Last month Sen Cortez-Masto introduced S 161,
the Strengthening and Enhancing Cybersecurity Usage to Reach Every (SECURE) Small
Business Act. The bill would require the Small Business Administration (SBA) to
“establish a program to assist small business concerns with purchasing
cybersecurity products and services” {§3(a)}.

Definitions

Section 2 of the bill provides definitions of the following
key terms:

• Administrator,
• Covered Industry Sector,
• Covered Vendor,
• Cybersecurity,
• Cybersecurity Threat, and
• Small Business Concern

The term ‘Cybersecurity Threat’ is defined as “the
possibility of a malicious attempt to infiltrate, damage, disrupt, or destroy
computer networks or systems” {§2(5)}.

The term ‘Covered Sector’ includes 10 of the 16 Critical Infrastructure
Sectors
defined under Presidential Policy Directive #21. It does not
include the Chemical or Energy Sectors.

The definition of ‘Covered Vendor’ specifically includes “cybersecurity
risk insurance” {§2(3)}.

Cooperative Market Place

A key portion of the program required under this bill would
be the establishment of the “Cooperative Marketplace For Purchasing
Cybersecurity Products And Services” {§3(c)}.
The Cooperative Marketplace would facilitate the “creation of mutual agreements
under which small business concerns cooperatively purchase cybersecurity products
and services from covered vendor” {§3(c)(1)(B)}.
The Cooperative Marketplace would be free to use for small businesses and covered vendors.

GAO Study

The bill would also require the Government Accountability
Office to conduct a study on existing Federal cybersecurity initiatives that “train
small business concerns how to avoid cybersecurity threats” {§4(a)(1)}.
The GAO would be required to provide a report to Congress within one year of
the enactment of the bill.

Moving Forward

Cortez-Masto is not a member of the Senate Small Business
and Entrepreneurship Committee to which this bill was assigned for
consideration. Both of her cosponsors {Sen Risch (R,ID) and Sen Rosen (D,NV)},
however, are members. This means that there should be adequate influence
available to have this bill considered in Committee. I see nothing in the language
of this bill that would engender any significant opposition.

The bill should receive bipartisan support if it is
considered by the Committee. If this bill makes it to the floor of the Senate,
it will most likely be considered under the Senate’s unanimous consent process;
the bill is not important enough to be considered under the normal debate/amend
process.

Commentary

First off, the failure to include the Chemical and Energy
sectors in the definition of the ‘Covered Sector’ bothers me. Both sectors have
numerous small business concerns that form important pieces of the supply chains of
larger companies. The cybersecurity of those small businesses deserves the same
coverage as the listed sectors in the bill. I would suggest changing the definition
in §2(2) to read:

(2) COVERED INDUSTRY SECTORS.—The term “covered industry sectors” means those critical
infrastructure sectors defined in Presidential Policy Directive 21 (PPD-21):
Critical Infrastructure Security and Resilience or successor documents,

The definition of ‘Cybersecurity Threat’ is weak and looks
to exclude the threat to industrial control systems and Internet-of-Things
systems that are forming an increasingly threatened portion of the cyber
landscape. A better choice would have been to use the definition from 6 USC
1501 since that definition is based on the ICS inclusive definition of ‘Information
System’ in the same section. Thus, I would change §2(5) to read:

(5) CYBERSECURITY THREAT.—The term “cybersecurity threat” as that term is defined in 6 USC 1501,

By admin