Wednesday, June 30, 2010

S 3538 Introduced

Last week Sen. Bond (R, MO) introduced S 3538, the National Cyber Infrastructure Protection Act of 2010; the GPO posted a copy of the introduced bill today. This is another cyber security bill targeted mainly at protecting Federal government ‘information networks’. There is no mention of ‘industrial control systems’ or ‘SCADA’ in the proposed legislation. There are, however, some provisions that might be of interest to the chemical security community.

The bill would establish within the Department of Defense a National Cyber Center. While the center would receive administrative and logistical support from DOD, the Director would report directly to the President and would not be part of the Executive Office of the President. This would make the Center very nearly a Cabinet level agency.

It is when we delve down into the duties of the Director that we start to see some wording that could provide justification for the Center to have some effect on industrial cyber security activities for areas other than just ‘information networks’. The constant use of the modifying term ‘information networks’ throughout the rest of the bill makes these paragraphs stand out because they lack that terminology.

Imminent Cyber Attack

For example, §103(d)(7) requires the Director to “provide recommendations, on an ongoing basis, to Federal agencies, private sector entities, and public and private sector entities operating critical infrastructure for procedures to be implemented in the event of an imminent cyber attack that will protect critical infrastructure by mitigating network vulnerabilities”.

This doesn’t appear to give the Director authority to develop or enforce cyber security regulations for companies operating critical infrastructure facilities. However, the fact that the Director would have budgetary authority over the cyber security activities of the executive branch agencies would give special weight to the Director’s recommendations.

Cyber Security Intelligence

Section 103(d)(11) would require the Director to “develop plans and policies for the sharing of cyber threat-related information among appropriate Federal agencies, and to the extent consistent with the protection of national security sources and methods, with State, tribal, and local government departments, agencies, and entities, and public and private sector entities that operate critical infrastructure”.

The bill does not provide the Director with any specific intelligence collection or analysis capability. It does, however, specifically give the Director “access to all intelligence relating to cyber security collected by any Federal agency” {§104(b)}. Making the information sharing requirement really effective would require funding and staffing for a cyber security intelligence analysis unit within the Center.

Vague Provisions

Since these provisions do not provide explicit authorization for ‘SCADA’ or ‘ICS’ related regulatory actions, we will have to watch any hearings and reports to see if there is more concrete language that would provide clearer indications of ‘Congressional intent’ to support industrial cyber security activities by the Center or the Director. So, I’ll add this to the list of bills that I will watch for as we rapidly head for the election season this fall.

