Showing posts with label S 4913. Show all posts

Wednesday, September 28, 2022

Committee Hearings Week of 9-25-22

This week, with both the House and Senate in session (and the FY spending deadline approaching quickly), there is a relatively light hearing schedule, particularly on the House side of the Hill. We do have a markup hearing of interest, and a hearing on UAS integration.

Homeland Security Markup

The Senate Homeland Security and Governmental Affairs Committee will be holding a business meeting today. It will include nine nomination votes, 22 pieces of legislation and four facility naming bills. Of particular interest here:

S ___, Strengthening Agency Management and Oversight of Software Assets Act of 2022,

S 4913, Securing Open Source Software Act of 2022,

S 4882, Fire Grants and Safety Act,

S ___, Protecting the Border from Unmanned Aircraft Systems Act,

HR 7777, Industrial Control Systems Cybersecurity Training Act,

HR 6824, President’s Cup Cybersecurity Competition Act, and

HR 6873, Bombing Prevention Act of 2022

UAS Integration

The Subcommittee on Aviation Safety, Operations and Innovation of the Senate Commerce, Science, and Transportation Committee will be holding a hearing on “FAA Reauthorization: Integrating New Entrants into the National Airspace System”. The witness list includes:

• Lisa Ellman, Commercial Drone Alliance,

• Gregory Davis, Eviation,

• Stephen P. “Lux” Luxion, FAA Center of Excellence for Unmanned Aircraft Systems (ASSURE),

• Stéphane Fymat, Honeywell Aerospace, and

• Edward M. Bolen, National Business Aviation Association

Counter drone operations may come up in the discussion.

On the Floor

The 900-lb gorilla this week is the spending bill, or rather a continuing resolution that ‘must’ pass by midnight on Friday. A weekend final vote is not beyond possible.

The House is scheduled to take up 32 bills in this short week under the suspension of the rules process. With the spending bill pending, we can expect Republican bomb throwers to demand votes on many if not most of these bills, just to gum up the process. Bills of potential interest here include:

• S 4900 – SBIR and STTR Extension Act of 2022,

• HR 8956 – FedRAMP,

Review - S 4913 Introduced – CISA and Open-Source Software

Last week, Sen Peters (D,MI) introduced S 4913, the Securing Open Source Software Act of 2022. The bill establishes several areas of responsibility for CISA regarding open source software security. No funding is authorized in the bill. The Senate Homeland Security and Governmental Affairs Committee is scheduled to take up the bill today.

Moving Forward

Peters is the Chair of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. This explains why that Committee is taking up the bill tomorrow in a markup hearing. The bill is one of 24 that will be considered in that hearing, so little discussion is expected. Amendments may be considered, with most having been worked out in advance so that the Committee will be able to adopt most of the amendments proposed.

I do not see anything in this bill that should engender any organized opposition. I suspect that there will be bipartisan support for the bill since it provides the appearance of doing something about open-source software security. The big problem is that there is little time to move this bill beyond the Committee markup, unless the bill can be successfully considered under the unanimous consent process or added to one of the must pass bills that have yet to be taken up.

Commentary

The unique problem with open-source software is not that it is ‘poorly written’ (the multiple vulnerabilities from poor coding practices are found in software from ‘closed sources’ as well as open-sourced software). No, the problem with many of the smaller libraries that are the source of so many vulnerabilities is that there is little support for correcting the problems when they are identified.

What might be more helpful is if CISA were given the authority to fund internships with open-source creators of selected critical open-source components that have minimal support available. Identifying the critical components will become easier as SBOM requirements become more common, but identifying the authors that would be willing to accept government sponsored interns might be a challenge. Oversight of such internships would also be a challenge. But this could provide immediate support for challenged authors, as well as broadening the scope of those familiar with the details of the critical software.

For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-4913-introduced - subscription required.


Thursday, September 22, 2022

Bills Introduced – 9-21-22

Yesterday, with both the House and Senate in Washington, there were 46 bills introduced. Two of those bills will receive additional coverage in this blog:

S 4908 A bill to improve the visibility, accountability, and oversight of agency software asset management practices, and for other purposes. Peters, Gary C. [Sen.-D-MI]

S 4913 A bill to establish the duties of the Director of the Cybersecurity and Infrastructure Security Agency regarding open source software security, and for other purposes. Peters, Gary C. [Sen.-D-MI]

I do not expect that either bill will directly address control system security, but they will almost certainly have longer range impacts on software security issues that will ultimately apply to control systems.

Note in Passing

I would like to point out an interesting concept found in the description of S 4914 that was also introduced yesterday. Here is how the purpose of the bill was officially described: “A bill to direct the Secretary of State to designate certain Mexican drug cartels as foreign terrorist organizations, and to submit a report to Congress justifying such designations in accordance with section 219 of the Immigration and Nationality Act.”

Now I have no problems with labeling Mexican drug cartels as ‘terrorist organizations’. The definition does not really fit, but the potential sanctions would probably be helpful. The interesting thing here is that Congress would be directing the State Department to do something and then require the Department to justify taking that mandated action. The most obvious response would be to report: “You told us to do this, so we had to do it. We could not have done it if you had not required us to do it.”
