HR 3386 Introduced - Smart Cities and Communities Act
Back in May, Rep DelBene introduced HR 3386, the Smart Cities and Communities Act of 2021. The bill enhances Federal Government coordination and outreach with respect to smart city or community technologies. It includes the formation of a federal cybersecurity working group and five cybersecurity ‘in passing’ mentions in four sections of the bill.
Definitions
Section 3 of the bill provides the definitions of nine key terms used in the bill. The most important is the definition of the term ‘smart city or community’. This is a lengthy operational definition which includes a list of ‘inclusions’ that describes activities that exemplify a ‘smart city or community’. Included in that list is the example of a city or community that integrates measures “to ensure the resilience of civic systems against cybersecurity threats and physical vulnerabilities and breaches”.
Cybersecurity Working Group
Section 202 requires the Department of Commerce to “convene a multistakeholder working group, to be known as the “Cybersecurity Working Group”, to develop tools for communities to use to evaluate the cybersecurity of smart city or community technologies.” The DOC will consider appointing individuals to the Working Group including:
Representatives of consumer groups and civil liberties organizations,
Representatives of small units of local government, as determined by the Secretary,
Representatives of large units of local government, as determined by the Secretary,
Manufacturers of smart city or community devices, equipment, and software,
Individuals with expertise in communications networks,
Federal, State, and local law enforcement officials,
Individuals with other expertise necessary to carry out the duties of the Working Group, and
Such representatives of the Council as the Secretary determines to be appropriate.
The Working Group will:
Leverage and build on previous activities carried out by the Department of Commerce relating to Internet of Things (IoT) technology,
Develop tools for communities to evaluate the cybersecurity of smart city or community technology being considered by the communities for adoption in those communities,
Develop tools for communities to protect against cybersecurity threats relevant to the technology the community has chosen to adopt, and
Submit to the Council a report that describes the findings of the Working Group.
Additionally, the Working Group will assess whether IoT cybersecurity standards should exist and if they should be voluntary or mandatory.
Cybersecurity in Passing
Section 101 addresses the coordination of smart-city activities among federal agencies. In the list of activities to be prioritized §101(a)(1)(B) includes “safeguard cybersecurity, including by promoting industry practices relating to cybersecurity”. Subparagraph (C) of that section requires that the Federal activities in safeguarding cybersecurity “take into account existing Federal, State, and local frameworks, guidelines, and best practices when considering the application of those frameworks, guidelines, and best practices to smart city technologies.”
Section 102 establishes a requirement for DOC to publish a “resource guide designed to assist States, communities, and cities in the United States in developing and implementing smart city or community programs.” One of the items that would be allowed to be included in the guide would be “Federal, State, and local best practices for safeguarding cybersecurity and ensuring appropriate data management and data privacy”.
Section 203 establishes a ‘Techhire’ workforce training and development grant program. Subsection (b) sets forth the requirements that grantees must include in their programs. That includes a requirement to “address privacy and cybersecurity considerations”.
Section 301 would require DOC to strongly encourage and support “participation by Federal Government experts in private sector-led, standards-related activities that convene smart city or community stakeholders”. Subsection (b) outlines the activities that DOC is expected to undertake to support that participation. It includes a requirement to “ensure that cybersecurity and privacy are core elements of the recommended performance standards and interoperability standards”.
Moving Forward
While DelBene is not a member of the House Energy and Commerce Committee, the lead committee of the three committees to which this bill was assigned for consideration, one of her two cosponsors {Rep Clarke (D,NY)} is a member, so it is possible that this bill could be considered in Committee. I do not see anything in the bill that should engender any organized opposition to the bill. If it is considered in Committee, I would expect to see at least some level of bipartisan support for the bill.
The stronger the bipartisan support for this bill, the more likely it will be to be considered on the floor of the House under the suspension of the rules process. If there is not strong bipartisan support, I do not see the Leadership bringing the bill to the floor.
Commentary
I am seeing more and more of these bills being introduced with the ‘cybersecurity in passing provisions’. In one way of looking at this, these abbreviated requirements are good because congressional staffs are recognizing that cybersecurity should be an integral part of quite a few things that go on in the economy. Adding these minor cybersecurity requirements and mentions, while not comprehensive cybersecurity coverage by any means, does serve to ensure that more sectors of the economy become aware of how cybersecurity could affect their operations.
The downside to this is that the cybersecurity terms being employed do not have established definitions in most of the US Code. In this instance the term of concern is ‘cybersecurity’. In the way that it is used in this bill it really means a ‘cybersecurity purpose’. With that knowledge we could add a single definition to Section 3:
(10) CYBERSECURITY.-The term ‘cybersecurity’ means a cybersecurity purpose as that term is defined in 6 USC 1501.
This definition is helpful because it relies on the ICS-inclusive definition of ‘information system’ that is used in §1501.