[Congressional Record Volume 165, Number 156 (Thursday, September 26, 2019)]
[House]
[Pages H8013-H8015]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
CYBERSECURITY VULNERABILITY REMEDIATION ACT
Ms. JACKSON LEE. Mr. Speaker, I move to suspend the rules and pass
the bill (H.R. 3710) to amend the Homeland Security Act of 2002 to
provide for the remediation of cybersecurity vulnerabilities, and for
other purposes.
The Clerk read the title of the bill.
The text of the bill is as follows:
H.R. 3710
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Cybersecurity Vulnerability
Remediation Act''.
SEC. 2. CYBERSECURITY VULNERABILITIES.
Section 2209 of the Homeland Security Act of 2002 (6 U.S.C.
659) is amended--
(1) in subsection (a)--
(A) in paragraph (5), by striking ``and'' after the
semicolon at the end;
(B) by redesignating paragraph (6) as paragraph (7); and
(C) by inserting after paragraph (5) the following new
paragraph:
``(6) the term `cybersecurity vulnerability' has the
meaning given the term `security vulnerability' in section
102 of the Cybersecurity Information Sharing Act of 2015 (6
U.S.C. 1501); and''.
(2) in subsection (c)--
(A) in paragraph (5)--
(i) in subparagraph (A), by striking ``and'' after the
semicolon at the end;
(ii) by redesignating subparagraph (B) as subparagraph (C);
(iii) by inserting after subparagraph (A) the following new
subparagraph:
``(B) sharing mitigation protocols to counter cybersecurity
vulnerabilities pursuant to subsection (n); and''; and
(iv) in subparagraph (C), as so redesignated, by inserting
``and mitigation protocols to counter cybersecurity
vulnerabilities in accordance with subparagraph (B)'' before
``with Federal'';
(B) in paragraph (7)(C), by striking ``sharing'' and
inserting ``share''; and
(C) in paragraph (9), by inserting ``mitigation protocols
to counter cybersecurity vulnerabilities,'' after
``measures,'';
(3) in subsection (e)(1)(G), by striking the semicolon
after ``and'' at the end; and
(4) by adding at the end the following new subsection:
``(n) Protocols To Counter Cybersecurity Vulnerabilities.--
The Director may, as appropriate, identify, develop, and
disseminate actionable protocols to mitigate cybersecurity
vulnerabilities, including in circumstances in which such
vulnerabilities exist because software or hardware is no
longer supported by a vendor.''.
SEC. 3. REPORT ON CYBERSECURITY VULNERABILITIES.
(a) Report.--Not later than one year after the date of the
enactment of this Act, the Director of the Cybersecurity and
Infrastructure Security Agency of the Department of Homeland
Security shall submit to the Committee on Homeland Security
of the House of Representatives and the Committee on Homeland
Security and Governmental Affairs of the Senate a report on
how the Agency carries out subsection (m) of section 2209 of
the Homeland Security Act of 2002 to coordinate vulnerability
disclosures, including disclosures of cybersecurity
vulnerabilities (as such term is defined in such section),
and subsection (n) of such section (as added by section 2) to
disseminate actionable protocols to mitigate cybersecurity
vulnerabilities, that includes the following:
(1) A description of the policies and procedures relating
to the coordination of vulnerability disclosures.
(2) A description of the levels of activity in furtherance
of such subsections (m) and (n) of such section 2209.
(3) Any plans to make further improvements to how
information provided pursuant to such subsections can be
shared (as such term is defined in such section 2209) between
the Department and industry and other stakeholders.
(4) Any available information on the degree to which such
information was acted upon by industry and other
stakeholders.
(5) A description of how privacy and civil liberties are
preserved in the collection, retention, use, and sharing of
vulnerability disclosures.
(b) Form.--The report required under subsection (b) shall
be submitted in unclassified form but may contain a
classified annex.
SEC. 4. COMPETITION RELATING TO CYBERSECURITY
VULNERABILITIES.
The Under Secretary for Science and Technology of the
Department of Homeland Security, in consultation with the
Director of the Cybersecurity and Infrastructure Security
Agency of the Department, may establish an incentive-based
program that allows industry, individuals, academia, and
others to compete in providing remediation solutions for
cybersecurity vulnerabilities (as such term is defined in
section 2209 of the Homeland Security Act of 2002, as amended
by section 2).
The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from
Texas (Ms. Jackson Lee) and the gentleman from Tennessee (Mr. Green)
each will control 20 minutes.
The Chair recognizes the gentlewoman from Texas.
General Leave
Ms. JACKSON LEE. Mr. Speaker, I ask unanimous consent that all
Members may have 5 legislative days to revise and extend their remarks
and to include extraneous material on this measure.
The SPEAKER pro tempore. Is there objection to the request of the
gentlewoman from Texas?
There was no objection.
Ms. JACKSON LEE. Mr. Speaker, I yield myself such time as I may
consume.
Mr. Speaker, I rise today in support of H.R. 3710, the Cybersecurity
Vulnerability Remediation Act, and I thank Chairman Bennie Thompson for
his work in securing the Nation against terrorist threats, including
cybersecurity vulnerabilities that target critical infrastructure,
civilian agency networks, and private-sector cyber resources.
I also thank subcommittee Chairman Richmond and the Committee on
Homeland Security staff for working with my staff and me on H.R. 3710.
I thank the ranking member of the full committee, Mr. Rogers from
Alabama, and the ranking member of the subcommittee.
Mr. Speaker, just a few weeks ago, we saw technology in the form of
drones be utilized to attack, with explosives, refineries in Saudi
Arabia. I think the basis of my legislation speaks to the point that it
is crucial that this Congress and this Nation prepare itself for new
forms of technology.
We have not had that incident here in the United States, but if we
recall, in 9/11, no one could fathom using loaded airplanes, fully
filled with the material, fuel, that could be utilized as a weapon to
attack the World Trade Center, to kill the brave at the Pentagon and
the brave in Pennsylvania.
H.R. 3710 is to speak to those vulnerabilities, in particular,
cybersecurity vulnerability remediation, which directs the DHS to
prioritize efforts to help network operators address known
vulnerabilities.
It requires DHS' Cybersecurity and Infrastructure Security Agency to
widely share mitigation protocols that counter cybersecurity
vulnerabilities, authorizing the DHS Science and Technology Directorate
to establish an incentive-based program to allow industry, individuals,
agencies, and academia to compete in providing remediation solutions
for the highest priority cybersecurity vulnerabilities.
We must be ever vigilant and diligent as we look to these new levels
and subsets of technology. It requires the CISA to report to Congress
on its efforts to share mitigation protocols and coordinate
vulnerability disclosure with its partners.
H.R. 3710 authorizes, for the first time, the Cybersecurity and
Infrastructure Security Agency to develop and distribute playbooks, in
consultation with private-sector experts, to provide procedures and
mitigation strategies for the most critical known vulnerabilities,
especially those affecting software or hardware that is no longer
supported by a vendor.
One of the statistics that we really know is that 80 percent--maybe
even higher now--to 85 percent of the Nation's vulnerabilities--
technology, infrastructure--is in the private sector. Those are the
sites that our enemies would look eagerly to attack. The World Trade
Center; in Saudi, the refineries; maybe some of our beautiful national
monuments, outstanding sites here in Washington, D.C.; our national
parks, these are the examples and the exhibits of the freedom of this
Nation. Those are some government, some private sector.
[[Page H8014]]
Many know the terror that New York collectively faced, but there are
other sites along the West Coast, in the Midwest, and in the Deep South
that would also exhibit what the freedom of America is all about.
The playbooks that we would make available to Federal agencies,
industry, and other stakeholders would help them prepare a network
defense in the event of a cyberattack based upon vulnerability. I would
like to think that we could prevent that attack.
A zero-day vulnerability is a software bug or exploit that has not
been patched. Hackers can use these bugs and exploits based upon the
vulnerability to steal data or damage networks before a patch can be
developed to prevent a breach.
There are some vulnerabilities that cannot be patched. These require
the resources provided by the playbook that will be provided in my
bill.
H.R. 3710 authorizes the DHS Science and Technology Directorate, in
consultation with CISA, to establish a competition program for
industry, individuals, academia, and others to provide remediation
solutions for cybersecurity vulnerabilities that are no longer
supported.
The good news is that it seeks to have the consultation of Americans
who have expertise and to be able to work with them to provide the
remediation but also the playbook for prevention.
The vulnerabilities that will receive an entry in the playbook are
serious and, if used by an adversary, can lead to significant costs and
disruption of vital goods and services to the public. Just think of
your water system, run mostly by local entities, or the electric grid,
run mostly by the private sector.
In the 115th Congress, I introduced H.R. 3202, Cyber Vulnerability
Disclosure Reporting Act, which addresses the Federal Government's
sharing of cyber vulnerability disclosures to critical infrastructure
owners and operators. H.R. 3710 goes further to address the remediation
of identified cybersecurity threats by incentivizing work to patch or
find solutions for cyber threats inherent in legacy systems.
Proactive and coordinated efforts are necessary to strengthen,
maintain, and secure critical infrastructure, including assets that are
vital to public confidence in the cyber nation's safety.
I hope that we will see our way forward in getting proactive and
preventative as we move toward new levels of technology.
Mr. Speaker I rise today to speak in favor of H.R. 3710, the
``Cybersecurity Vulnerability Remediation Act.''
I thank Chairman Bennie G. Thompson for his work in securing the
nation against terrorist threats, including cybersecurity
vulnerabilities that target critical infrastructure, civilian agency
networks, and private sector cyber resources.
I thank Subcommittee Chairman Richmond and the Homeland Security
Committee staff for working with me and my staff on H.R. 3710.
H.R. 3710, the ``Cybersecurity Vulnerability Remediation Act''
directs DHS to prioritize efforts to help network operators address
known vulnerabilities by:
1. Requiring DHS's Cybersecurity and Infrastructure Security Agency
(CISA) to widely share mitigation protocols to counter cybersecurity
vulnerabilities;
2. Authorizing the DHS Science and Technology Directorate to
establish an incentive-based program to allow industry, individuals,
agencies, and academia to compete in providing remediation solutions
for the highest priority cybersecurity vulnerabilities; and
3. Requiring CISA to report to Congress on its efforts to share
mitigation protocols and coordinate vulnerability disclosures with its
partners.
H.R. 3710, authorizes for the first time the Cybersecurity and
Infrastructure Agency (CISA) to develop and distribute ``playbooks,''
in consultation with private sector experts, to provide procedures and
mitigation strategies for the most critical, known vulnerabilities,
especially those affecting software or hardware that is no longer
supported by a vendor.
The playbooks would be available to Federal agencies, industry, and
other stakeholders to help them prepare network defense in the event of
a cyber-attack based upon a vulnerability.
A zero-day vulnerability is a software bug or exploit that has not
been patched.
Hackers can use these bugs and exploits based upon the vulnerability
to steal data or damage networks before a patch can be developed to
prevent a breach.
There are some vulnerabilities that cannot be patched and these
require the resources provided by the Playbook that will be provided by
this bill.
H.R. 3710 authorizes DHS Science and Technology Directorate (S&T), in
consultation with CISA, to establish a competition program for
industry, individuals, academia, and others to provide remediation
solutions for cybersecurity vulnerabilities that are no longer
supported.
The vulnerabilities that will receive entry into the Playbook are
serious and if used by an advisory, can lead to significant cost and
disruption of vital goods and services to the public.
In the 115th Congress, I introduced H.R. 3202, Cyber Vulnerability
Disclosure Reporting Act, which addresses the federal government's
sharing of cyber vulnerability disclosures to critical infrastructure
owners and operators.
H.R. 3710 goes further to address the remediation of identified
cybersecurity threats by incentivizing work to patch or find solutions
for cyber threats inherent in legacy systems.
Proactive and coordinated efforts are necessary to strengthen and
maintain secure critical infrastructure, including assets that are
vital to public confidence in the cyber nation's safety.
This bill supports the ongoing work of the Department of Homeland
Security in security civilian agency and coordinating with private
sector computing network owners and operators.
Most people do not know how long the federal government has used
computing to carry out vital functions in service of the public.
The Federal government's first use of computing technology occurred
in 1890 when an automated tabulation method was used to organize that
year's census data encoded on punch cards.
Since that modest beginning in 1890, the Federal government has
blazed a path for adoption of computing technology throughout the
federal government, which established an unprecedented pace for
innovation in the private sector that transformed our world from
analogue to digital in 129 years.
One of the consequences of federal government's use of computing
technology over the last 129 years are the challenges of operating
legacy systems that use outdated software, which cannot be quickly
upgraded to eliminate known cybersecurity vulnerabilities.
Federal government offices are vulnerable to cyberattacks, with the
number of cyber incidents reported by federal agencies increasing more
than 1,300 percent between 2006 and 2015.
In 2015, a hacker exploited access provided by a government agency
contractor to break into government databases to gain access to 22
million security clearance files from the Office of Personnel
Management.
In 2017, Federal agencies reported more than 35,000 cyber incidents,
some of which targeted old operating systems that were no longer
supported by a vendor.
According to the National Security Agency, it has not responded to a
zero-day attack on government systems in the last four years, largely
because hackers have found better success through basic attack methods.
H.R. 3710 will provide much needed structure around a federal
government wide effort to address cybersecurity vulnerabilities in
federal civilian agency networks.
I ask my colleagues to join me in voting for H.R. 3710.
Mr. Speaker, I reserve the balance of my time.
{time} 1345
Mr. GREEN of Tennessee. Mr. Speaker, I yield myself such time as I
may consume.
I rise today in support of H.R. 3710, the Cybersecurity Vulnerability
Remediation Act. This bill enables CISA to develop important mitigation
protocols for vulnerabilities existing in outdated software and
hardware through collaboration with public- and private-sector
entities.
This important legislation, introduced by Ms. Jackson Lee of Texas,
helps ensure that we maintain security in our networks.
I support this legislation, and I urge my colleagues to join me in
doing so.
Mr. Speaker, I reserve the balance of my time.
Ms. JACKSON LEE. Mr. Speaker, I yield myself such time as I may
consume.
Mr. Speaker, let me further explain what this bill does.
This bill supports the ongoing work of the Department of Homeland
Security and security civilian agency and coordinating with private-
sector computing network owners and operators.
Most people do not know how long the Federal Government has used
computing to carry out vital functions in service of the public. The
Federal Government's first use of computing technology occurred as long
ago as 1890,
[[Page H8015]]
when an automated tabulation method was used to organize that year's
Census data encoded on punch cards.
Let me remind our colleagues that we are about to venture on to
Census now. Imagine a cyberattack on that process.
Since a modest beginning in 1890, the Federal Government has blazed a
path for adoption of computing technology throughout the Federal
Government, which established an unprecedented pace for innovation in
the private sector that transformed our world from analog to digital in
129 years.
One of the consequences of the Federal Government's use of computing
technology over the last 129 years is the challenges of operating
legacy systems that use outdated software, which cannot be quickly
upgraded to eliminate known cybersecurity vulnerabilities.
Federal Government offices are vulnerable to cyberattacks, with the
number of cyber incidents reported by Federal agencies increasing more
than 1,300 percent between 2006 and 2015.
In 2015, a hacker exploited access by a government agency contractor
to break into the government databases to gain access to 22 million
security clearance files from the Office of Personnel Management.
In 2017, Federal agencies reported more than 35,000 cyber incidents,
some of which targeted old operating systems that were no longer
supported by a vendor.
According to the National Security Agency, it has not responded to a
zero-day attack on government systems in the last 4 years because
hackers have found better success through basic attack methods.
I would hope my colleagues would consider recognizing that we must be
in front of these potential attacks and not behind them.
Mr. Speaker, I reserve the balance of my time.
Mr. GREEN of Tennessee. Mr. Speaker, I urge adoption to the bill, and
I yield back the balance of my time.
Ms. JACKSON LEE. Mr. Speaker, I want to thank the minority for its
support of this legislation and ask my colleagues to support it.
As I do so, Mr. Speaker, I include in the Record an article, ``DHS
Flags Cybersecurity Vulnerabilities in Philips Patient Monitors: The
Department of Homeland Security has issued an advisory about
cybersecurity vulnerabilities in the wireless local area network
modules of Philips IntelliVue portable patient monitors.''
[Sept. 13, 2019]
DHS Flags Cybersecurity Vulnerabilities in Philips Patient Monitors
The Department of Homeland Security has Issued an Advisory About
Cybersecurity Vulnerabilities in the Wireless Local Area Network
Modules of Philips IntelliVue Portable Patient Monitors
(By Fred Donovan)
The Department of Homeland Security has issued (https://
www.us-cert.gov/ics/advisories/icsma-19-255-01) an advisory
about cybersecurity vulnerabilities in the wireless local
area network (WLAN) modules of certain Philips IntelliVue
portable patient monitors.
DHS's Industrial Control Systems Cyber Emergency Response
Team (ICS-CERT) warned that an attacker could corrupt the
IntelliVue WLAN firmware and alter the data flow over to the
patient monitor, causing an inoperative condition alert at
the device and central station.
The vulnerable patient monitors are IntelliVue MP monitors
MP20-MP90, MP5/5SC, MP2/X2, and MX800/700/600.
The vulnerabilities include use of hard-coded password and
download of code without integrity check.
The use of a hard-coded password makes it easier for an
attacker to guess the password and login via FTP and upload
malicious firmware. In addition, the ``product downloads
source code or an executable from a remote location and
executes the code without sufficiently verifying the origin
and integrity of the code,'' warned the advisory.
Shawn Loveric of Finite State reported the vulnerabilities
to Philips.
In a product security advisory (https://
www.usa.philips.com/healthcare/about/customer-support/
product-security), Philips recommended that users of the
affected IntelliVue patient monitors update to the WLAN
Module Version C wireless module with current firmware.
Philips said it will also issue a software patch for WLAN
Version A that will be available by the end of 2019, while
WLAN Version B is obsolete.
``Wireless network access should be controlled by
authentication and authorization (e.g. WPA2), which are
supported by Philips. Additional mitigations include
implementing a firewall rule on the customer wireless
network, and further controls on physical access to the
system,'' Philips advised.
Philips said it had received no reports of patient harm.
Its analysis judged that it is unlikely that the
cybersecurity vulnerability would impact clinical use, due to
mitigating controls in place. To date, Philips has received
no complaints involving clinical use that it has been able to
associate with the vulnerability or evidence of patient
identifiers compromised.
DHS's Cybersecurity and Infrastructure Security Agency
recommended users of the vulnerable Philips devices take
defensive measures to minimize the risk of exploitation of
these vulnerabilities. Users should restrict system access to
authorized personnel and follow a least privilege approach,
apply defense-in-depth strategies, and disable unnecessary
accounts and services.
Ms. JACKSON LEE. With that in mind, this is a real-life example of
what can happen if we are not first in front.
Mr. Speaker, I hope that my colleagues will join me in voting for
H.R. 3710, and I yield back the balance of my time.
The SPEAKER pro tempore. The question is on the motion offered by the
gentlewoman from Texas (Ms. Jackson Lee) that the House suspend the
rules and pass the bill, H.R. 3710.
The question was taken; and (two-thirds being in the affirmative) the
rules were suspended and the bill was passed.
A motion to reconsider was laid on the table.
____________________