Tuesday, January 31, 2017

S Res 23 Introduced – Select Committee on Cybersecurity

Last week Sen. Gardner (R,CO) introduced S Res 23, Establishing the Select Committee on Cybersecurity. The resolution would establish a new committee in the Senate tasked with the oversight of cybersecurity matters in the Federal government.

Membership


The Committee would consist of the Chair and the Ranking Member (or their designees) from the {§1(c)}:

• Committee on Appropriations;
• Committee on Armed Services;
• Committee on Banking, Housing, and Urban Affairs;
• Committee on Commerce, Science, and Transportation;
• Committee on Foreign Relations;
• Committee on Homeland Security and Governmental Affairs;
• Committee on Intelligence; and
• Committee on the Judiciary.

Five additional members from the Senate would be appointed; three by the Majority Leader and two by the Minority Leader.

Jurisdiction


The resolution would authorize the Select Committee to{§1(b)}:

• To oversee and make continuing studies of and recommendations regarding cybersecurity threats to the United States; and
• Report by bill or otherwise on matters within its jurisdiction.

The resolution would require bills to be referred to the Select Committee for consideration if they relate to {§1(e)}:

• Domestic and foreign cybersecurity risks (including state-sponsored threats) to the United States;
• The activities of any department or agency relating to preventing, protecting against, or responding to cybersecurity threats to the United States, and relevant incidents or actions;
• The organization or reorganization of any department or agency to the extent that the organization or reorganization relates to a function or activity involving preventing, protecting against, or responding to cybersecurity threats to the United States, and relevant incidents or actions; and
• Authorizations for appropriations, both direct and indirect, for preventing, protecting against, or responding to cybersecurity threats to the United States, and relevant incidents or actions.

Moving Forward


Neither Gardner nor his sole cosponsor {Sen. Coons (D,DE)} are members of the Committee on Rules and Administration (the committee to which the resolution was referred for consideration), so it is extremely unlikely that that Committee will take action on the bill. While some of the most affected committees in the Senate would be represented on the Select Committee, the formation of this Committee would serve to dilute (at least to some extent) the power of all of the existing committee chairs and ranking members. That will probably provide for sufficient opposition to the bill to prevent it from being considered by the whole Senate even if the bill did make it out of committee.

Commentary


Industrial control systems are not specifically mentioned in the resolution. The key definition in this resolution is a ‘new’ term; ‘cyberspace’. That term is defined as “the global domain within the information environment consisting of the interdependent network of information systems infrastructures (including the Internet, telecommunications networks, computer systems, and embedded processors and controllers)” {§1(a)(3)}.

While that definition would seem to exclude industrial control systems, that is probably not as important as it would be in legislation pertaining to the Executive branch operation or the regulation of the private sector. What bills are referred to a committee is not exactly a legal matter, it is more of a political decision. Matters related to industrial control system security would almost certainly come under the actual purview of the Select Committee.

The important thing to remember here is that the Select Committee would not have exclusive jurisdiction over matters relating to cybersecurity. Where existing committees already have jurisdiction (for example the Homeland Security and Governmental Affairs Committee) over related matters, that jurisdiction would now be shared. For example, a cybersecurity bill giving DHS regulatory authority would be referred to both the HSGA Committee and the Select Committee for consideration and either could effectively kill the bill by failing to consider it.

The one upside to this resolution would be that the professional staff (and the political staff probably) would almost certainly contain a much higher concentration of cybersecurity professionals than any other committee in the Senate. This could allow for a much better technical analysis of (and hopefully influence on) cybersecurity issues. Where that underpaid staff would come from is an interesting question; most would probably come directly out of graduate schools.


Weighing the pros and cons of this bill, I would support the establishment of the Select Committee. I think that the existence of a professional staff with a strong cybersecurity background could end up being enough of a benefit to outweigh the formation of a new political silo in the Senate.

No comments:

 
/* Use this with templates/template-twocol.html */