Review - S 885 Introduced – Civilian Cyber Reserve

Earlier this week, Sen Rosen (D,NV) introduced S 885, the Department of Homeland Security Civilian Cybersecurity Reserve Act. The bill would authorize DHS to establish a pilot program for a civilian cybersecurity reserve. No additional funding would be authorized by the bill.

This bill is nearly identical to the version of S 1324, the Civilian Cybersecurity Reserve Act, that was also introduced by Rosen and passed in the Senate under the unanimous consent process during the last session. No action was taken on the bill in the House.

Moving Forward

As I noted yesterday, the Senate Homeland Security and Governmental Affairs Committee is scheduled to take up this bill tomorrow along with 27 other bills. Typically, this means that there is broad support within the Committee for this bill, though there may be amendments that the Committee will consider. I suspect that there will be substantial bipartisan support for the bill. Last session, this version of the bill was able to pass the full Senate under the unanimous consent process, so it may be able to do so again.

Commentary

S 1324 passed late in the last session and never really had a chance to be taken up in the House. I suspect that if it were to make it to the floor for a vote that it would probably pass. The problem is going to be getting it to the floor because this is another unfunded program that is going to run afoul of the budgeting and spending restrictions planned for this session in the Republican controlled House. This would be another program where the spending hawks would be competing with the cybersecurity hawks in the Party and there will only be so many of those fights that either side wants to get into in the lead up to the 2024 elections. I am not sure that this would be a hill the cybersecurity hawks would want to die on.

 

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-885-introduced - subscription required.

Review - S 1324 Reported in Senate – Civilian Cybersecurity Reserve

Last month the Senate Homeland Security Committee published their report on S 1324, the Civilian

Cybersecurity Reserve Act. Back in July of last year, the Committee held a business meeting where they adopted substitute language for the bill approved subsequent amendments. The final version of the bill was adopted by voice vote. Significant changes were made to the scope and administration of the proposed Civilian Cybersecurity Reserve pilot program. The revised bill removes authorization for appropriating funds to support the program.

The original bill would have provided authority for both DOD and DHS to establish separate pilot Civilian Cybersecurity Reserve (CCSR) programs. The changes made to the bill remove that authority for a DOD pilot and moved the DHS program to CISA. Additionally, the bill now specifically spells out the purpose of the program; “to enable the Agency to effectively respond to significant incidents.”

The bipartisan support that this bill received in Committee would seem to predict similar support in the Full Senate if this bill were to make it the floor for consideration. It is unlikely that the Senate would take up this bill under regular order as it has too many higher priority pieces of legislation to consider heading into the last seven-months of the session. There remains a possibility that this bill could make to the floor under the unanimous consent process, but it is more likely to make it to the President’s desk as part of a larger bill.

For more details about the changes made to the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-1324-reported-in-senate - subscription required.

Review - HR 4818 Introduced - National Digital Reserve Corps

 Last month, Rep Gonzales (R,TX) introduced HR 4818, the National Digital Reserve Corps Act. The bill would establish within the General Services Administration (GSA) a ‘National Digital Reserve Corps’, to help address the digital and cybersecurity needs of Executive agencies. The bill would add a new Chapter 103 to 5 USC. The bill would authorize $30 million for this new program. This bill would establish a more extensive organization than the one envisioned in either HR 2894 or S 1324.

While Gonzales is not a member of the House Oversight and Reform Committee to which this bill was assigned for consideration, one of his five cosponsors {Rep Kelly (D,IL)} is a member. That means that it is possible that there is sufficient influence to see this bill considered in Committee. While I see nothing in this bill that would engender any specific organized opposition, it seems to me that there could be a lack of support for the bill due to some missing critical provisions (see my commentary). I am not sure if this bill could pass, as written, in Committee.

I will have to wait and see how the bill performs (and/or is amended) in Committee before I can make any prognostications on how it might move to the floor of the House for consideration.

 

For more details about the bill, as well as my analysis of its shortcomings and possible fixed, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4818-introduced - subscription required. 

Committee Hearings – Week of 7-11-21

This week the Senate is meeting in Washington and the House will be conducting remote hearings. We will see a number of markups of FY 2022 spending bills, two cybersecurity related markup hearings and two DHS oversight hearings.

Spending Bills

7-12-21 Energy and Water Development, and Related Agencies - Subcommittee

7-12-21 Commerce, Justice, Science, and Related Agencies - Full Committee

7-12-21 Transportation, Housing and Urban Development and Related Agencies Subcommittee

7-13-21 Homeland and Defense - Subcommittee

7-16-21 Energy and Water Development, and Related Agencies, and Transportation, Housing and Urban Development, and Related Agencies – Full Committee

Cybersecurity Markups

On Wednesday the Senate Homeland Security and Governmental Affairs Committee will hold a business meeting. They will consider 15 pieces of legislation including the following cybersecurity related bills.

• S 1917, K-12 Cybersecurity Act of 2021, and

• S 1324, Civilian Cyber Security Reserve Act,

On Wednesday the Senate Energy and Natural Resources Committee will hold a business meeting on a new bill, the Energy Infrastructure Act, to invest in the energy and outdoor infrastructure of the United States to deploy new and innovative technologies, update existing infrastructure to be reliable and resilient, and secure energy infrastructure against physical and cyber threats, and for other purposes. I will try to complete at least a brief review of that bill before the hearing.

DHS Oversight

On Thursday the House Homeland Security Committee will hold a hearing on “Securing the Homeland: Reforming DHS to Meet Today's Threats”. This hearing is related to the recent introduction of HR 4357. The witness list includes:

• Tom Warrick, Atlantic Council,

• Carrie Cordero, Center for a New American Security, and

• Katrina Mulligan, Center for American Progress

On Friday the  Emergency Preparedness, Response, & Recovery Subcommittee of the House Homeland Security Committee will hold a hearing on “Examining the U.S. Department of Homeland Security Countering Weapons of Mass Destruction Office”. The witness list includes:

• Gary Rasicot, DHS, and

• Christopher P. Currie, GAO

HR 2894 Introduced - Civilian Cyber Security Reserve Act

Back in March, Rep Panetta (D,CA) introduced HR 2894, the Civilian Cyber Security Reserve Act. “The bill would authorize DOD and DHS to each establish a separate Civilian Cyber Security Reserve pilot project “to address the cyber security needs of the United States with respect to national security”. This bill is very similar to S 1324 (subscription required) that was introduced earlier in March.

Differences

There are three differences between this and the Senate bill. The first is a purely editorial difference; definitions in the Senate bill are found in §2(a) and in this bill they are found in §2(i). The two remaining differences are found in the two paragraphs that were left out of the House bill.

In the Senate bill §2(b)(4) would ensure that they ‘reservists’ appointed to temporary positions were not replacing current employees performing cybersecurity duties. This would prevent future budget cutting efforts from replacing full time employees with lower cost temporary employees.

Finally, the Senate version included §2(b)(5) that would have required the Department of Labor to publish appropriate employment rules to protect cyber reservists called up for federal service in much the same way that 38 USC Chapter 43 protects the civilian employment rights of military reservists.

Moving Forward

Panetta is a member of the House Armed Services Committee, one of the two committees to which this bill was assigned for consideration. He may have enough influence to see this bill considered in Committee. The main problem for this bill is the potential for it to undercut the recruitment of departing military personnel for National Guard and Reserve cybersecurity units. Thus I suspect that there might be some significant opposition in that Committee to this bill moving forward.

There are no sponsors for this bill from the House Homeland Security Committee, to which this bill was also assigned. That Committee would be more likely to overlook the military’s recruiting problems to enhance the surge capacity of DHS. If this bill is going to move forward, Panetta is going to have to get cosponsors from that Committee to see the bill considered and potentially moved to the floor for consideration. Even that bypass may not be effective if the leadership of the Armed Services Committee objects to this bill.

Commentary

I think that the idea of a non-military cybersecurity reserve organization for DHS has more than a little merit. Having said that, the two missing provisions that I described above would ill serve anyone signing up for such service if the House version of this bill is advanced.

S 1324 Introduced - Civilian Cyber Security Reserve Act

Earlier this month Sen Rosen (D,NV) introduced S 1324, the Civilian Cyber Security Reserve Act. The bill would authorize DOD and DHS to each establish a separate Civilian Cyber Security Reserve pilot project “to address the cyber security needs of the United States with respect to national security”. The pilot project authorization would end seven years after they were established. Such sums as may be necessary for these projects would be authorized by this bill.

Personnel in either of the CCSR could be activated and they would be given a noncompetitive appointment to temporary positions in the competitive or excepted service. Those appointments would be for no more than six months. While in those temporary positions, they would be considered Federal civil service employee under 5 USC 2105.

Moving Forward

Rosen is a member of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. This means that she could have enough influence to see this bill considered in Committee. I suspect that there would be some level of bipartisan support for the bill. If considered, I would expect to see it favorably reported.

This bill is not important enough to make it to the floor of the Senate for consideration. The time necessary to go through the debate and amendment process means that a bill only comes to the floor when it is important enough in the eyes of the Senate leadership to consume those limited resources. I would suspect that there would be enough opposition to the bill to prevent it from being considered under the unanimous consent process.

Commentary

There is an ongoing problem in the government (and of course in industry as well) of finding enough people with cybersecurity expertise to fill all of the positions necessary to maintain an adequate level of cybersecurity knowledge to be able to respond to the daily grind of protecting the governments cyber systems. This bill is not really designed to address that general issue.

What Rosen and her sole cosponsor {Sen Blackburn (R,TN)} are attempting to do with this bill is to provide some level of surge capacity at DOD and DHS to deal with large scale incidents like the SolarWind attacks or the Microsoft email server problems. Having trained and experienced personnel available to be called up on short notice would certainly make that kind of incident response much easier.

A more detailed analysis of this bill is available at CFSN Detailed Analysis, subscription required.

HSGA Business Meeting – 5-12-21

Today the Senate Homeland Security and Governmental Affairs Committee met and considered 14 bills. This included four cybersecurity related pieces of legislation. Three of the four cybersecurity bills were ordered reported favorably by voice votes, two after substitute language was adopted. The fourth was held over pending additional work on amendments.

The approved bills were:

• S. 1097, Federal Rotational Cyber Workforce Program Act,

• S 1316, Cyber Response and Recovery Act, as amended,

• S 1350, National Risk Management Act of 2021, as amended.

The bill that was held over was S. 1324, Civilian Cyber Security Reserve Act.

The GPO printed official versions of all four bills this morning. I will be reviewing the introduced language in the coming days. The substitute language approved today will not be available for some time.

Update for Senate HSGA Markup – 5-12-21

The Senate.gov website now lists the bills that will be marked up by the Senate Homeland Security and Governmental Affairs Committee on Wednesday. The thirteen bills scheduled include four cybersecurity related measures:

• S 1097, to establish a Federal rotational cyber workforce program for the Federal cyber workforce {Sen. Peters, (D,MI)}

• S 1316, to amend the Homeland Security Act of 2002 to authorize the Secretary of Homeland Security to make a declaration of a significant incident {Sen. Peters, (D,MI)},

• S 1324, to establish a Civilian Cyber Security Reserve as a pilot project to address the cyber security needs for the United States with respect to national security {Sen Rosen (D,NV)}, and

• S 1350, to require the Secretary of Homeland Security to establish a national risk management cycle {Sen Hassan (D,NH)},

The GPO has not yet published official versions of any of these bills, nor can I find them posted to the HSGA web site. Hassan’s web site does have a submission draft copy posted for S 1350, the ‘National Risk Management Act of 2021. I will have a detailed review of that bill, based upon that draft available later this evening. We may see S 1097 published this evening, but I doubt the GPO will get to S 1316 or S 1324 before Wednesday morning.

Bills Introduced – 4-22-21

Yesterday, with both the House and the Senate preparing to depart Washington for the weekend, there were 168 bills introduced. Three of those bills may receive additional coverage in this blog:

S 1316 A bill to amend the Homeland Security Act of 2002 to authorize the Secretary of Homeland Security to make a declaration of a significant incident, and for other purposes. Sen. Peters, Gary C. [D-MI] 

S 1324 A bill to establish a Civilian Cyber Security Reserve as a pilot project to address the cyber security needs for the United States with respect to national security, and for other purposes. Sen. Rosen, Jacky [D-NV]

S 1359 A bill to establish the Foundation for Energy Security and Innovation, and for other purposes. Sen. Coons, Christopher A. [D-DE] 

I will be watching S 1316 for language and definitions that specifically include cybersecurity incidents in potential ‘significant incident’ declaration authority.

I will be watching S 1324 for language and definitions that would specifically include industrial control systems in the ‘cybersecurity needs’ of the United States.

I suspect that S 1359 is a green-energy bill with ‘energy security’ equating to energy supply needs. I will be watching for anything that addresses cybersecurity issues.