Tuesday, June 28, 2011

S 1253 Introduced – FY 2012 National Defense Authorization Bill

Last week Sen. Levin (D, MI) introduced S 1253, the National Defense Authorization Act for Fiscal Year 2012. It provides authority for appropriations for fiscal year 2012 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths. The bill contains a number of cyber security provisions.

GPS Interference

The Senate Armed Services Committee has concerns about the same GPS interference issue that I have discussed on a number of occasions. Sec 913 of this bill addresses this issue by requiring DOD to conduct an ongoing review to “determine if commercial communications services are causing or will cause widespread or harmful interference with national security Global Positioning System receivers” {§913(b)(2)}. If and when DOD determines that interference is or may be occurring, then DOD is required to ‘promptly’ submit a report to Congress on the situation.

Detecting Cyber Attacks

Section 931 of the bill addresses the problem of detecting new forms of cyber attacks; for example new worms and viruses for which there are no anti-virus signatures available to allow AV software to detect the attack. Specifically, the Committee is looking for DOD to obtain the capability to “enable well-trained analysts to discover the sophisticated attacks conducted by nation-state adversaries that are categorized as ‘advanced persistent threats’” {§931(b)(1)(a)}.

The legislation envisions DOD seeking this capability to be acquired from commercial sources if possible. Specifically it requires that:

“In making decisions on the procurement of such capabilities from among competing commercial and Government providers, the Secretary shall take into consideration the needs of other departments and agencies of the Federal Government, State and local governments, and critical infrastructure owned and operated by the private sector for unclassified, affordable, and sustainable commercial solutions.” {§931(b)(2)}
WIKI Leaks Prevention

Section 932 requires the Secretary of Defense to support an expanded information sharing program while providing for “the adoption and improvement of technical and procedural capabilities to detect and prevent personnel without authorization from acquiring and exporting information from classified networks” {§932(a)}. This would help to prevent the occurrence of future ‘WIKI Leaks’.

The Committee envisions a wide range of activities to be included in this effort {§932(b)} including:

• Disabling ‘removable media ports of computers’;

• Requiring system administrator approval of downloads on computers where such ports are necessary;

• Electronic monitoring and reporting of downloading to removable media;

• Public-key identity authentication to control information access;

• Electronic auditing and reporting of user activity;

• Using ‘data-loss prevention’ and ‘data-rights management’ to prevent unauthorized data export; and

• Integrating all of the above to “enable efficient management and operations, and effective protection of information, without impairing the work of analysts and users of networks” {§932(b)(7)}.
Cyberspace Experts

No authorization bill would be complete without any number of mandated studies. Section 1076 of this bill requires the conduct of a manpower study that will look at the “availability of military and civilian personnel for Department of Defense defensive and offensive cyberspace operations, identifying any gaps in meeting personnel needs, and recommending available mechanisms to fill such gaps, including permanent and temporary positions” {§1076(a)}.

In addition to the requisite look at ‘various recruiting, training, and affiliation mechanisms’ that may be used to address the manpower situation, probably the most valuable part of the study will be the requirement to look at “the availability of personnel with expertise in matters related to cyberspace operations from outside of the Department of Defense” {§1076(b)(2)(B)}. Properly done, this could provide a good snapshot of the current status of cybersecurity personnel.

Control Systems Not Addressed

As one would expect, there is nothing in this bill that specifically addresses industrial control system security. On the other hand, all of the areas addressed above could have significant impacts down the road on ICS security activities.

As is usual with major legislation like this, we might expect to see additional policy areas and reporting requirements in the Committee Report that accompanies this legislation. I’ll look at that document in a separate blog posting.

No comments:

/* Use this with templates/template-twocol.html */