Last month, Rep Lee (R,FL) introduced HR 9769, the Strengthening Cyber Resilience Against State-Sponsored Threats Act. The bill would require CISA to establish an interagency task force to “detect, analyze, and respond to the cybersecurity threat posed by State-sponsored cyber actors, including Volt Typhoon, of the People’s Republic of China”. The task force would submit annual classified reports to Congress. No new funding is authorized by this legislation.
Definitions
Section 2(k) provides definitions for ten key terms used in the legislation. Five of the terms are defined by reference to existing statutory definitions. There is one technical term, ‘Volt Typhoon’, included.
Task Force
Within 120 days of the enactment of this bill, CISA is charged with the responsibility of establishing the interagency task force. The task force will consist of representatives from:
CISA (Chair),
FBI (Vice Chair),
Sector Risk Management Agencies.
The task force would be specifically exempted from the administrative requirements of 5 USC Chapter 10 (Federal Advisory Committee Act) and 44 USC Chapter 35 (Paperwork Reduction Act).
Section 2(h) provides for the automatic termination of the task force “60 days after the final briefing required under subsection (h)(4).” Unfortunately, there is no paragraph (4) in subsection (h). This is a typographical error and apparently should refer to “(f)(4)”.
Reports to Congress
Section 2(f) requires five annual reports to Congress on the activities of the task force. The reports will include:
An assessment at the lowest classification feasible of the sector-specific risks, trends relating to incidents impacting sectors, and tactics, techniques, and procedures utilized by or relating to State-sponsored cyber actors, including Volt Typhoon, of the People’s Republic of China.
An assessment of additional resources and authorities needed by Federal departments and agencies to better counter the cybersecurity threat posed by State-sponsored cyber actors, including Volt Typhoon, of the People’s Republic of China.
A classified assessment of the extent of potential destruction, compromise, or disruption to United States critical infrastructure by State-sponsored cyber actors, including Volt Typhoon, of the People’s Republic of China in the event of a major crisis or future conflict between the People’s Republic of China and the United States.
A classified assessment of the ability of the United States to counter the cybersecurity threat posed by State-sponsored cyber actors, including Volt Typhoon, of the People’s Republic of China in the event of a major crisis or future conflict between the People’s Republic of China and the United States, including with respect to different cybersecurity measures and recommendations that could mitigate such a threat.
A classified assessment of the ability of State-sponsored cyber actors, including Volt Typhoon, of the People’s Republic of China to disrupt operations of the United States Armed Forces by hindering mobility across critical infrastructure such as rail, aviation, and ports, including how such would impair the ability of the United States Armed Forces to deploy and maneuver forces effectively.
A classified assessment of the economic and social ramifications of a disruption to one or multiple United States critical infrastructure sectors by State-sponsored cyber actors, including Volt Typhoon, of the People’s Republic of China in the event of a major crisis or future conflict between the People’s Republic of China and the United States.
Such recommendations as the task force may have for the Homeland Security Enterprise, the intelligence community, or critical infrastructure owners and operators to improve the detection and mitigation of the cybersecurity threat posed by State-sponsored cyber actors, including Volt Typhoon, of the People’s Republic of China.
A one-time plan for an awareness campaign to familiarize critical infrastructure owners and operators with security resources and support offered by Federal departments and agencies to mitigate the cybersecurity threat posed by State-sponsored cyber actors, including Volt Typhoon, of the People’s Republic of China.
Moving Forward
On September 25th, the House Homeland Security Committee conducted a business meeting where twenty pieces of legislation were considered. Among them was HR 9769, which was passed by a voice vote. This means that there is substantial bipartisan support for the bill. This will probably clear the way for the bill to be considered by the full House under the suspension of the rules process, which limits debate, prohibits floor amendments, and requires a supermajority vote for passage.
Commentary
There are two major shortcomings with this legislation. First, there is no mention of the intelligence community in either the composition of the task force or provision of intelligence information in support of the Task Force’s information collection. While CISA and the FBI will have some internally developed information on the topic of Chinese cybersecurity threats, the bulk (and widest scope) of such information will be held by the intelligence community. I suspect that this was deliberately overlooked by the crafters of the bill to avoid sharing congressional oversight with the House Intelligence Committee.
The second problem is the very limited requirement to share information with the critical infrastructure communities. The requirement in §2(f)(3)(H) for a one-time awareness campaign on the Federal support available to counter the identified Chinese cybersecurity threats was crafted to avoid the problems associated with trying to share all of the classified information that the task force is required to share with Congress. This is a common problem with risks associated with State-level threats that Congress is going to have to address for critical infrastructure to be able to adequately respond to such threats.
The combination of these two problems means that there is no mandate to share the really critical information (the actionable intelligence like indicators of compromise, lists of organizations or people likely to be targeted, etc.) with the targeted organizations in critical infrastructure, or especially those outside of that category. While CISA and the FBI have been fairly forthcoming with information about many such attacks, it is almost certain that they are watching other early attacks where publicizing the information would compromise ongoing investigations. This is particularly concerning where smaller companies are supporting critical infrastructure, but do not themselves fall into that category. They are far down the notification process and frequently do not have the tools or personnel needed to adequately respond when they are informed.