In that post I looked at two of the problems that concerned Mr. Clinton about that proposal; the expansive definition of ‘covered critical infrastructure’ and the lack of qualified people to enforce the annual review requirements. I would like to take a closer look at the first issue here.
Expansive Definition of Critical Infrastructure
In reviewing the standards that the President’s legislative proposal provides for determining which critical infrastructure entities would have to comply with the new cybersecurity standards Mr. Clinton notes that “a careful reading of the legislative language indicates that it provides essentially unfettered authority to DHS to mandate technical standards for almost any aspect of the private sector” (pg 8). While there is more than a hint of political paranoia in that statement, the underlying concern rests clearly on the vague terms and lack of definitions included in the President’s proposal.
Clinton’s testimony looks at the two criteria that a facility must meet before the Secretary can label is ‘covered critical infrastructure’. These two criteria are found in §3(b)(1) on page 32 of the proposal. They are:
● The incapacity or the disruption of the reliable operation of the entity, a system or asset it operates, or a service it provides would have a debilitating impact on national security, national economic security, national public health or safety; andMr. Clinton focuses on the word ‘debilitating’; quite correctly noting that it is undefined in this context. He goes on to give the example of the recent cyber security breach at Sony; an attack that he notes “reportedly will cost more than a billion dollars in damage” (page 9) and makes the point that that would certainly be ‘debilitating’.
● The entity, a system or asset it operates, or a service it provides is dependent upon information infrastructure to operate, or is a part of information infrastructure and critical to its operation.
What he fails to understand is that this wording comes almost directly from the current definition of ‘critical infrastructure’ found in 42 USC 5195c(e). The Secretary has already been given considerable regulatory authority over critical infrastructure and few observers would point to the Department as being overly expansive in the reach of their regulations. In fact, I have complained on a number of occasions about their failure to write regulations that they are required to promulgate.
In the second section of the requirements he targets the term ‘information infrastructure’ and claims that “virtually all modern systems that are reliant on some form of information infrastructure to operate” (page 8). That term is not defined in this rule, a glaring oversight in view of its central nature to the regulatory scheme. We can, however, go to 44 USC 3502(8) for a definition of ‘information systems’ to find a better term for what Clinton describes.
An information system is defined as “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information”. Again this is not referenced in this proposal (and it should be), but if we use this definition to describe networks within a facility for the management of information or process control, then we would use the term ‘information infrastructure’ to describe the inter-facility communications media that allows for transmission of that information or coordination of process control at multiple facilities.
Mandating Technical Standards
Mr. Clinton’s concern about the authority given to the Secretary to establish technical standards would be a legitimate concern, if in fact there were such authority provided in this proposal. What this proposal does do in Section 4 it to require the Secretary to identify one or more ‘standardized frameworks’ for appropriately addressing each of a variety of cybersecurity risks.
Again, this terminology is not defined in the proposal or even particularly well described. What is made painfully clear (to those of us who work with the CFATS regulations) that what ever these ‘frameworks’ are, they are not standards. Section 4(b)(5) clearly states that:
“Frameworks shall not require the use of a particular measure, but shall leave the choice of particular measures to an entity to which the framework applies.”After watching the regulatory development process that accompanied the publication of the Risk Based Performance Standards for the CFATS program, I can assure anyone that industry will jealously guard against any suggestion that a particular measure is even becoming close to being a requirement in this type of regulatory scheme.
While this gives the maximum amount of flexibility to an entity that has an effective cyber security staff, it also has its downside. For entities that do not have the requisite level of expertise in house, this effectively removes the technical resources of DHS as a source for recommendations on how to adequately secure a cyber asset.
Other Issues Remain
While I don’t agree with Mr. Clinton’s assessment of these two areas of the President’s proposal there are other areas that I am in agreement with his testimony. I will address these in future blog posts.