HR 2980 Markup
Cybersecurity Vulnerability Remediation Act
Last week the House Homeland Security Committee held a markup hearing that considered seven bills, including four cybersecurity related bills. One of those cyber bills was HR 2980, the Cybersecurity Vulnerability Remediation Act. The bill was ordered favorably reported after substitute language was approved. Both actions were taken under unanimous consent.
Substitute Language
Rep Jackson-Lee offered substitute language for this bill which was adopted by unanimous consent. There were two significant changes to this bill. The first change of concern is found in the language in the new subsection (o) that the bill proposes to add to 6 USC 659. It adds the phrase “to information systems and industrial control systems” to clarify what ‘cybersecurity vulnerabilities’ CISA may be expected to “identify, develop, and disseminate actionable protocols to mitigate”.
Secondly, a similar language addition is made in §4 of the bill. That section allows DHS S&T to establish a competition relating to cybersecurity vulnerabilities. The substitute language adds the following language to again describe the cybersecurity vulnerabilities being targeted:
“…information systems (as such term is defined in such section 2209) and industrial control systems, including supervisory control and data acquisition systems.”
There were two other changes made in the substitute language of note, but of less significance. The original language had §2 of the bill amending §659 by adding a subsection (n). A subsection (n) already exists (Coordinated vulnerability disclosure), so the amendment was changed to subsection (o). This led to a change in the reporting requirements of §3(a)(2) of the bill, expanding the reporting requirements to include activity about the new subsection (o) as well as the existing subsection (n).
Finally, of administrative interest only, a new §4 was added to the bill by the substitute language making the same section numbering changes to Subtitle A of Title XXII of the Homeland Security Act of 2002 that I described in my post about HR 3223. Similar language was also included in HR 3138, making it more likely that at least one of these bills will make it to the President’s desk and get the problem corrected. Even making administrative changes to the US Code requires the full legislative process.
Moving Forward
Once the Committee Report on this bill is published, the bill is very likely to move quickly to the floor of the House where it will be considered under the suspension of the rules process. This would mean limited debate, no floor amendments and would require a supermajority to pass. The bill would almost certainly pass with strong bipartisan support.
There is a possibility that this bill could then be considered in the Senate under their unanimous consent process. But, as always, a single Senator could prevent that consideration, and that action would not necessarily have anything to do with the merits of this bill. This bill would not make it to the floor of the Senate under regular order. It is just not important enough to consume the time of the Senate in the debate and amendment process.
Commentary
It is interesting that the second addition of ICS language includes the reference to SCADA systems and the first does not. It probably does not make a whole bunch of difference here since neither term is defined in the US Code. It is likely, however, to show up in some court action where a defense attorney argues that his client was not affected by some CISA action because they operated a SCADA system and not an industrial control system. Whether or not that claim worked would depend in large part upon the judge involved.
I would very much rather have seen a revision to the definition of ‘information system’ or even the addition of a definition of ‘control system’ (see my discussion here), but adding that level of complication to this bill may make it harder to move to the President’s desk. This is still a topic that needs to be addressed by Congress.
Curious what the 'competition' is? Is this a new protocol or family of standard protocols with security? A hackfest? A capture-the-flag competition?