Thursday, April 25, 2024

Review - S 3773 Introduced – HHS Cybersecurity Testing

In February, Sen Rubio (R,FL) introduced S 3773, the Strengthening Cybersecurity in Health Care Act. The bill would require the Health and Human Services Department Inspector General to conduct penetration tests and other testing procedures to determine how systems that process, transmit, or store mission critical or sensitive data by, for, or on behalf of the Department are currently, or could be, compromised. No new funding is provided by the bill.

Moving Forward

While Rubio is not a member of the Senate Health, Education, Labor, and Pensions Committee to which this bill was assigned for consideration, one of his three cosponsors {Sen Hassan (D,NH)} is a member. This means that there may be sufficient influence to see the bill considered in Committee. I do not see anything that would engender any organized opposition to the bill. I suspect that there would be some level of bipartisan support for the legislation if it were considered.

This bill is not politically important enough to consume the time necessary for consideration in the Senate under regular order. This bill might be able to pass under the Senate’s unanimous consent process, but that process always faces the potential for opposition unrelated to the provisions of the bill. This bill is well suited to being included in the annual HHS spending bill and Rubio, a member of the Senate Appropriations Committee, is well placed to see that happen.

Commentary

HHS has little in the way of internal clinics that might be affected by such testing, so it is unlikely that there will be any medical devices covered by the requirements of this bill. I really mention it here because of the unique requirement for IG cybersecurity testing. This is well within the scope of operations of inspectors general, if probably outside of the existing skill sets for those organizations. While not wishing to see CISA’s prominence in government cybersecurity efforts diminished, I think that this might be a good requirement for each inspector general office in the federal government. And it might provide an interesting internal skill set that could be used in other IG investigations.


For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3773-introduced - subscription required.

Short Takes – 4-25-24 – Space Geek Edition

A NASA rover has reached a promising place to search for fossilized life on Mars. Phys.org article. Pull quote: “Mars sample return remains NASA's highest planetary science priority and is strongly supported by the planetary science community around the world. The samples from Perseverance may revolutionize our view of life in the universe. Even if they don't contain fossils or biomolecules, they will fuel decades of research and give future generations a completely new view of Mars. Let's hope NASA and the US government can live up to the name of their rover, and persevere.”

SpaceX’s Special Starship Cargo Lander Capacity Revealed By NASA Ahead Of Fourth Starship Test. WCCFTech.com article. Pull quote: “In a press release, NASA outlined that the cargo landers, part of the original HLS award will land on the Moon starting from the Artemis 7 mission. The Artemis 7 was slated to land on the Moon in 2030 according to a NASA manifest from 2022 - before the space agency moved its timeline for the Artemis 2 mission forward by a year. Artemis 2 will be the first time humans will venture to the Moon since the Apollo program, and the mission was initially slated to launch this year.”

China's Tiangong space station damaged by debris strike. Space.com article. Pull quote: “"The space station's core module Tianhe had suffered a partial loss of power supply due to the impact of the space debris on the solar wing's power cables," Xinhua reported, paraphrasing CMSA deputy director Lin Xiqiang.”

China on track for crewed moon landing by 2030, space official says. SpaceNews.com article. Pull quote: “Lin added that astronaut training for the mission includes mastering operation of the Mengzhou and Lanyue spacecraft, including in normal and emergency flight conditions. Rendezvous and docking and manually avoiding obstacles during the lander’s descent were noted as part of the training. Other activities include entering and exiting the lander, working in one-sixth of Earth’s gravity, long-range lunar roving, drilling, sampling and other scientific work on the lunar surface.”

Companies offer proposals for Apophis asteroid missions. SpaceNews.com article. Pull quote: “Scientists, though, are interested in sending additional missions to Apophis, particularly those that would fly by or orbit the asteroid before the flyby so that researchers can better understand what impact tidal forces from the flyby might have on the asteroid. Several such mission concepts were discussed during an April 22–23 workshop at a European Space Agency center in The Netherlands.”

Major changes approved for ClearSpace-1 mission. SpaceNews.com article. Pull quote: ““On 10 August, 2023, a collision involving our original target increased the risk of capture and induced the spinning of the object,” ClearSpace CEO Luc Piguet told SpaceNews by email. “This made it more difficult to capture and added complexity to the mission as the goal is to remove debris completely.””

Wednesday, April 24, 2024

Short Takes – 4-24-24

E. coli engineered to become methanol addict to make industry feedstocks. ChemistryWorld.com article. A little biochem geeky stuff. Pull quote: “Lead author Julia Vorholt at ETH Zurich says the first step was to get E. coli ‘addicted’ to methanol. ‘If you make a mutation in a certain gene then [E. coli] needs to make a little bit of biomass for some specific compounds from methanol,’ she explains. Leaving the bacteria to grow in a bioreactor with just enough carbon to survive and an abundance of methanol favours those that can use alcohol. Natural selection takes over and bacteria which thrive using methanol outcompete the others until eventually E. coli has evolved the same fixation cycle seen in other methylotrophs.”

America’s crisis of repetition is hurting national security. BreakingDefense.com article. Pull quote: “Finally, the challenge of identifying obstacles to implementation is hard — and frankly, not necessarily interesting. It involves detective work: asking questions, knowing processes across government, and understanding funding streams. It requires persistence and takes time. It’s a lot less exciting than coming up with purportedly “new” ideas.”

Artemis Mission: Making NASA’s New Moon Suits. Makezine.com article. Pull quote: “This carefulness is evident when you walk into their sewing labs. The labs are filled with single needle, double needle, off-arm, post, bar-tack, serger, and zig-zag sewing machines, all used for the creation of the suits. In typical clothing factories, the buzz of machines is constant and fast. Axiom’s sewing lab is almost dead silent. Some of the sewers even turn the machines by hand to achieve the level of precision needed.”

Agency Information Collection Activities: CISA Gateway User Registration. Federal Register CISA 60-day ICR renewal/change notice. Changes: “The collection was initially approved on October 9, 2007, and the most recent approval was on December 19, 2023, with an expiration date of June 30, 2024. The changes to the collection since the previous OMB approval include; updating the title of the collection, decrease in burden estimates and decrease in costs. The total annual burden cost for this collection has changed by $3,096.40, from $4,128 to $7,224.40 due to the removal of the utilization survey, and the addition of PCIIMS respondents. For the CISA Gateway, the total number of responses has increased from 350 to 700 due to the updated metrics resulting from the awareness campaign and due to the registration process changing which does not include the training registration. The annual government cost for this collection has changed by $8,340.92 from $5,723 to $14,063.92 due to the removal of the utilization survey, and the addition of PCIIMS respondents. This is a renewal with changes of an information collection.” Comments due June 24th, 2024.

National Security Telecommunications Advisory Committee. Federal Register DHS meeting notice. Agenda: “The NSTAC will meet in an open session on Thursday, May 23, 2024, from 3:15 p.m. to 4:30 p.m. EDT to discuss current NSTAC activities and the government's ongoing cybersecurity and NS/EP communications initiatives. This open session will include: (1) an update on the administration's cybersecurity initiatives; (2) a keynote address; (3) an update on current NSTAC activities; and (4) a status update on the NSTAC Principles for Baseline Security Offerings from Cloud Service Providers Study.”

Sorry, Little Green Men: Alien Life Might Actually Be Purple. ScientificAmerican.com article. Pull quote: “Prior to that, microorganisms generated metabolic energy by harnessing sunlight using a purple-pigmented molecule called retinal, whose origin may have predated chlorophyll. If retinal exists on other faraway worlds, scientists think the molecule's unique fingerprint would be discernible by upcoming ground- and space-based telescopes.”

Monkeypox virus: dangerous strain gains ability to spread through sex, new data suggest. Nature.com article. Pull quote: “Although mpox infections have waned globally since 2022, they have been trending upwards in the DRC: in 2023 alone, the country reported more than 14,600 suspected infections and more than 650 deaths. In September, 2023, a new cluster of suspected cases arose in the DRC’s South Kivu province. This cluster especially concerns researchers, as it has been spreading largely among sex workers, suggesting that the virus has adapted to transmit readily through sexual contact.”

Remnants of bird flu virus found in pasteurized milk, FDA says. OCRegister.com article. Pull quote: “Because the detection of the bird flu virus known as Type A H5N1 in dairy cattle is new and the situation is evolving, no studies on the effects of pasteurization on the virus have been completed, FDA officials said. But past research shows that pasteurization is “very likely” to inactivate heat-sensitive viruses like H5N1, the agency added.” While I agree with the theory, I am not a big fan of ‘very likely’ as a scientific statement. And what happens if A H5N1 fragments get into someone with an active flu infection; would we see recombination?

Consideration HR 3935 – FAA Reauthorization –

Yesterday, the Senate resumed consideration of the motion to proceed to consideration of H.R. 3935. Sen Schumer (D,NY) entered a motion to close further debate on the motion to proceed to consideration of the bill. The vote on that cloture motion will take place when the Senate returns on April 30th, 2024, after the vote on the Georgia N. Alexakis nomination.

The Senate actually started this process back in September, but it led nowhere. At the time there were suggestions that Schumer was going to use the bill as a vessel for consideration of a clean continuing resolution while the House was trying to sort out how to proceed on the spending bills under Rep McCarthy (R,CA). At that time there had been one anti-Ukraine amendment submitted by Sen Vance (R,OH).

No new amendments have been submitted yet for consideration during the actual debate on HR 3935. The first amendment will almost certainly come from Sen Cantwell (D,WA) offering the reported version of S 1939 as substitute language for HR 3935. Additional amendments will be submitted, and some will be considered.

As I noted in a post on S 1939, there is an interesting counter-UAS provision in the Senate bill:

“Section 811 would amend 49 USC Chapter 448 by adding a new § 44813 Unmanned aircraft system detection and mitigation enforcement. The new section would prohibit anyone (other than certain government agencies and employees) from operating ‘a system or technology to detect, identify, monitor, track, or mitigate an unmanned aircraft or unmanned aircraft system in a manner that adversely impacts or interferes with safe airport operations, navigation, or air traffic services, or the safe and efficient operation of the national airspace system.’ The term ‘adversely impacts or interferes with’ is not defined. Violators would be subject to a civil penalty of not more than $25,000 per violation. This prohibition would terminate on September 30, 2028.”

Review - CSB Updates Accidental Release Reporting Data – 4-19-24

Yesterday, in preparation for their quarterly business meeting tomorrow, the CSB updated their published list of reported chemical release incidents. They added 26 new incidents that occurred since the previous version was published in January and inserted eight ‘new’ incidents that occurred before January. These are not incidents that the CSB is investigating; these are incidents that were reported to the CSB under their Accidental Release Reporting rules (40 CFR 1604).

The table below shows the top four states based upon the number of reported incidents since the January update was published.

 

For more details on the new information in the database, including a new top ten chemical incident States list, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updates-accidental-release-reporting-fae - subscription required.

Tuesday, April 23, 2024

Short Takes – 4-23-24

Russia-linked hacking group claims to have targeted Indiana water plant. CNN.com article. Pull quote: ““While the video is sensational, the actions taken by the threat actor are amateur and would amount to a minor annoyance for plant operators,” Fabela, who is CEO of Infinity Squared Group, a consulting firm, told CNN.”

A powerful volcano is erupting. Here’s what that could mean for weather and climate. CNN.com article. Pull quote: “In comparison, satellite instruments have estimated Mount Ruang has released around 300,000 tons of sulfur dioxide so far [compared to 17 million tons in the 1991 Mount Pinatubo eruption], though it’s unclear how much of that plume made it into the stratosphere. While that amount is quite massive in its own right, it falls well short of the most extreme case, according to Huey.”

Could Trump Go to Prison? If He Does, the Secret Service Goes, Too. Pull quote: “Former corrections officials said there were several New York state prisons and city jails that have been closed or partly closed, leaving wings or large sections of their facilities empty and available. One of those buildings could serve to incarcerate the former president and accommodate his Secret Service protective detail.”

FEMA is making an example of this Florida boomtown. Locals call it ‘revenge politics’. GovExec.com article. Pull quote: “Even if Lee County manages to contest the decision, homeowners in Southwest Florida are almost guaranteed to suffer more financial pain as a result of this enforcement effort. If FEMA stays the course and removes the discount, it will raise flood insurance costs for homeowners in unincorporated parts of the county between $14 and $17 million per year, equating to a $300 annual hit for each flood insurance customer in the area. But if Lee County cracks down on the 50% rule and FEMA restores the discount, homeowners who rebuilt in flood zones may have to spend hundreds of thousands of dollars to elevate their homes.”

Stars and Stripes Media Organization. Federal Register DOD proposed rule. Summary: “This rulemaking proposes to update authorities and responsibilities for the Stars and Stripes Media Organization (often abbreviated as Stripes) to reaffirm its editorial independence in providing media products not only to military service members and DoD civilian employees, but to U.S. veterans, families of veterans and current service members, and contractor personnel, particularly those serving overseas, based on changes in the consumption of news and information in a digital age. It additionally proposes to remove internal operational procedures of the Stars and Stripes Media Organization that do not require rulemaking under the Administrative Procedure Act.” Comments due June 24th, 2024.

DC3 and DCSA Partner to Announce Vulnerability Disclosure Program for Defense Industrial Base. GovDelivery.com press release. Pull quote: “Through operational agreements and strategic partnerships, DC3 and the DCSA routinely collaborate on ways to share information security data. DoD VDP vulnerability reporting is shared with DoD system owners on the Joint Force Headquarters-DoD Information Networks via the Vulnerability Report Management Network (VRMN). A parallel system, DIB VRMN, employs the same efficient and automated approach while ensuring that DIB data is tracked and held separately from DoD data. Implementation of a DIB-VDP is the most effective means of sharing DIB-sourced vulnerabilities with DIB companies. It promotes timely mitigation of identified vulnerabilities on DIB company internet-facing information systems. This enables vulnerability remediation in DIB companies at a much earlier point than in traditional vulnerability management efforts.”

Green Roofs Are Great. Blue-Green Roofs Are Even Better. Wired.com article. Pull quote: “The water levels in the blue-green roof are managed by a smart valve. If the weather forecast says a storm is coming, the system will release stored water from the roof ahead of time. That way, when a downpour comes, the roof refills, meaning there’s less rainwater entering the gutters and sewers in the surrounding area. In other words, the roof becomes a sponge that the operator can wring out as needed. “In the ‘squeezable’ sponge city, you make the whole city malleable,” says Spaan.”

Rooftop solar panels are flooding California’s grid. That’s a problem. WashingtonPost.com article. Pull quote: “But a year ago, the state changed this system, known as “net-metering,” and now only compensates new solar panel owners for how much their power is worth to the grid. In the spring, when the duck curve is deepest, that number can dip close to zero. Customers can get more money back if they install batteries and provide power to the grid in the early evening or morning.”

A rapid shift in ocean currents could imperil the world’s largest ice shelf. ScienceNews.org article. Pull quote: “These findings come at an ominous time. Even as sea ice shrank in the Arctic, it remained stable around Antarctica for decades. But Antarctic sea ice has declined steeply since 2017, especially near the Ross Ice Shelf. Scientists recently reported that the cold, salty waterfall to the Antarctic seafloor is already starting to slow. This is “alarming,” Lowry says. We now know that the ice shelf can easily switch from cold to warm. “The question is, are we observing the switch?””

Review – 2 Updates Published – 4-23-24

Today, CISA’s NCCIC-ICS published updates for two control system security advisories for products from Chirp Systems and Mitsubishi Electric.

Updates

Chirp Systems Update - This update includes additional information on an advisory that was originally published on March 7th, 2024.

Mitsubishi Update - This update includes additional information on an advisory that was originally published on February 20th, 2024.


For more information on these updates, including a summary of the changes made, and a brief look at the Chirp Systems negative response to the advisory, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-updates-published-4-23-24 - subscription required.
