S Res 23 Introduced – Select Committee on Cybersecurity

Last week Sen. Gardner (R,CO) introduced S Res 23, Establishing the Select Committee on Cybersecurity. The resolution would establish a new committee in the Senate tasked with the oversight of cybersecurity matters in the Federal government.

Membership

The Committee would consist of the Chair and the Ranking Member (or their designees) from the {§1(c)}:

• Committee on Appropriations;

• Committee on Armed Services;

• Committee on Banking, Housing, and Urban Affairs;

• Committee on Commerce, Science, and Transportation;

• Committee on Foreign Relations;

• Committee on Homeland Security and Governmental Affairs;

• Committee on Intelligence; and

• Committee on the Judiciary.

Five additional members from the Senate would be appointed; three by the Majority Leader and two by the Minority Leader.

Jurisdiction

The resolution would authorize the Select Committee to{§1(b)}:

• To oversee and make continuing studies of and recommendations regarding cybersecurity threats to the United States; and

• Report by bill or otherwise on matters within its jurisdiction.

The resolution would require bills to be referred to the Select Committee for consideration if they relate to {§1(e)}:

• Domestic and foreign cybersecurity risks (including state-sponsored threats) to the United States;

• The activities of any department or agency relating to preventing, protecting against, or responding to cybersecurity threats to the United States, and relevant incidents or actions;

• The organization or reorganization of any department or agency to the extent that the organization or reorganization relates to a function or activity involving preventing, protecting against, or responding to cybersecurity threats to the United States, and relevant incidents or actions; and

• Authorizations for appropriations, both direct and indirect, for preventing, protecting against, or responding to cybersecurity threats to the United States, and relevant incidents or actions.

Moving Forward

Neither Gardner nor his sole cosponsor {Sen. Coons (D,DE)} are members of the Committee on Rules and Administration (the committee to which the resolution was referred for consideration), so it is extremely unlikely that that Committee will take action on the bill. While some of the most affected committees in the Senate would be represented on the Select Committee, the formation of this Committee would serve to dilute (at least to some extent) the power of all of the existing committee chairs and ranking members. That will probably provide for sufficient opposition to the bill to prevent it from being considered by the whole Senate even if the bill did make it out of committee.

Commentary

Industrial control systems are not specifically mentioned in the resolution. The key definition in this resolution is a ‘new’ term; ‘cyberspace’. That term is defined as “the global domain within the information environment consisting of the interdependent network of information systems infrastructures (including the Internet, telecommunications networks, computer systems, and embedded processors and controllers)” {§1(a)(3)}.

While that definition would seem to exclude industrial control systems, that is probably not as important as it would be in legislation pertaining to the Executive branch operation or the regulation of the private sector. What bills are referred to a committee is not exactly a legal matter, it is more of a political decision. Matters related to industrial control system security would almost certainly come under the actual purview of the Select Committee.

The important thing to remember here is that the Select Committee would not have exclusive jurisdiction over matters relating to cybersecurity. Where existing committees already have jurisdiction (for example the Homeland Security and Governmental Affairs Committee) over related matters, that jurisdiction would now be shared. For example, a cybersecurity bill giving DHS regulatory authority would be referred to both the HSGA Committee and the Select Committee for consideration and either could effectively kill the bill by failing to consider it.

The one upside to this resolution would be that the professional staff (and the political staff probably) would almost certainly contain a much higher concentration of cybersecurity professionals than any other committee in the Senate. This could allow for a much better technical analysis of (and hopefully influence on) cybersecurity issues. Where that underpaid staff would come from is an interesting question; most would probably come directly out of graduate schools.

Weighing the pros and cons of this bill, I would support the establishment of the Select Committee. I think that the existence of a professional staff with a strong cybersecurity background could end up being enough of a benefit to outweigh the formation of a new political silo in the Senate.

Bills Introduced – 01-24-17

With both the House and Senate leaving for an extended weekend (a proforma session for both houses on Friday) there were 152 bills introduced. Of those 9 bills may be of specific interest to readers of this blog:

HR 625 To provide for joint reports by relevant Federal agencies to Congress regarding incidents of terrorism, and for other purposes. Rep. Aguilar, Pete [D-CA-31]

HR 642 To amend the Homeland Security Act of 2002 to enhance the partnership between the Department of Homeland Security and the National Network of Fusion Centers, and for other purposes. Rep. Barletta, Lou [R-PA-11]

HR 666 To amend the Homeland Security Act of 2002 to establish the Insider Threat Program, and for other purposes. Rep. King, Peter T. [R-NY-2]

HR 677 To amend the Homeland Security Act of 2002 to establish chemical, biological, radiological, and nuclear intelligence and information sharing functions of the Office of Intelligence and Analysis of the Department of Homeland Security and to require dissemination of information analyzed by the Department to entities with responsibilities relating to homeland security, and for other purposes. Rep. McSally, Martha [R-AZ-2]

HR 678 To require an assessment of fusion center personnel needs, and for other purposes. Rep. McSally, Martha [R-AZ-2]

HR 686 To ensure appropriate spectrum planning and interagency coordination to support the Internet of Things. Rep. Paulsen, Erik [R-MN-3]

HR 697 To amend the Homeland Security Act of 2002 to improve the management and administration of the security clearance processes throughout the Department of Homeland Security, and for other purposes. Rep. Thompson, Bennie G. [D-MS-2]

HR 701 To direct the Administrator of the National Highway Traffic Safety Administration to conduct a study to determine appropriate cybersecurity standards for motor vehicles, and for other purposes. Rep. Wilson, Joe [R-SC-2] 

S Res 23 A resolution establishing the Select Committee on Cybersecurity. Sen. Gardner, Cory [R-CO]

HR 625 will only be of interest here if it includes specific language addressing cybersecurity, chemical security, or chemical transportation security issues.

Hopefully HR 642 will also address the types of expertise needed at fusion centers.

HR 666 will probably be reintroduced to avoid the religious connotations of the bill number.

HR 677 is probably very similar to HR 2200 introduced in the last session and passed in the House by a nearly unanimous vote. Another bill that was not taken up by the Senate.

HR 678 is probably similar to HR 3503 introduced in the last session and passed by a voice vote. And yet another one.

I suspect that HR 686 is a companion bill to S 88 introduced earlier this month in the Senate.

HR 697 may be similar to HR 3505 introduced in the last session. I did not cover that bill because it did not really address the security clearance process for the private sector organizations to aid information sharing.

Hopefully HR 701 will specifically address the relationship between independent security researchers, NHTSA and auto companies.

Establishing a Select Committee on Cybersecurity sounds like a way to raise the profile of cybersecurity issues. Unfortunately, it will also make law making on the topic more difficult as it will add another committee silo through which cybersecurity related bills will have to pass. Inter-committee politics does almost as much to slow down the legislative process as does partisan politics.