Monday, July 24, 2017

HR 3180 Fails in House – FY 2018 Intel Authorization

Today the House failed to pass HR 3180, the FY 2018 Intel authorization bill. It failed on a vote of 241 to 163; because the bill was considered under suspension of the rules, a 2/3 majority of those voting (270 Ayes out of the 404 Members voting) was required for passage. It was a nearly party-line vote, with 10 Republicans voting Nay and 30 Democrats voting Aye. The House Intelligence Committee will have to go back to the drawing board and try to craft a bill that can garner more support from the Democrats if the leadership continues to rely on passing the bill under suspension of the rules.

The other point to remember, however, is that if the bill could not garner the 2/3 vote required under the suspension of the rules process, then it likely would not be able to make it to the floor of the Senate either, because of the 3/5 vote (60 Senators) required to invoke cloture.


There were no cybersecurity provisions in this bill that would have been of specific interest to readers of this blog.

Committee Hearings – Week of 7-23-17

This week, with both the House and Senate in session, we start to see action on spending bills in the Senate while House spending bills start to move to the floor of the House. Additionally, there are two cybersecurity hearings scheduled this week, one on insurance and the other a markup hearing.

Spending Bills (Senate Appropriations Committee)


DOD Spending Bill


The House Rules Committee will hold a hearing tonight to formulate the rule for HR 3219. What was the DOD FY 2018 spending bill is now the Make America Secure Appropriations Act, 2018, a mash-up of four spending bills {HR 3219 (DOD), HR 3162 (Legislative Branch), HR 2998 (Military Construction/VA), and HR 3266 (Energy and Water Development)}.

None of those bills currently have any provisions of specific interest here. The amendment process could certainly change that.

Proposed amendments are supposed to be submitted by later this morning. There were 28 amendments already submitted by 8:00 am EDT. There is only one cyber related amendment (cyber scholarship spending) currently on the list, but that will probably change.

The bill is currently scheduled to come to the floor later this week (Wednesday?).

Cybersecurity Insurance


On Wednesday the House Small Business Committee will be holding a hearing on “Protecting Small Businesses from Cyber Attacks: The Cybersecurity Insurance Option”. The witness list includes:

• Robert Luft, SureFire Innovations;
• Erica Davis, Zurich Insurance;
• Eric Cernak, Munich Re US; and
• Daimon Geopfert, Security and Privacy Consulting, Risk Advisory Services.

I will be very surprised if control system security issues are even mentioned in passing, but I am certainly open to surprises.

Cybersecurity Markup


The House Homeland Security Committee will be holding a mark-up hearing on Wednesday. Two of the bills may be of specific interest to readers of this blog. The first is HR 3202, Cyber Vulnerability Disclosure Reporting Act, the bill I reviewed yesterday. I certainly hope the Committee adds provisions requiring public posting of the unclassified report.

The second is a new (not yet introduced) bill by Chairman McCaul (R,TX) that would establish the Cybersecurity and Infrastructure Security Agency to replace the current National Protection and Programs Directorate. A committee print of the bill is available and a quick review of the provisions shows that it still relies on the IT-centric definition of ‘cybersecurity risk’ found in 6 USC 148(a). I would really like to see this bill change that definition to one based on the ‘information system’ definition found in 6 USC 1501(9). More on this bill later.

On the Floor of the House


In addition to HR 3219 mentioned above there are two other bills of potential interest currently on the schedule for consideration on the floor of the House. The first is HR 3180, the Intelligence Authorization Act for Fiscal Year 2018. While there are some cyber related provisions in the unclassified portion of the bill, none are of specific interest to readers of this blog. The bill will be considered today under the suspension of the rules, so no amendments will be possible.


The second is an as yet unintroduced “Russia, Iran, and North Korea Sanctions Act”. It will be considered tomorrow, so it will have to be introduced today. A very quick review of the committee draft of the bill does show mention of cybersecurity related sanctions. I’ll review those in more detail later. Interestingly, this bill is also being considered under the suspension of the rules provisions, indicating that the leadership thinks this bill will receive enough bipartisan support to meet the 2/3 majority vote required for passage.

Sunday, July 23, 2017

HR 3202 Introduced – Cybersecurity Reporting

Earlier this month Rep. Jackson-Lee (D,TX) introduced HR 3202, the Cyber Vulnerability Disclosure Reporting Act. The bill would require a report to Congress on procedures that DHS has developed in regards to vulnerability disclosures.

Section 2 of the bill requires DHS (within 240 days of passage of the bill) to submit a report to Congress that describes “the policies and procedures developed for coordinating cyber vulnerability disclosures, in accordance with section 227(m) of the Homeland Security Act of 2002 (6 U.S.C. 148(m) [Link Added; Note: it is §148(l) at this link, an amendment changing that para to (m) has not yet been published])” {§2(a)}.

Moving Forward


Jackson-Lee is an influential member of the House Homeland Security Committee, the committee to which the bill was assigned for consideration. It is very likely that she has enough influence to have this bill considered in Committee. There is nothing in the bill that would draw the ire of any organization. Since it just requires a very legitimate report to Congress it is likely that this bill would have enough bipartisan support to allow it to be considered under the suspension of the rules procedures in the House. If it were to be considered in the Senate, it would likely be considered under their unanimous consent procedure.

Commentary


Since the bill specifies that the main report will be unclassified (with a potential classified annex) I would have liked to have seen the bill include a provision for DHS to post a copy of the unclassified version of the report to the NCCIC web site. That would allow these policies and procedures to become public knowledge, as they should be. Without that sort of provision we may never see this report; it certainly will not show up on a congressional web site.


Saturday, July 22, 2017

Trump Administration Updates Unified Agenda – DHS

This week the Trump Administration’s Office of Information and Regulatory Affairs (OIRA) published an Update to the Unified Agenda. This provides a look at the results of the review of on-going regulatory actions previously addressed by the Obama Administration and new regulatory initiatives started by the new administration. The last Obama update of the Unified Agenda (Fall 2016 Unified Agenda) took place in November, 2016.

Trump’s OIRA described the current Unified Agenda this way:

“The Agenda represents ongoing progress toward the goals of more effective and less burdensome regulation and includes the following developments:
“Agencies withdrew 469 actions proposed in the Fall 2016 Agenda;
“Agencies reconsidered 391 active actions by reclassifying them as long-term (282) and inactive (109), allowing for further careful review;
“Economically significant regulations fell to 58, or about 50 percent less than Fall 2016;
“For the first time, agencies will post and make public their list of "inactive" rules, providing notice to the public of regulations still being reviewed or considered.”

DHS Active Rulemaking


As usual, I have gone through the list of active DHS rulemaking activities and come up with a list of those that may be of specific interest to readers of this blog. Table 1 lists those rulemaking activities.

Agency | Stage | Rulemaking
OS | Proposed Rule | Chemical Facility Anti-Terrorism Standards (CFATS)
USCG | Proposed Rule | Revision to Transportation Worker Identification Credential (TWIC) Requirements for Mariners
TSA | Proposed Rule | Surface Transportation Vulnerability Assessments and Security Plans
Table 1: Items on Current Unified Agenda

This is down from eight that were on the Fall 2016 Agenda. One (1601-AA56) action has been completed with the final rule being published last December. Four items (1601-AA76, 1625-AB94, 1652-AA55, and 1652-AA69) have been moved to the long-range portion of the Agenda (see below).

The pages for each of the rulemakings have been substantially changed in this update. This version does not include a regulatory history (listing of when various stages of the rulemaking process have been completed including a link to the Federal Register for each publication noted). The update also does not provide an expected date for the publication of the next stage in the rulemaking process. In the past those have proven to be grossly inadequate guesses, so there is really not much lost by not including that information.

Long-Term Actions


The long-term action section of the Unified Agenda contains the listing of on-going rulemaking efforts that the Administration does not expect to see reach the next publication stage for at least 12 months. The long-term action section for DHS is quite lengthy. The list includes the rulemakings shown in Table 2 that may be of specific interest to readers of this blog.


Agency | Rulemaking
OS | Ammonium Nitrate Security Program
OS | Homeland Security Acquisition Regulation: Safeguarding of Controlled Unclassified Sensitive Information (HSAR Case 2015-001)
OS | Updates to Protected Critical Infrastructure Information
USCG | Amendments to Chemical Testing Requirements
USCG | 2013 Liquid Chemical Categorization Updates
USCG | Maritime Security--Vessel Personnel Security Training
TSA | Protection of Sensitive Security Information
TSA | Security Training for Surface Transportation Employees
TSA | Vetting of Certain Surface Transportation Employees
Table 2: Long-Term Actions for DHS

This list is longer than the one found in the Fall 2016 Unified Agenda. I have already noted that four items were moved here from the active agenda. Additionally, the Trump Administration added a new rulemaking (1625-AC36) that has been placed on the long-term action list. Finally, OIRA removed a rulemaking (1625-AB21) that had actually been completed (final rule published) well prior to the publication of the Fall 2016 Unified Agenda. The Obama OIRA apparently kept it on the list because the effective date was not until 2018.

Inactive Items


It is interesting to see the Trump Administration introduce the concept of the ‘Inactive Items’ list; rulemakings that have dropped off the Unified Agenda, but are still in the working files of the agency involved and action could possibly be expected at some future date. This list is also odd in that it is a .PDF document rather than an HTML table.

There are four rulemakings on the DHS portion of the list that may be of specific interest to readers of this blog. I have included in the list below a link to the last time that the rulemaking showed up in the Unified Agenda. It is very clear that the administration officials took their mandate to identify such latent rulemakings very seriously.

• 1625-AA12 – USCG – Marine Transportation--Related Facility Response Plans for Hazardous Substances (Fall 2013);
• 1625-AA13 – USCG – Tank Vessel Response Plans for Hazardous Substances (Fall 2013);
• 1652-AA16 – TSA – Transportation of Explosives from Canada to the United States Via Commercial Motor Vehicle and Railroad Carrier (Fall 2011); and
• 1652-AA50 – TSA – Drivers Licensed by Canada or Mexico Transporting Hazardous Materials to and Within the United States (Fall 2015).

Commentary


While Trump vociferously campaigned on a stand against new regulations, this publication of the Unified Agenda update makes it clear that we can still expect to see regulatory actions being taken by this administration. In fact, with respect to those types of regulations that would be of specific interest here, there has been absolutely no indication of a reduction in the number of regulatory actions being undertaken.


It is not entirely clear at this point that the one new rulemaking added to the Unified Agenda Long-Term Agenda in this update (1625-AC36) is really a new regulatory action initiated by the Trump Administration. This has been an on-going issue since the 2010 amendments to the Standards of Training, Certification and Watchkeeping (STCW) Convention and Code, but this is the first time that it has been officially noted in the Unified Agenda.

NIST Cybersecurity Workforce RFI Comments – 07-22-17

This is the first in a series of blog posts looking at the comments that NIST has received on their request for information (RFI) on cyber workforce development. The comments are posted to the NIST National Initiative for Cybersecurity Education (NICE) web site. Comments posted this week came from:


One commenter specifically responded to the questions posed by NIST in their RFI. The others were long-form explications of viewpoints about specific issues. One was a copy of an article published on CIODive.com addressing some non-traditional cybersecurity-training activities that have been tried. Another suggested that we need to start looking at specialization training for cybersecurity personnel rather than generalist training. And the last one addressed the need for rapid changes in cybersecurity training programs to reflect changes in the environment.


The comments from Eric Baechle provided specific responses to the NIST questions. Eric’s views paint a very bleak picture of how cybersecurity specialists are utilized at one, unnamed agency (presumably a government agency, but that is not exactly clear). Not unexpectedly, they describe an agency management that understands neither the complexities of the cybersecurity problems being addressed by the specialized workforce nor the work actually being done by their cybersecurity team. While this is not directly a workforce development issue (other than that there apparently is no effort in this organization to continue developing the skills of the team being employed) it does help to explain why there may be retention issues and employee burnout affecting cybersecurity operations.

HR 3198 Introduced – FAA R&D

Last week Rep. Knight (R,CA) introduced HR 3198, the FAA Leadership in Groundbreaking High-Tech Research and Development (FLIGHT R&D) Act. The bill sets forth the research and development agenda for the Federal Aviation Administration. It includes provisions for cybersecurity research, including:

§31. Cyber Testbed.
§32. Cabin communications, entertainment, and information technology systems cybersecurity vulnerabilities.
§33. Cybersecurity threat modeling.
§34. National Institute of Standards and Technology cybersecurity standards.
§35. Cybersecurity research coordination.
§36. Cybersecurity research and development program.

Most of these provisions address cybersecurity for the FAA’s air traffic control and general IT systems. Two sections (§32 and §36) deal more directly with aircraft cybersecurity.

Cabin Cybersecurity


Section 32 requires the FAA to “evaluate and determine the research and development needs associated with cybersecurity vulnerabilities of cabin communications, entertainment, and information technology systems on civil passenger aircraft” {§32(a)}. The evaluation will address:

• Technical risks and vulnerabilities;
• Potential impacts on the national airspace and public safety; and
• Identification of deficiencies in cabin-based cybersecurity.

Within 9 months of passage of this bill the FAA would be required to report back to Congress on the results of the evaluation and “provide recommendations to improve research and development on cabin-based cybersecurity vulnerabilities” {§32(b)(2)}.

Future Cybersecurity Program


Section 36 directs the FAA to “establish a research and development program to improve the cybersecurity of civil aircraft and the national airspace system” {§36(a)}. There is no specific guidance as to what that program should include beyond mandating that a study of the topic be conducted by the National Academies. A report to Congress is required within 18 months.

Moving Forward


Knight and his two co-sponsors {Rep. Smith (R,TX) and Rep. Babin (R,TX)} are members of the House Science, Space, and Technology Committee, one of the two committees to which this bill was assigned for consideration. Babin is also a member of the House Transportation and Infrastructure Committee, the other committee. This means that both committees could actually consider this bill. With Chairman Smith as a cosponsor, it will almost certainly be considered in the Science, Space and Technology Committee.

There are no monies authorized to be spent by this bill and there are no provisions (mainly due to the lack of specificity in the requirements) that would draw the specific ire of anyone, so there should be no organized opposition to the bill. I suspect that it will be recommended for adoption by the Science, Space, and Technology Committee and, if it makes it to the floor of the House for consideration (probably under the suspension of the rules procedures), it will pass with substantial bipartisan support.

Commentary



It is strange that the cybersecurity of avionics control systems is never mentioned in this bill. The provisions of §32 and §36 are clearly intended to address the issue, but they never directly say that. I suspect that this is done so as not to raise the specific objection from aircraft vendors (and their avionics system suppliers) that no one has ever demonstrated a vulnerability of those control systems. The weasel wording allows those concerned to ignore the specific provisions and thus not oppose the entire bill. This is politics.

Friday, July 21, 2017

HR 3191 Introduced – Russia Cybersecurity

Last week Rep. Boyle (D,PA) introduced HR 3191, the No Cyber Cooperation with Russia Act. The bill would disallow the expenditure of any federal funds for any joint US – Russian cybersecurity initiative. This is a response to the announcement by President Trump after he returned from the G20 Summit that he and Putin had discussed forming a joint cyber-security unit to protect against election hacking.

Section 2 of the bill says simply:

“No Federal funds may be used to establish, support, or otherwise promote, directly or indirectly, the formation of[,] or any United States participation in[,] a joint cybersecurity initiative involving the Government of Russia or any entity operating under the direction of the Government of Russia.”

There are no qualifying definitions or explanations.

Moving Forward


Boyle is a rather junior member of the House Foreign Affairs Committee to which this bill was assigned for consideration. Three of his 13 Democratic cosponsors are also members of that Committee. In normal circumstances, this could provide for the possibility of the bill being considered in Committee. In this case, party membership probably trumps committee membership, so there is very little possibility of this bill being considered in Committee.

Commentary


Even assuming that this is not a completely knee-jerk reaction to a “policy” announcement by Trump (as we frequently saw from Republicans during the Obama Administration) and that there are legitimate reasons to object to the specific policy proposal, the blunt wording of this proposal contains the seeds of many potential unintended consequences.

For example, if Interpol formed a task-force to take down criminal gangs operating botnets, and that unit included police from Russia (where at least some of these botnet operations are headquartered) then this bill would prohibit US participation in the effort. I highly doubt that that is what the crafters intended.


I suspect, however, that this bill (and the two others, HR 3259 and S 1544, that have not yet been printed by the GPO) was written to provide Democrats the opportunity to proclaim that they have introduced legislation opposing Trump’s inopportune proposal. Even if the bill were to somehow be considered and approved by the House and Senate, it would certainly be vetoed by the President, if the unit had been a serious policy proposal in the first place (and that is an open question since the unit was proposed in a TWEET®).