Patrick Coyle writes the Chemical Facility Security News blog and tweets @pjcoyle. His blog is my go to resource for all things chemical security, and Patrick also does the hard work of tracking all of the control system security legislation. Patrick was kind enough to write up a blog entry on what you should be paying attention to and forecasting what will happen.
—– Begin Patrick’s Entry —–
Congress is currently in an extended summer recess, they won’t come back to work until the middle of September. When they return to Washington, there is little doubt that the upcoming elections in November will have an increasingly obstructive effect on the legislative process. That could have a serious impact on their ability to send any sort of cyber security legislation to the President for signature.
Congress has become increasingly aware of the ever more complex cyber security threat that is potentially affecting both government and industry. There have been a large number of bills introduced in the 111th Congress addressing various aspects of this issue. Over at Chemical Facility Security News I have been watching nine bills that will have some effect on industrial control system (ICS) security if they become law. Dale has asked me to provide his readers with a quick look at the legislative prospects for any of these bills actually reaching the President’s desk.
No Action to Date
One of the main things that most people don’t realize about Congress is that most bills that are introduced are never acted upon. For instance in the last two years over 6,000 bills have been introduced in the House and over 3,000 in the Senate. Less than 1% ever make it through the process. We can see this reflected in ICS security legislation; of the nine bills that I have been watching since they were introduced, six have had no action taken since they were introduced.
In the current legislative environment there is almost no chance that any of these six bills will make it into law before the November elections and little chance that they will be considered even in a post election session that is currently being discussed.
Action that has been taken
Of the three remaining bills one has been passed in the House (HR 4061) and the other two (S 3480 and S 773) have been passed in committee in the Senate. Of the three bills, HR 4061 is the least controversial (it passed in the House 422-5) and it has the best possibility of passing is it makes it to the Senate floor. It is currently being held up in the Senate in the Committee on Commerce, Science, and Transportation. If this Committee takes action on the bill when it comes back from the Summer Recess then this bill has a chance of passage before the election.
HR 4061 does not really do anything to regulate cyber security. It does provide funds for a variety of programs to study cyber security issues, establishes a variety of tuition assistance programs for students studying cyber security, and directs NIST director to coordinate US representation on international technical standards organizations related to cyber security.
The two remaining bills are more controversial, establishing cyber security offices and providing authority for cyber security regulations. There are relatively minor ICS security provisions in each of these bills. The main effect would be to allow cyber security regulation of facilities designated as critical infrastructure; but no specific regulatory provisions are outlined.
While Sen. Lieberman (S 3480) and Sen. Rockefeller (S 773) have publicly touted their respective bills, neither of their committees (they are both Chairmen of their respective committees) have published the amended versions of their legislation that were actually passed in committee. Until these reports are filed, no further action can take place on either of these bills. Because of some controversial provisions in each of these bills, it is unlikely that they will be able to pass in the Senate in the time remaining before election.
No Action Expected
While no one can guarantee what Congress will (or will not) do, it seems unlikely that there will be significant cyber security legislation passed before the elections this fall. If something does pass, it will almost certainly be HR 4061 and that does little more than provide funds for cyber security research and education.
—– End Entry —–
Patrick also has created a Legislation Status page on his web site.