Thursday, October 8, 2015

Bills Introduced – 10-07-15

Yesterday, with both the House and Senate in session, there were 34 bills introduced. Of those, two may be of specific interest to readers of this blog:

S 2156 A bill to amend title 18, United States Code, to provide a criminal penalty for launching drones that interfere with fighting fires affecting Federal property or responding to disasters affecting interstate or foreign commerce, and for other purposes. Sen. Shaheen, Jeanne [D-NH]

S 2157 A bill to amend title 18, United States Code, to provide a criminal penalty for operating drones in certain locations, and for other purposes. Sen. Boxer, Barbara [D-CA]

These bills dealing with drones will only be of interest here in this blog if they have some effect on drone operation over or around critical infrastructure.

Senate Adopts HR 1735 Conference Report

Yesterday, as expected, the Senate accepted the Conference Report on HR 1735, the 2016 National Defense Authorization Act, by a vote of 70-23. The bill now goes to the President for signature. While a veto had been threatened, the vote to pass in both houses of Congress was certainly large enough to override a veto. It will be interesting to see if Obama makes a principled stand on this budgeting issue or if he just acquiesces and saves that fight for another day.

HR 623 Passed as Amended in Senate

Yesterday the Senate passed HR 623, Social Media Working Group Act of 2015, accepting the amended version reported by the Senate Homeland Security and Governmental Affairs Committee. As expected it was passed near the close of yesterday’s session under the Senate unanimous consent process with no debate and no vote.

The House will now have the choice of accepting the version that the Senate passed or to request a Conference Committee to work out the details. I suspect that the House will accede to the Senate version.

Wednesday, October 7, 2015

CFATS Fact Sheet – October 2015

I have been kind of surprised that the DHS Infrastructure Security Compliance Division (ISCD) has not yet published their CFATS Fact Sheet for October. I had a little time on my hands earlier today, so I went searching and I found it. I’m not sure if ISCD had intended to release this yet, so take all of the comments that follow with a grain of salt.

The table below compares the data from the October Fact Sheet with the September Fact Sheet that I discussed last month.

                         Sept 2015   Oct 2015
Covered Facilities
Authorized SSP
Approved SSP
Compliance Inspection


The month-to-month trends for the two SSP categories look good; they continue to show improvement. And ISCD has finally started to list the number of compliance inspections that it has completed. As expected we have a long way to go to get all of the compliance inspections done, but at least we can now see how much progress is being made.

It is interesting to see that the number of covered facilities continues to drop. Unfortunately, that is still a data point that can be interpreted in a number of different ways because of the lack of substance in the information provided. It could be a good thing if facilities are finding substitute chemicals that do not present the same terrorist target risk as the DHS chemicals of interest (COI) that are being replaced. Or it could be a sign of impending doom as more and more chemical facilities go out of business due to the cost of implementing CFATS site security plans. Or it could be a sign of increasing risk as facility managers find creative ways to reduce on-site inventory of COI by keeping them in transit for longer periods of time (stored at freight warehouses or train yards).

The neatest statistical anomaly is that the October Fact Sheet now reports that there are more authorized site security plans than there are covered facilities. Actually, this may be the reason that the Fact Sheet has not been publicly released yet; at the last minute someone realized that that anomaly would make the Department look a little silly.

What I suspect happened is that someone is keeping three (now four) separate spreadsheets to keep track of these statistics. When a facility is removed from CFATS coverage, its name is taken off of the spreadsheet of covered facilities. Apparently, however, that same facility is not being taken off of the other three lists of authorized, approved and inspected facilities.

In one way that makes sense since the Department already did the work on authorizing the facility site security plan so they should get credit for that work. On the other hand, if this is the reason for the data anomaly then we cannot really tell from the data in the Fact Sheet how many facilities have yet to have their SSP authorized.

Another potential explanation is that a facility could have completed the SSP submission process and had the SSP authorized and then had to submit a new Top Screen that required a substantial rework of the SSP which got counted as a new authorization when it reached that stage of the process. If that is the case it is an even more confusing data point.

This is one of the problems that one runs into when numbers are reported without explanation. ISCD started this voluntary data reporting out of self-defense a couple of years back. And they took the easy way out by simply publishing numbers without explanations, probably because they really did not have a spare person to keep up with this type of reporting. ISCD has been having the same type of hiring and retention problem that we have been seeing across the entire Department. And their personnel authorization has never really been that high considering the number of facilities covered and the detail of inspection that ISCD has been attempting to accomplish.

It will be interesting to see if this version of the October Fact Sheet ever gets officially published.

HR 1735 Conference Report

Last week the Conference Committee charged with resolving the differences between the House and Senate on HR 1735, the National Defense Authorization (NDA) Act for Fiscal Year 2016, completed their work on the bill and published their Conference Report. Most of the cybersecurity related provisions of the bill in both the House and Senate versions remain in the bill.

Included Provisions of Interest

The list below includes all of the major cybersecurity provisions. Most of these are strictly military related and will have little or no specific impact on control system security issues in the private sector. I have briefly discussed most of these in earlier posts (here and here).

Sec. 885. Amendments concerning detection and avoidance of counterfeit electronic parts.
Sec. 888. Standards for procurement of secure information technology and cyber security systems.
Sec. 1603. Council on Oversight of the Department of Defense Positioning, Navigation, and Timing Enterprise.
Sec. 1641. Codification and addition of liability protections relating to reporting on cyber incidents or penetrations of networks and information systems of certain contractors.
Sec. 1642. Authorization of military cyber operations.
Sec. 1643. Limitation on availability of funds pending the submission of integrated policy to deter adversaries in cyberspace.
Sec. 1645. Designation of military department entity responsible for acquisition of critical cyber capabilities.
Sec. 1646. Assessment of capabilities of United States Cyber Command to defend the United States from cyber attacks.
Sec. 1647. Evaluation of cyber vulnerabilities of major weapon systems of the Department of Defense.
Sec. 1648. Comprehensive plan and biennial exercises on responding to cyber attacks.
Sec. 1649. Sense of Congress on reviewing and considering findings and recommendations of Council of Governors on cyber capabilities of the Armed Forces.

There are three other provisions that may be of specific interest to readers of this blog:

Sec. 1065. Report on the status of detection, identification, and disablement capabilities related to remotely piloted aircraft.
Sec. 1089. Reestablishment of Commission to Assess the Threat to the United States from Electromagnetic Pulse Attack.
Sec. 1603. Council on Oversight of the Department of Defense Positioning, Navigation, and Timing Enterprise.

Provisions Removed

There were a large number of provisions from either the House or Senate versions of the bill that did not make it into the final version of the bill approved by the Conference Committee. Those that may be of specific interest to readers of this blog include:

• Availability of cyber security and IT certifications for Department of Defense personnel critical to network defense;
• Priority processing of applications for Transportation Worker Identification Credentials for members undergoing discharge or release from the Armed Forces;
• Sense of Congress regarding cyber resiliency of National Guard networks and communications systems; and
• Comprehensive plan of Department of Defense to support civil authorities in response to cyber attacks by foreign powers.

The first three of these provisions were originally found in the House version of the bill; the final one was in the Senate version. For the second and third provisions in the above list the Conferees generally agreed with the purpose of the provision, but decided that it did not really belong in the NDA. For the TWIC provision they urged DOD and DHS “to consult to eliminate processing delays and waive fees for transitioning servicemembers and for honorably discharged veterans” (pg 672). For the cyber resiliency provision the report encourages “the National Guard to constantly explore ways to improve and expand its communications and networking capabilities to provide for enhanced performance and resilience in the face of cyber attacks or disruptions, as well as other instances of degradation” (pg 764).

For the provision addressing cyber certifications for DOD cyber personnel, the conferees suggested that there are probably few if any private sector certifications that are directly applicable to missions performed by DOD cyber personnel. Because of a lack of certainty about that assumption, however, the report encourages “the Secretary of Defense to examine the needs of the Department and determine the extent and role industry cyber security and IT certifications should play in workforce management” (pg 670).

For the final provision listed above the conferees noted that §1648, which was included in the reported version of the bill, already provides that “a comprehensive plan on Department of Defense support to civil authorities is required as part of a provision requiring the Secretary of Defense to conduct national-level cyber exercises” (pg 838), so that this provision was redundant.

Moving Forward

Last Thursday the House accepted the Conference report by a nearly party-line vote of 270-156. The President has threatened to veto the bill over a disagreement in how the bill gets around the current funding caps. The Senate did, however, vote to close debate on the bill yesterday by a vote of 73-26. That would tend to indicate that there were sufficient votes in both the House and Senate to override a presidential veto. The final vote in the Senate is due today.

Bills Introduced – 10-05-15

On Monday, with only the Senate actually in session, there were twelve bills introduced. Only four of those may be of specific interest to readers of this blog:

S 2129 A bill making appropriations for Agriculture, Rural Development, Food and Drug Administration, Energy and Water Development, and Departments of Transportation, and Housing and Urban Development, and related programs for the fiscal year ending September 30, 2016, and for other purposes. Sen. Cochran, Thad [R-MS]

S 2130 A bill making appropriations for Department of Defense, energy and water development, Department of Homeland Security, military construction, Department of Veterans Affairs, and Department of State, foreign operations, and related programs for the fiscal year ending September 30, 2016, and for other purposes. Sen. Cochran, Thad [R-MS]

S 2131 A bill making appropriations for Departments of Commerce and Justice, and Science, and Related Agencies and Department of Homeland Security for the fiscal year ending September 30, 2016, and for other purposes. Sen. Cochran, Thad [R-MS]

S 2132 A bill making appropriations for financial services and general government, Department of the Interior, environment, and Departments of Labor, Health and Human Services, and Education, and related programs for the fiscal year ending September 30, 2016, and for other purposes. Sen. Cochran, Thad [R-MS]

It looks like the Senate leadership is going to try to pass four spending bills this year instead of the recent norm of passing an omnibus bill. To get from 12 spending bills (what is supposed to be normal) to four they had to combine some bills. Interestingly, DHS shows up in the title for both S 2130 and S 2131; it is unlikely to be in both, but we’ll see.

If the Senate passes any of these bills they will then use that language to ‘amend’ one of the spending bills previously passed by the House. This has to be done because according to the Constitution spending bills must originate in the House.

The site does not have any language yet for these bills and there is nothing on the Senate Appropriations Committee web site on them either. The closest that we come is a press release from Chairman Cochran from last week indicating that he intended to try to pass 12 spending bills by December 11th. That has obviously changed.

NOTE: The web site is getting pretty slow in getting the previous day’s bills posted. It is not the only government web site that is having this problem; OIRA is fully a day late in getting ICRs posted. This obviously slows down the timeliness of my blog posts on these topics. Sorry, but there isn’t much that I can do.

Tuesday, October 6, 2015

House Passes HR 3510 – Cybersecurity Strategy

This evening the House passed HR 3510, the Department of Homeland Security Cybersecurity Strategy Act of 2015, on a voice vote. There were only 10 minutes (out of an authorized 40 minutes) of debate on the bill before the vote.

As I noted in an earlier post there is really nothing in the bill that specifically addresses control system security issues, but neither does it specifically address IT security issues. This is a very broadly written bill that does not even distinguish between government cybersecurity issues and regulatory cybersecurity issues.

This bill is unlikely to attract even this much attention in the Senate if it is considered there. I would expect that it would be taken up at the end of the day under the unanimous consent process which normally involves no debate.