S 2629 Passed in House – Cybercrime Metrics

This evening, the House completed their consideration of S 2629, the Better Cybercrime Metrics Act by a moderately bipartisan vote of 37 to 48. They held their debate on the bill yesterday under the House suspension of the rules process.

Normally, the debate on a bill being considered under the suspension of the rules process is mainly congratulating the Committee leadership on the bipartisan process that led to successful development and adoption of the legislation. While there was a certain amount of that in this debate, there was some actual opposition voiced in yesterday’s debate. Rep Bentz (R,OR) complained about the lack of hearings on either this bill or it’s companion legislation HR 4977 in the House. Both bills were considered in their respective committee’s and reported favorably without written report. This means that there is no record of investigational hearings on the record for either bill.

In response, Rep Jackson-Lee added four articles to the record:

Cybercrime Predictions for 2022: Deepfakes, Cryptocurrencies, and Misinformation - by Maya Horowitz,

HO, HO, HO, HOLIDAY SCAMS! - by Beth Anne Steele,

Without Major Changes, More Americans Could be Victims of Online Crime - by Rep. Abigail Spanberger (D–VA),

U.S. Military Has Acted Against Ransomware Groups, General Acknowledges - by Julian E. Barnes

The bill now goes to the President, who will almost certainly sign the bill.

Committee Hearings – Week of 3-27-22

This week with both the House and Senate in session, there is a nearly normal hearing schedule. The FY 2023 spending process starts with the presentation of the President’s budget. There will be one markup hearing that includes cybersecurity legislation. There will also be two hearings of interest here, one on critical infrastructure cybersecurity and one on DHS counter-drone operations.

FY 2023 Budget Hearings

• Tuesday – House Budget Committee

• Wednesday – Senate Budget Committee

Cybersecurity Markup

On Wednesday, the Senate Homeland Security and Governmental Affairs Committee will hold a business meeting. In addition to eight nominations to consider, the Committee will take up eleven postal naming bills and eleven ‘normal’ pieces of legislation. One of the later is S 3511, the Satellite Cybersecurity Act. Do not expect much discussion, whatever issues exist in this Committee are normally dealt with behind closed doors, but amendments are possible.

Cyber Threat Hearing

On Wednesday, The House Homeland Security Committee will hold a hearing on “Mobilizing Our Cyber Defenses: Securing Critical Infrastructure Against Russian Cyber Threats”. The witness list includes:

• Adam Meyers, Crowdstrike,

• Mr. Steve Silberstein, CEO, Financial Services-ISAC 

• Kevin Morley, American Water Works Association

It will be interesting to here the private sector point of view on this topic after all of the warnings from various Federal agencies over the last couple of weeks.

Counter-Drone Operations

On Thursday, there will be a joint hearing of two Subcommittees of the House Homeland Security Committee looking at “Assessing the Department of Homeland Security's Efforts to Counter Unmanned Aircraft Systems”. The witness list includes:

• Samantha Vinograd, Office of Strategy, Policy, and Plans,

• Rear Admiral Scott W. Clendenin, USCG,

• Austin Gould, TSA,

• Dennis J. Michelini, U.S. Customs and Border Protection

The last witness was added by the Republicans. They will be using Michelini’s testimony to attack the President’s ‘lack of action on the Southern Border’. Just a reminder, DHS has very limited authority to conduct counter-drone operations.

On the Floor

The major bill in the House this week will be HR 3617, the Marijuana Opportunity Reinvestment and Expungement (MORE) Act. It will come to the floor later in the week, so the House will have time to consider a total of 17 bills under their suspension of the rules process. Those bills include:

S 2629 – the Better Cybercrime Metrics Act, and

HR 6865 – the Don Young Coast Guard Authorization Act of 2022,

The Senate is scheduled to finish up action on HR 4521 this evening. While many things could happen to delay the final vote, I suspect that the Senate will adopt the substitute language this evening. Then the conference process will begin to iron out the major differences in the two bills. The final bill will be larger than either of the two alternatives and will almost certainly contain both sets of cybersecurity provisions.

S 2629 Reported in Senate - Cybercrime Reporting

Earlier this week the Senate Judiciary Committee reported S 2629, the Better Cybercrime Metrics Act favorably without a written report. The Committee met on November 18^th, 2021, to consider the bill and ordered it reported at that time without amendment. The bill is now cleared for possible consideration by the full Senate.

The bill would require DOJ to establish a taxonomy for classifying cybercrime in the National Incident-Based Reporting System (NIBRS) and would require the reporting of cybercrimes according to that taxonomy. The bill provides for $1 million to support the development of the taxonomy, including a study on the topic by the National Academy of Sciences. It would have no effect on cybercrime reporting by victims.

Reporting a bill without a written report is usually an indication that an effort is going to be made to bring the bill to the floor for consideration. With the strong bipartisan support seen for this bill in Committee, it is possible that the bill could be offered under the Senate’s unanimous consent process.

Committee Hearings – Week of 11-14-21

With both the House and Senate back in Washington for a week between holidays, we have a nearly full slate of congressional hearings. Of interest here will be two ransomware hearings and markup of a cybersecurity bill.

Ransomware Hearings

On  Tuesday, the House Oversight and Reform Committee will hold a hearing on “Cracking Down on Ransomware: Strategies for Disrupting Criminal Hackers and Building Resilience Against Cyber Threats”. The witness list includes:

• Jen Easterly, CISA,

• Chris Inglis, National Cyber Director, and

• Bryan Vorndran, FBI

On Wednesday, two subcommittees of the House Homeland Security Committee will hold a joint hearing on “A Whole-of-Government Approach to Combatting Ransomware: Examining DHS’s Role”. The witness list includes:

• Rob Silvers, DHS,

• Jeremy Sheridan, Secret Service, and

• Brandon Wales, CISA

Neither hearing is expected to do more than mention controls system security in passing.

Cybersecurity Markup

On Thursday, the Senate Judiciary Committee is holding a business meeting. In addition to a number of nominations, it will take-up S 2629, the Better Cybercrime Metrics Act. This bill would add law enforcement cybercrime reporting requirements, but does not address private sector reporting cybercrimes to law enforcement or federal agencies.

On the Floor

This week the House is scheduled to take up HR 5376, the Build Back Better Act. I have not yet reviewed the most likely version of the bill to appear before the House, I have been awaiting last minute changes.

The Senate will likely take up HR 4350, the FY 2022 National Defense Authorization Act. The Senate will ignore the House language, taking up instead substitute language based upon S 2972. Readers will have seen my posts about the large number of amendments that have been proposed. More will likely be coming this week. It will be interesting to see which amendments actually make it to the floor for consideration. This will not be quick and the final vote may be delayed until after the Thanksgiving recess.

 

Review - S 2629 Introduced - Better Cybercrime Metrics

Earlier this month, Sen Schatz introduced S 2629, the Better Cybercrime Metrics Act. The bill would require DOJ to establish a taxonomy for classifying cybercrime in the National Incident-Based Reporting System (NIBRS) and would require the reporting of cybercrimes according to that taxonomy. The bill provides for $1 million to support the development of the taxonomy, including a study on the topic by the National Academy of Sciences.

While Schatz is not a member of the Senate Judiciary Committee to which this bill was assigned for consideration, his three co-sponsors {Sen Tillis (R,NC), Sen Cornyn (R,TX), and Sen Blumenthal (D,CT)} are members. This means that there is a good chance that there is enough influence to see this bill considered in Committee. Other than the relatively small funding authorized by this bill, I do not see anything that would engender significant opposition to this bill. The bill would probably be approved by a significantly bipartisan majority in Committee.

I suspect that the bill would receive sufficient bipartisan support to allow it to pass the cloture process if the bill were considered by the Senate. Having said that, I cannot see the Senate leadership taking up limited legislative time for the consideration of this bill. The most likely path forward for this legislation is to be included as an amendment in a spending or authorization bill.

For more details about the provisions of the bill, and my analysis of its shortcomings, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2629-introduced - subscription required.

Bills Introduced – 8-5-21

Yesterday, with just the Senate in Washington, there were 58 bills introduced. Two of those bills may receive additional coverage in this blog:

S 2629 A bill to establish cybercrime reporting mechanisms, and for other purposes. Sen. Schatz, Brian [D-HI]

S 2666 A bill to address threats relating to ransomware, and for other purposes. Sen. Rubio, Marco [R-FL]

I will be watching both bills for language and definitions that include industrial control system within their scope.