Friday, June 24, 2011

Cybersecurity and Chemical Facilities

I got an interesting email yesterday from Scott Jensen, Director of Issues Communication at the American Chemistry Council. He was kind enough to forward a copy of the written testimony that the ACC was submitting for today’s hearing before the Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee of the House Homeland Security Committee.

While typically made part of the ‘public record’, such unsolicited written testimony is seldom placed on the hearing web site. Perhaps the Homeland Security Committee can establish a new level of public information sharing by including such written testimony on their hearing web site.

Today’s hearing is another in a series of hearings on the Administration’s comprehensive cyber security proposal that I wrote about in an earlier blog. As I noted in a weekly notice on congressional hearings, this hearing today is much more likely to address the control systems security issues of probable interest to my readers and obviously the ACC.

Covered Facilities

I noted in my blog about the legislative proposal that I didn’t think the description of covered critical infrastructure found in §3 of the proposed Cybersecurity Regulatory Framework for Covered Critical Infrastructure Act would generally affect chemical facilities, because they wouldn’t normally fall under the dependency on ‘information infrastructure’ requirements of §3(b)(1)(A).

The ACC testimony seems to indicate that their review of the proposal takes a more expansive view of potentially covered critical infrastructure. Their testimony doesn’t specifically outline what they expect to be covered, but their analysis of the CFATS cyber security requirements would seem to indicate that they believe that CFATS covered facilities would be covered under this legislation.

The confusion about what types of facilities would be covered by this cyber security proposal isn’t limited to me and the ACC. In the hearing earlier this week before the Subcommittee on Crime and Terrorism of the Senate Judiciary Committee, none of the witnesses could provide a clear definition of what facilities would be covered under the broad definition of ‘critical infrastructure’. The conclusion was that this would be best worked out during the development of regulations implementing the law if the bill is passed. In other words, the Administration wants Congress to provide the DHS Secretary with the widest possible latitude.

It would be interesting to see if today’s hearing is able to get a clearer definition of what facilities might be covered.

Information Sharing

Information sharing between covered facilities and regulators will be a key to the effectiveness of any cyber security regulation scheme. The ACC testimony addresses one of the information sharing issues that I identified in my earlier blog. They note that one of the keys to a successful cybersecurity program is the creation of “a public/private partnership to effectively share information that is timely, specific and actionable and is properly protected from public disclosure”. They specifically recommend that “information voluntarily provided by the private sector should be adequately protected from public disclosure including Freedom of Information Act requests”.

There are currently a number of different information protection schemes that the government has established to protect such information from public disclosure. One of the most restrictive (read ‘protective’) is the Chemical-Terrorism Vulnerability Information (CVI) program for the CFATS program. This is because this program requires the most expansive sharing of information, a level comparable to what it appears this plan will require.

The level of information protection needs to be clearly spelled out in any cyber security legislation adopted by Congress.

Moving Forward

Today’s hearing is just another stop on the Administration’s road show supporting their cyber security proposal. At some point in the not too distant future someone is going to have to turn the proposal into actual legislation. Then things will start to get real interesting. We can expect at least two separate bills, one for each house of Congress, each probably authored by a committee chair. It will be interesting to see if Congressional leaders in the two Houses can field companion bills. Actually, it will be even more interesting to see if the competing committee chairs can come up with a single bill for each body.

