Legislative Activity

House Homeland Security Committee Will Mark up Cyber-Related Legislation

On Wednesday, the House Homeland Security Committee will mark up the Department of Homeland Security Cybersecurity Strategy Act of 2015 (H.R. 3510), which would direct the Department of Homeland Security (DHS) to develop an internal cybersecurity strategy. The bill is in response to DHS’s plans to reorganize the Department and make changes to the cybersecurity divisions within DHS without prior Congressional authorization. Many members of the Committee have expressed their concern about DHS’s attempted reorganization without seeking approval from Congress or the White House. The bill unanimously passed out of the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies earlier this month.

In addition, the Committee will also mark up the Strengthening State and Local Cyber Crime Fighting Act (H.R. 3490) and the DHS Science and Technology Reform and Improvements Act (H.R. 3578), which would expand the Science and Technology Division’s cybersecurity research and development initiatives.

This Week’s Hearings:

  • Tuesday, September 29: The House Armed Services Subcommittee on Emerging Threats and Capabilities will hold a hearing titled “Outside Perspectives on the Department of Defense Cyber Strategy.”
  • Tuesday, September 29: The Senate Armed Services Committee will hold a hearing titled “United States Cybersecurity Policy and Threats.”
  • Wednesday, September 30: The House Foreign Affairs Committee will hold a hearing titled “Cyber War: Definitions, Deterrence, and Foreign Policy.”
  • Wednesday, September 30: The House Armed Services Committee will hold a hearing titled “Implementing the Department of Defense Cyber Strategy.” The hearing will feature Admiral Michael Rogers, Commander of U.S. Cyber Command, and other Department of Defense officials.
  • Wednesday, September 30: The House Homeland Security Committee will marked up several DHS-related bills, including the Department of Homeland Security Cybersecurity Strategy Act of 2015 (H.R. 3510).

Executive Branch Activity

Obama Reaches Cyber Deal with China

During Chinese President Xi Jinping’s visit last week, President Obama announced that the U.S. and China had reached a cybersecurity agreement that expressed that neither country would conduct cyber theft of intellectual property, including trade secrets or other confidential business information, against each other with the intent of providing competitive advantage to private sector businesses and industries within their countries. The deal is based on a promise that both heads of state made to address the cyber tensions that have existed between the two countries in recent years, particularly in light of the recent Office of Personnel Management (OPM) data breach. The agreement also includes a commitment that both countries will work closely to respond to law enforcement requests for information investigating cybercrimes. The U.S. and China will also form a working group on cybercrime, which the Departments of Justice and Homeland Security will lead.

While many Members of Congress and outside stakeholders have said that the goals of the agreement are moving the two countries in the right direction, most have expressed doubts that China will live up to its end of the bargain. Prior to President Xi’s visit, many Members of Congress had called for the President to issue sanctions against China in response to the OPM hack but the Administration ultimately decided against it. President Obama reported told President Xi that the U.S. may still impose sanctions or utilize other tools to punish Chinese cyber criminals if the situation does not improve or if China violates the agreement.

NIST Releases Draft Framework for Cyber-Physical Systems

On September 18, the National Institute of Standards and Technology (NIST) released its Draft Framework for Cyber-Physical Systems and is giving the public 45 days to comment on the document. The Cyber-Physical Systems Public Working Group, an open public forum that NIST established, prepared the document after hosting numerous stakeholder discussions that were focused on developing the framework. Cyber-physical systems and other related systems, such as the Internet of Things, are regarded as having great potential to enable innovative applications and impact economic sectors in the future. Given the potential, the document seeks to develop new standards to ensure that these systems can operate safely within compromised conditions if needed.

NIST Considers Updating the Cybersecurity Framework

The original NIST Cybersecurity Framework was released almost two years ago following President Obama’s 2013 Executive Order calling for a voluntary set of standards for critical infrastructure owners and operators to use to improve their cybersecurity. NIST officials have indicated that they may be launching a process soon that would allow stakeholders to discuss further revisions to the Cybersecurity Framework to address needed updates based on the experiences of entities that have used the Framework. For example, NIST is looking at possibly updating the cybersecurity controls references in the document and wants to discuss how companies use their risk management frameworks with the Cybersecurity Framework. They will also likely focus on how organizations are using the Framework in a cost effective manner.