September 26, 2019 - Issue: Vol. 165, No. 156 - Daily Edition, 116th Congress (2019-2020), 1st Session
CYBERSECURITY VULNERABILITY REMEDIATION ACT; Congressional Record Vol. 165, No. 156
(House of Representatives - September 26, 2019)
[Pages H8013-H8015]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

CYBERSECURITY VULNERABILITY REMEDIATION ACT

Ms. JACKSON LEE. Mr. Speaker, I move to suspend the rules and pass the bill (H.R. 3710) to amend the Homeland Security Act of 2002 to provide for the remediation of cybersecurity vulnerabilities, and for other purposes.

The Clerk read the title of the bill.

The text of the bill is as follows:

H.R. 3710

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the ``Cybersecurity Vulnerability Remediation Act''.

SEC. 2. CYBERSECURITY VULNERABILITIES.

Section 2209 of the Homeland Security Act of 2002 (6 U.S.C. 659) is amended--
  (1) in subsection (a)--
    (A) in paragraph (5), by striking ``and'' after the semicolon at the end;
    (B) by redesignating paragraph (6) as paragraph (7); and
    (C) by inserting after paragraph (5) the following new paragraph:
      ``(6) the term `cybersecurity vulnerability' has the meaning given the term `security vulnerability' in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501); and''.
  (2) in subsection (c)--
    (A) in paragraph (5)--
      (i) in subparagraph (A), by striking ``and'' after the semicolon at the end;
      (ii) by redesignating subparagraph (B) as subparagraph (C);
      (iii) by inserting after subparagraph (A) the following new subparagraph:
        ``(B) sharing mitigation protocols to counter cybersecurity vulnerabilities pursuant to subsection (n); and''; and
      (iv) in subparagraph (C), as so redesignated, by inserting ``and mitigation protocols to counter cybersecurity vulnerabilities in accordance with subparagraph (B)'' before ``with Federal'';
    (B) in paragraph (7)(C), by striking ``sharing'' and inserting ``share''; and
    (C) in paragraph (9), by inserting ``mitigation protocols to counter cybersecurity vulnerabilities,'' after ``measures,'';
  (3) in subsection (e)(1)(G), by striking the semicolon after ``and'' at the end; and
  (4) by adding at the end the following new subsection:
    ``(n) Protocols To Counter Cybersecurity Vulnerabilities.--The Director may, as appropriate, identify, develop, and disseminate actionable protocols to mitigate cybersecurity vulnerabilities, including in circumstances in which such vulnerabilities exist because software or hardware is no longer supported by a vendor.''.

SEC. 3. REPORT ON CYBERSECURITY VULNERABILITIES.

  (a) Report.--Not later than one year after the date of the enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report on how the Agency carries out subsection (m) of section 2209 of the Homeland Security Act of 2002 to coordinate vulnerability disclosures, including disclosures of cybersecurity vulnerabilities (as such term is defined in such section), and subsection (n) of such section (as added by section 2) to disseminate actionable protocols to mitigate cybersecurity vulnerabilities, that includes the following:
    (1) A description of the policies and procedures relating to the coordination of vulnerability disclosures.
    (2) A description of the levels of activity in furtherance of such subsections (m) and (n) of such section 2209.
    (3) Any plans to make further improvements to how information provided pursuant to such subsections can be shared (as such term is defined in such section 2209) between the Department and industry and other stakeholders.
    (4) Any available information on the degree to which such information was acted upon by industry and other stakeholders.
    (5) A description of how privacy and civil liberties are preserved in the collection, retention, use, and sharing of vulnerability disclosures.
  (b) Form.--The report required under subsection (b) shall be submitted in unclassified form but may contain a classified annex.

SEC. 4. COMPETITION RELATING TO CYBERSECURITY VULNERABILITIES.

The Under Secretary for Science and Technology of the Department of Homeland Security, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency of the Department, may establish an incentive-based program that allows industry, individuals, academia, and others to compete in providing remediation solutions for cybersecurity vulnerabilities (as such term is defined in section 2209 of the Homeland Security Act of 2002, as amended by section 2).

The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from Texas (Ms. Jackson Lee) and the gentleman from Tennessee (Mr. Green) each will control 20 minutes.

The Chair recognizes the gentlewoman from Texas.

General Leave

Ms. JACKSON LEE. Mr. Speaker, I ask unanimous consent that all Members may have 5 legislative days to revise and extend their remarks and to include extraneous material on this measure.

The SPEAKER pro tempore. Is there objection to the request of the gentlewoman from Texas?

There was no objection.

Ms. JACKSON LEE. Mr. Speaker, I yield myself such time as I may consume.

Mr. Speaker, I rise today in support of H.R. 3710, the Cybersecurity Vulnerability Remediation Act, and I thank Chairman Bennie Thompson for his work in securing the Nation against terrorist threats, including cybersecurity vulnerabilities that target critical infrastructure, civilian agency networks, and private-sector cyber resources.

I also thank subcommittee Chairman Richmond and the Committee on Homeland Security staff for working with my staff and me on H.R. 3710. I thank the ranking member of the full committee, Mr. Rogers from Alabama, and the ranking member of the subcommittee.

Mr. Speaker, just a few weeks ago, we saw technology in the form of drones be utilized to attack, with explosives, refineries in Saudi Arabia. I think the basis of my legislation speaks to the point that it is crucial that this Congress and this Nation prepare itself for new forms of technology.
We have not had that incident here in the United States, but if we recall, in 9/11, no one could fathom using loaded airplanes, fully filled with the material, fuel, that could be utilized as a weapon to attack the World Trade Center, to kill the brave at the Pentagon and the brave in Pennsylvania.

H.R. 3710 is to speak to those vulnerabilities, in particular, cybersecurity vulnerability remediation, which directs the DHS to prioritize efforts to help network operators address known vulnerabilities. It requires DHS' Cybersecurity and Infrastructure Security Agency to widely share mitigation protocols that counter cybersecurity vulnerabilities, authorizing the DHS Science and Technology Directorate to establish an incentive-based program to allow industry, individuals, agencies, and academia to compete in providing remediation solutions for the highest priority cybersecurity vulnerabilities.

We must be ever vigilant and diligent as we look to these new levels and subsets of technology.

It requires the CISA to report to Congress on its efforts to share mitigation protocols and coordinate vulnerability disclosure with its partners.

H.R. 3710 authorizes, for the first time, the Cybersecurity and Infrastructure Security Agency to develop and distribute playbooks, in consultation with private-sector experts, to provide procedures and mitigation strategies for the most critical known vulnerabilities, especially those affecting software or hardware that is no longer supported by a vendor.

One of the statistics that we really know is that 80 percent--maybe even higher now--to 85 percent of the Nation's vulnerabilities--technology, infrastructure--is in the private sector. Those are the sites that our enemies would look eagerly to attack.

The World Trade Center; in Saudi, the refineries; maybe some of our beautiful national monuments, outstanding sites here in Washington, D.C.; our national parks, these are the examples and the exhibits of the freedom of this Nation. Those are some government, some private sector.

[[Page H8014]]

Many know the terror that New York collectively faced, but there are other sites along the West Coast, in the Midwest, and in the Deep South that would also exhibit what the freedom of America is all about.

The playbooks that we would make available to Federal agencies, industry, and other stakeholders would help them prepare a network defense in the event of a cyberattack based upon vulnerability. I would like to think that we could prevent that attack.

A zero-day vulnerability is a software bug or exploit that has not been patched. Hackers can use these bugs and exploits based upon the vulnerability to steal data or damage networks before a patch can be developed to prevent a breach. There are some vulnerabilities that cannot be patched. These require the resources provided by the playbook that will be provided in my bill.

H.R. 3710 authorizes the DHS Science and Technology Directorate, in consultation with CISA, to establish a competition program for industry, individuals, academia, and others to provide remediation solutions for cybersecurity vulnerabilities that are no longer supported.

The good news is that it seeks to have the consultation of Americans who have expertise and to be able to work with them to provide the remediation but also the playbook for prevention.

The vulnerabilities that will receive an entry in the playbook are serious and, if used by an adversary, can lead to significant costs and disruption of vital goods and services to the public. Just think of your water system, run mostly by local entities, or the electric grid, run mostly by the private sector.

In the 115th Congress, I introduced H.R. 3202, Cyber Vulnerability Disclosure Reporting Act, which addresses the Federal Government's sharing of cyber vulnerability disclosures to critical infrastructure owners and operators. H.R. 3710 goes further to address the remediation of identified cybersecurity threats by incentivizing work to patch or find solutions for cyber threats inherent in legacy systems.

Proactive and coordinated efforts are necessary to strengthen, maintain, and secure critical infrastructure, including assets that are vital to public confidence in the cyber nation's safety.

I hope that we will see our way forward in getting proactive and preventative as we move toward new levels of technology.

Mr. Speaker, I rise today to speak in favor of H.R. 3710, the ``Cybersecurity Vulnerability Remediation Act.''

I thank Chairman Bennie G. Thompson for his work in securing the nation against terrorist threats, including cybersecurity vulnerabilities that target critical infrastructure, civilian agency networks, and private sector cyber resources.

I thank Subcommittee Chairman Richmond and the Homeland Security Committee staff for working with me and my staff on H.R. 3710.

H.R. 3710, the ``Cybersecurity Vulnerability Remediation Act'' directs DHS to prioritize efforts to help network operators address known vulnerabilities by:
  1. Requiring DHS's Cybersecurity and Infrastructure Security Agency (CISA) to widely share mitigation protocols to counter cybersecurity vulnerabilities;
  2. Authorizing the DHS Science and Technology Directorate to establish an incentive-based program to allow industry, individuals, agencies, and academia to compete in providing remediation solutions for the highest priority cybersecurity vulnerabilities; and
  3. Requiring CISA to report to Congress on its efforts to share mitigation protocols and coordinate vulnerability disclosures with its partners.

H.R. 3710 authorizes for the first time the Cybersecurity and Infrastructure Security Agency (CISA) to develop and distribute ``playbooks,'' in consultation with private sector experts, to provide procedures and mitigation strategies for the most critical, known vulnerabilities, especially those affecting software or hardware that is no longer supported by a vendor.

The playbooks would be available to Federal agencies, industry, and other stakeholders to help them prepare network defense in the event of a cyber-attack based upon a vulnerability.

A zero-day vulnerability is a software bug or exploit that has not been patched. Hackers can use these bugs and exploits based upon the vulnerability to steal data or damage networks before a patch can be developed to prevent a breach. There are some vulnerabilities that cannot be patched and these require the resources provided by the Playbook that will be provided by this bill.

H.R. 3710 authorizes DHS Science and Technology Directorate (S&T), in consultation with CISA, to establish a competition program for industry, individuals, academia, and others to provide remediation solutions for cybersecurity vulnerabilities that are no longer supported.

The vulnerabilities that will receive entry into the Playbook are serious and if used by an adversary, can lead to significant cost and disruption of vital goods and services to the public.

In the 115th Congress, I introduced H.R. 3202, Cyber Vulnerability Disclosure Reporting Act, which addresses the federal government's sharing of cyber vulnerability disclosures to critical infrastructure owners and operators. H.R. 3710 goes further to address the remediation of identified cybersecurity threats by incentivizing work to patch or find solutions for cyber threats inherent in legacy systems.

Proactive and coordinated efforts are necessary to strengthen and maintain secure critical infrastructure, including assets that are vital to public confidence in the cyber nation's safety.

This bill supports the ongoing work of the Department of Homeland Security in security civilian agency and coordinating with private sector computing network owners and operators.

Most people do not know how long the federal government has used computing to carry out vital functions in service of the public. The Federal government's first use of computing technology occurred in 1890 when an automated tabulation method was used to organize that year's census data encoded on punch cards.

Since that modest beginning in 1890, the Federal government has blazed a path for adoption of computing technology throughout the federal government, which established an unprecedented pace for innovation in the private sector that transformed our world from analogue to digital in 129 years.

One of the consequences of the federal government's use of computing technology over the last 129 years is the challenges of operating legacy systems that use outdated software, which cannot be quickly upgraded to eliminate known cybersecurity vulnerabilities.

Federal government offices are vulnerable to cyberattacks, with the number of cyber incidents reported by federal agencies increasing more than 1,300 percent between 2006 and 2015. In 2015, a hacker exploited access provided by a government agency contractor to break into government databases to gain access to 22 million security clearance files from the Office of Personnel Management.

In 2017, Federal agencies reported more than 35,000 cyber incidents, some of which targeted old operating systems that were no longer supported by a vendor. According to the National Security Agency, it has not responded to a zero-day attack on government systems in the last four years, largely because hackers have found better success through basic attack methods.

H.R. 3710 will provide much needed structure around a federal government wide effort to address cybersecurity vulnerabilities in federal civilian agency networks.
I ask my colleagues to join me in voting for H.R. 3710.

Mr. Speaker, I reserve the balance of my time.

{time} 1345

Mr. GREEN of Tennessee. Mr. Speaker, I yield myself such time as I may consume.

I rise today in support of H.R. 3710, the Cybersecurity Vulnerability Remediation Act. This bill enables CISA to develop important mitigation protocols for vulnerabilities existing in outdated software and hardware through collaboration with public- and private-sector entities.

This important legislation, introduced by Ms. Jackson Lee of Texas, helps ensure that we maintain security in our networks. I support this legislation, and I urge my colleagues to join me in doing so.

Mr. Speaker, I reserve the balance of my time.

Ms. JACKSON LEE. Mr. Speaker, I yield myself such time as I may consume.

Mr. Speaker, let me further explain what this bill does. This bill supports the ongoing work of the Department of Homeland Security and security civilian agency and coordinating with private-sector computing network owners and operators.

Most people do not know how long the Federal Government has used computing to carry out vital functions in service of the public. The Federal Government's first use of computing technology occurred as long ago as 1890,

[[Page H8015]]

when an automated tabulation method was used to organize that year's Census data encoded on punch cards. Let me remind our colleagues that we are about to venture on to Census now. Imagine a cyberattack on that process.

Since a modest beginning in 1890, the Federal Government has blazed a path for adoption of computing technology throughout the Federal Government, which established an unprecedented pace for innovation in the private sector that transformed our world from analog to digital in 129 years.

One of the consequences of the Federal Government's use of computing technology over the last 129 years is the challenges of operating legacy systems that use outdated software, which cannot be quickly upgraded to eliminate known cybersecurity vulnerabilities.

Federal Government offices are vulnerable to cyberattacks, with the number of cyber incidents reported by Federal agencies increasing more than 1,300 percent between 2006 and 2015. In 2015, a hacker exploited access by a government agency contractor to break into the government databases to gain access to 22 million security clearance files from the Office of Personnel Management.

In 2017, Federal agencies reported more than 35,000 cyber incidents, some of which targeted old operating systems that were no longer supported by a vendor. According to the National Security Agency, it has not responded to a zero-day attack on government systems in the last 4 years because hackers have found better success through basic attack methods.

I would hope my colleagues would consider recognizing that we must be in front of these potential attacks and not behind them.

Mr. Speaker, I reserve the balance of my time.

Mr. GREEN of Tennessee. Mr. Speaker, I urge adoption of the bill, and I yield back the balance of my time.

Ms. JACKSON LEE. Mr. Speaker, I want to thank the minority for its support of this legislation and ask my colleagues to support it.

As I do so, Mr. Speaker, I include in the Record an article, ``DHS Flags Cybersecurity Vulnerabilities in Philips Patient Monitors: The Department of Homeland Security has issued an advisory about cybersecurity vulnerabilities in the wireless local area network modules of Philips IntelliVue portable patient monitors.''

[Sept. 13, 2019]

DHS Flags Cybersecurity Vulnerabilities in Philips Patient Monitors

The Department of Homeland Security has Issued an Advisory About Cybersecurity Vulnerabilities in the Wireless Local Area Network Modules of Philips IntelliVue Portable Patient Monitors

(By Fred Donovan)

The Department of Homeland Security has issued (https://www.us-cert.gov/ics/advisories/icsma-19-255-01) an advisory about cybersecurity vulnerabilities in the wireless local area network (WLAN) modules of certain Philips IntelliVue portable patient monitors.

DHS's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned that an attacker could corrupt the IntelliVue WLAN firmware and alter the data flow over to the patient monitor, causing an inoperative condition alert at the device and central station.

The vulnerable patient monitors are IntelliVue MP monitors MP20-MP90, MP5/5SC, MP2/X2, and MX800/700/600.

The vulnerabilities include use of hard-coded password and download of code without integrity check. The use of a hard-coded password makes it easier for an attacker to guess the password and login via FTP and upload malicious firmware. In addition, the ``product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code,'' warned the advisory.

Shawn Loveric of Finite State reported the vulnerabilities to Philips.

In a product security advisory (https://www.usa.philips.com/healthcare/about/customer-support/product-security), Philips recommended that users of the affected IntelliVue patient monitors update to the WLAN Module Version C wireless module with current firmware. Philips said it will also issue a software patch for WLAN Version A that will be available by the end of 2019, while WLAN Version B is obsolete.

``Wireless network access should be controlled by authentication and authorization (e.g. WPA2), which are supported by Philips. Additional mitigations include implementing a firewall rule on the customer wireless network, and further controls on physical access to the system,'' Philips advised.

Philips said it had received no reports of patient harm. Its analysis judged that it is unlikely that the cybersecurity vulnerability would impact clinical use, due to mitigating controls in place. To date, Philips has received no complaints involving clinical use that it has been able to associate with the vulnerability or evidence of patient identifiers compromised.

DHS's Cybersecurity and Infrastructure Security Agency recommended users of the vulnerable Philips devices take defensive measures to minimize the risk of exploitation of these vulnerabilities. Users should restrict system access to authorized personnel and follow a least privilege approach, apply defense-in-depth strategies, and disable unnecessary accounts and services.

Ms. JACKSON LEE. With that in mind, this is a real-life example of what can happen if we are not first in front.

Mr. Speaker, I hope that my colleagues will join me in voting for H.R. 3710, and I yield back the balance of my time.

The SPEAKER pro tempore. The question is on the motion offered by the gentlewoman from Texas (Ms. Jackson Lee) that the House suspend the rules and pass the bill, H.R. 3710.

The question was taken; and (two-thirds being in the affirmative) the rules were suspended and the bill was passed.

A motion to reconsider was laid on the table.