made the comment that the bill “will not get my consent on the floor unless we get the whistleblower protections back in the bill” [39:26]. This referred back to an off-mike discussion between Johnson and the staff where he was apparently reminded that the bill will have to be considered on the Senate floor under the unanimous consent process rather than the ‘normal’ debate and amend process. This is due to the lack of time remaining in the session.

McCaskill had two amendments that were offered, considered, and adopted by voice vote. The first had to do with the recognition program. She noted that changes were made to the recognition program [40:04] and her first amendment would modify that language to authorize a DHS mechanism to recognize stewardship programs.

McCaskill’s second amendment to the bill had something to do with the revised explosive exemption language in the bill. Again, she thought [42:38] that either the original language or the revised language (it is not clear) went too far in bending to the desires of the explosives industry.

McCaskill did not have language ready to put whistleblower language back in the bill. As I noted above she vowed to object to the bill if it came to the floor for consideration without the language. We may see the material added to the bill between the time the report is published and the time that it comes to the floor for a vote.

Other Bills of Interest


There were a total of about 40 bills considered in the hearing this week. Most of them were considered en bloc near the end of the hearing, being passed with a single voice vote. These included:

S 278, the Support for Rapid Innovation Act of 2017 – Substitute language;
S 3085, the Federal Acquisition Supply Chain Security Act of 2018 – Substitute language and additional amendment; and
S 3309, the DHS Cyber Incident Response Teams Act of 2018 – Substitute language and additional amendment;

Commentary


Johnson made a point early in the hearing (in relation to a bill that did not end up being considered) about how the Committee works together in a ‘non-partisan’ manner. This is certainly the normal course of events in the Committee. This makes S 3405 very much an oddity in the process as it was written without the input of the Democrats on the Committee (or the Minority Staff). McCaskill’s displeasure with the process was evident in this week’s hearing, but she will go along with Johnson as long as her party’s minimum requirements are met (whistleblower language). It is not clear that other Democrats in the Senate (not on the Committee; those McCaskill will almost certainly keep in line) will play along.

One Democrat that will have to be watched with respect to this bill is Sen. Markey (D,MA). With his recent attempts to frame himself as a cybersecurity expert, he might be expected to object to the removal of the cybersecurity risk-based performance standards from the CFATS program. Another senator with an interest in cybersecurity that also might object is Sen. Blumenthal (D,CT). That is, of course, if those provisions remain in the bill as amended.

Tuesday, September 11, 2018

Homeland Security Mark-up Hearing – 09-13-18


This morning the House Homeland Security Committee announced that it would be conducting a mark-up hearing for five pieces of legislation including:

• HR 6620, Protecting Critical Infrastructure Against Drones and Emerging Threats Act;
• HR 6735, To direct the Secretary of Homeland Security to establish a vulnerability disclosure policy for Department of Homeland Security internet websites, and for other purposes; and
• S 1281, Hack the Department of Homeland Security Act of 2017.

The official copy of HR 6620 just recently became available and I have just glanced through it at this point; hopefully I’ll get a chance to review it here before Thursday. The quick glance that I have done indicates that this is a ‘collect information and report to Congress’ type of bill, rather than something that will authorize any sort of action similar to S 2836.

The official copy of HR 6735 is not yet available, but a Committee Print is. There is not much in this bill of specific interest to readers of this blog beyond the fact that it uses the definition of ‘security vulnerability’ from 6 USC 1501 which is, in turn, based upon the ICS-inclusive definition of information system while the bill uses the IT-restrictive definition of ‘information system’ from 44 USC 3502.

Friday, April 20, 2018

House Subcommittee Marks-Up Energy Security Bills


On Wednesday the Subcommittee on Energy, of the House Committee on Energy and Commerce, held a markup hearing on five energy bills. Four of the bills have been covered in this blog and those bills passed on voice votes; two of them were amended with substitute language from the original offerors. The four bills that have been addressed in this blog:

HR 5174, Energy Emergency Leadership Act;
HR 5175, Pipeline and LNG Facility Cybersecurity Preparedness Act (amended);
HR 5239, Cyber Sense Act (amended); and
HR 5240, Enhancing Grid Security through Public-Private Partnerships Act

HR 5175 Changes


The one change made to HR 5175 in the substitute language is relatively minor. It adds a phrase to §2(1) to expand the coordination requirement by adding: “including through councils or other entities engaged in sharing, analysis, or sector coordinating”.

HR 5239 Changes


The changes to HR 5239 are mainly grammatical and would have little to do with the operation of the Cyber Sense program that is proposed by this bill. There is one potentially significant change; §2(b)(7) from the original bill was removed. That paragraph had provided a requirement for the Secretary of Energy to “establish procedures for disqualifying products that were tested and identified as cyber-secure under the Cyber Sense program but that no longer meet the qualifications to be identified cyber-secure products”. There is nothing in the revised program that would prohibit that disqualification.

Moving Forward


The bipartisan support received in the subcommittee will almost certainly be duplicated when these bills are taken up by the whole committee. The question then will be to see if the sponsors and the Committee leadership have enough influence (or are willing to expend the effort to influence) to bring these bills before the full House. I firmly expect that we will see some version of these bills reach the floor under the suspension of the rules procedure in the House. Again, that means limited debate and no floor amendments. I would not be surprised to see all five bills considered on a single day.

Commentary


The removal of the language in HR 5239 providing for the establishment of a process to disqualify products that no longer meet the Cyber Sense standards brings up an interesting legal situation. As I said earlier, there is nothing in the bill that would specifically prohibit the Secretary from establishing such rules. But, having said that, a good lawyer could argue before a friendly judge that the removal of the specific authority to establish such a disqualification process from the language in the bill establishes a congressional intent that such authority can no longer be exercised by the Secretary absent specific authorization by Congress.

What this very well could end up meaning is that once a vendor becomes authorized to use the ‘Cyber Sense’ label on their product, they will no longer have to work to maintain the ‘Cyber Sense’ standards because the Secretary would not have the authority to require the vendor to remove the ‘Cyber Sense’ labeling. If the vendor flouting of the ‘Cyber Sense’ standards becomes widespread, the efficacy of the whole program would be called into question, destroying the process.

If this problem is to be addressed, it will almost certainly have to be done during the Energy and Commerce mark-up hearing that will probably be conducted in the next couple of weeks. After that, if the bill moves forward, it would almost certainly be under processes in both the House and Senate that would not allow for amendments to the bill from the floor.

Wednesday, March 7, 2018

House Homeland Security Committee Marks-up Legislation – 03-07-18


Today the House Homeland Security Committee held a markup hearing to look at 10 homeland security related bills (one of the scheduled bills, HR 4627, was not considered). All of the bills passed by unanimous consent. Four of the bills were amended before passing.

Bills of potential specific interest to readers of this blog included:

HR 5074, the DHS Cyber Incident Response Teams Act, was adopted without amendment;
HR 5081, the Surface Transportation Security and Technology Accountability Act of 2018, was adopted without amendment; and
HR 5089, the Strengthening Local Transportation Security Capabilities Act of 2018, was adopted without amendment.

I suspect that all ten bills will make it to the House floor under the suspension of rules process that allows for limited debate and no floor amendments. Each of these bills should pass with broad bipartisan support; most of them without a roll-call vote.


Thursday, November 5, 2015

Homeland Security Bills Marked Up

Yesterday the House Homeland Security Committee held a markup hearing at which seven bills were approved (some after amendment) by voice votes. Only two of those bills (HR 3875 and HR 3878) may be of specific interest to readers of this blog.

HR 3875 – CBRNE Office

Rep. McCaul (R,TX) offered an amendment in the form of a substitute for this bill. It removed some of the language that I mentioned in my earlier post that made it seem that this bill was primarily a biosecurity bill. It also added new language to the proposed Title XXII of the Homeland Security Act of 2002 that created four Divisions within the proposed CBRNE Office; the Chemical Division, the Biological Division, the Nuclear Division and the Explosive Division.

The revised language still does not include the chemical security folks from the DHS Infrastructure Security Compliance Division (ISCD), but it did add specific language providing for a continuation of the Chemical Defense Program (that I first mentioned here) under the Chemical Division.

An amendment to the revised language was offered by Rep. Thompson (D,MS). It made a number of word changes to clarify certain issues, but there were no modifications to the intent of the bill.

Both amendments were agreed to by voice votes.

HR 3878 – Port Cybersecurity

Rep. Torres (D,CA) offered substitute language for the bill which was essentially a complete re-write of the original language, if not the general intention, of the bill. A new §2 of the bill would require the development and implementation of “a maritime cybersecurity risk assessment model” {§2(1)}. Additionally the section would also require the establishment of guidelines “for voluntary reporting of maritime-related cybersecurity risks and incidents” {§2(4)}.

The new language also removes all specific mention of the Maritime Information Sharing and Analysis Center; substituting more generic language (“at least one information sharing and analysis organization” representing the maritime community). The other information sharing provisions have had minor wording changes.

An amendment to the revised language was offered by Rep. Donovan (R,NY). It would add an additional section to the bill that would amend portions of 46 USC regarding maritime security plans under the Maritime Transportation Security Act. First it would modify §70101(b)(1)(C) to add ‘cybersecurity’ as one of the areas of weakness to be evaluated in facility and vessel vulnerability assessments. Second it would modify §70103(c)(3)(C) to add ‘cybersecurity’ as one of the required provisions of a vessel or facility security plan. Area security plans were not addressed by this amendment.

The Torres language on cybersecurity provisions on area and facility site security plans was revised slightly by the Donovan amendment, but it still only applies those requirements to plans approved after the development of the new cybersecurity risk assessment model required by the bill has been completed. Thus existing security plans would not be required to be changed to reflect the cybersecurity requirements until their next five year renewal.

Both amendments were approved.

Moving Forward

Both of these bills appear to be on Chairman McCaul’s fast track for consideration. It is very likely that these will be considered on the floor of the House before the end of the year. Neither bill has any provisions that will spark any serious opposition so they will both probably be considered under suspension of the Rules.

Commentary

The changes to the CBRNE Office bill that were made yesterday make a lot of sense to me. The establishment of the five offices reflecting the different attack vectors seems like it has the potential to centralize the Department’s disparate efforts at reducing the probability of a high-consequence CBRNE attack. It would also place CBRNE on a bureaucratic par with Cybersecurity within the Department.

I still would have preferred to see ISCD added to the Chemical Defense Office, but if the Senate does not make that move (a low probability event; I doubt that any amendments will be made to the bill as it will probably be considered under unanimous consent provisions at the end of a daily session) I suspect that this would be one of the changes that would be recommended by the Secretary in his initial report to Congress required by the bill.

The revised language on the port cybersecurity bill is also a substantial step forward. Even before the Donovan amendment the changes that were made bring the language within the current information sharing meme that is wending its way through conference committee. This internal consistency of language is important from a bureaucratic point of view.

For critical infrastructure like ports I would have preferred to see some mandatory level of cybersecurity reporting. Using the general concepts used in the recent NRC cybersecurity reporting rule, this bill should have mandated reporting of cybersecurity events that had a cyber-physical impact (or at least those that affected the handling of hazardous chemicals) and specifically encouraged reporting cybersecurity events that affected safety, security, or emergency response.


I was very happy to see the Donovan amendment make the statutory changes necessary to make the changes to vulnerability assessments and security plans. I am not sure, however, if the failure to include maritime area security plans in those changes was deliberate or an oversight. I suspect that it was deliberate and I would tend to agree that requiring cybersecurity security plan coverage at the vessel and facility level is probably more important than trying to deal with it at the area level.

Monday, October 21, 2013

Congressional Hearings – Week of 10-20-13

The House returns to work tomorrow while the Senate remains in their States for another week of keeping in touch with voters and contributors. The House does not currently have a real heavy hearing schedule this week and only one hearing that might be of specific interest to readers of this blog, a mark-up hearing that was originally scheduled for 10-2-13.

The House Homeland Security Committee will be meeting on Thursday to consider six different bills; four of which may be of specific interest here:

HR 1204, The Aviation Security Stakeholder Participation Act of 2013;
HR 1791, The Medical Preparedness Allowable Use Act;
HR 2952, The Critical Infrastructure Research and Development Advancement Act of 2013; and
HR 3107, The Homeland Security Cybersecurity Boots-on-the-Ground Act.

Revised language will be introduced for three of these bills:

HR 1204;
HR 2952; and
HR 3107


Among other things the revisions to HR 1204 would tend to re-emphasize that the TSA is to take the recommendations of the Advisory Committee very seriously; reporting to Congress when the TSA does not follow those recommendations. The changes in the language for HR 2952 are essentially non-substantive political changes. The same can be said of the proposed changes to HR 3107.
 