Sunday, February 19, 2012

S 2102 Introduced – Cybersecurity Information Sharing

Last week Sen. Feinstein (D,CA) introduced S 2102, the Cybersecurity Information Sharing Act of 2012. This bill was later incorporated into S 2105 as Title VII of that bill, so this bill is unlikely to be acted upon separately unless S 2105 is defeated or substantially amended. Since this is one of the areas of S 2105 that I have not yet specifically discussed (because of the apparent lack of coverage of industrial control systems), I will look at the provisions of this bill; this discussion will also apply to the provisions of Title VII of S 2105.

BTW: The official version of S 2105 is now available on the GPO web site.

Positive Coverage of ICS

This bill (and by extension Title VII of S 2105) does specifically apply to industrial control systems. You have to read past all of the references to ‘information systems’ in the bulk of the bill until you get to §9(10) [§708(10) in S 2105; this is the last time that I will list the S 2105 section number; deducing the remaining section numbers will be left as an exercise for the student], which provides the definition of ‘information systems’ (BTW to bill crafters: it would be very nice if definitions were put at the start of a bill or title instead of towards the end). That definition reads:

The term ‘‘information system’’ means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information, including communications with, or commands to, specialized systems such as industrial and process control systems [emphasis added], telephone switching and private branch exchange, and environmental control systems.

There is one minor problem with this definition. It would appear that a direct cyber-assault on a piece of control equipment (a PLC for instance) that bypasses the ‘information system’ would not be covered. Of course one could argue that unless the attack was implemented by a direct physical connection (plugging into a USB port for instance) to the PLC, the use of a wireless connection, for instance, would still be covered under this broad definition of an information system.

I particularly like the phrasing “industrial and [emphasis added] process control systems” as this would include control systems for a variety of non-industrial uses. Thus things like power transmission systems, water treatment systems, which are arguably not ‘industrial’, would be covered. In fact, control systems in medical devices, data centers and automobiles would be covered under this wording. Kudos to Sen. Feinstein’s staff for this particular wording.

If this definition of ‘information system’ had been included in §2(12) of S 2105 it would have been clear that that bill was intended to specifically cover industrial control systems. Instead the definition used there was a reference to 44 USC 3502(8) which uses the generally accepted definition of “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information”.

Authority to Self-Monitor

Section 2 of this bill provides specific ‘affirmative authority’ for a ‘private entity’ to monitor, and to take protective actions on, its own information systems, or to contract with a third party to do that monitoring for them. While this action would seem to be self-evident to ICS owners, it was designed to provide legal cover to information service providers monitoring “information that is stored on, processed by, or transiting [emphasis added] such information systems for cybersecurity threats” {§2(1)}.

Section 3 allows the private entity to share the information obtained via monitoring with another private entity. Privacy restrictions on sharing personal information are included. Sharing such information may only be made to protect the ‘information system’.

This will be an area with which the civil liberties folks will probably take issue. The crafters of this bill attempted to deflect such criticism by specifying in their definition of monitoring that the authorized monitoring is “for the purpose of identifying cybersecurity threats” {§9(13)}. There are additional civil liberties protections scattered throughout the bill, but this will continue to be a sticking point for any non-ICS cybersecurity legislation.

Cybersecurity Exchanges

The bulk of the rest of this bill (and Title VII of S 2105) deals with the establishment, operation and regulation of cyber exchanges. Cyber exchanges (CE) are organizations that are established “to efficiently receive and distribute cybersecurity threat indicators” {§4(b)}. The DHS Secretary will establish, by regulation, at least one governmental CE as the lead CE. It will act as “the focal point within the Federal Government for cybersecurity information sharing among Federal entities and with non-Federal entities” {§4(c)(1)}.

The bill allows the Secretary 60 days {§4(c)(3)(A)} to name the lead CE and the bill provides {§4(c)(3)(B)} that in the interim the National Cybersecurity and Communications Integration Center (NCCIC) will serve as the lead CE. Since the crafters of this bill specifically prohibit the creation of “additional layers of Federal bureaucracy for the receipt and disclosure of cybersecurity threat indicators” {§4(g)} it seems clear that they intend for the NCCIC to be designated the lead CE.

The bill also suggests that the Secretary consider designating as CE other current Federal Cyber Security Centers. Those centers are listed in the definition section of the bill {§9(7)} and they include:

• Department of Defense Cyber Crime Center;

• Intelligence Community Incident Response Center;

• United States Cyber Command Joint Operations Center;

• National Cyber Investigative Joint Task Force;

• National Security Agency/Central Security Service Threat Operations Center; or

• United States Computer Emergency Readiness Team (US-CERT).

Observant readers will note that the Industrial Control System Cyber Emergency Response Team (ICS-CERT) is not included in the list. The list is not intended to be an exhaustive list of potential CE’s (though this oversight should certainly be corrected in any subsequent amendment of this bill or S 2105), so the Secretary could still designate ICS-CERT as a CE. Since the organization is already fulfilling many of the requirements of a CE, its designation is to be expected.

The bill also allows (it does not require) the Secretary to designate one or more CE’s outside of the Federal Government. Section 2(e) provides the information that the Secretary should take into account in this decision-making process. Most of these items deal with the ability to protect and share information, but the last will be the largest hurdle to overcome: the “ability of the non-Federal entity to sustain operations using entirely non-Federal sources of funding” {§2(e)(1)(E)}. This is important because no new Federal funding for CE’s is authorized in this bill.

Voluntary Disclosure

The purpose of this whole bill is to encourage the private sector to share information with the Federal government about cybersecurity threats. As such, §5 of the bill is the heart and meat of the matter: it provides for the voluntary disclosure of information to CE’s, prescribes how that information may be subsequently shared, and provides non-monetary incentives for sharing such information.

The main incentive is prevention of cyber-attacks; that is a given and is not addressed in the bill. All of the other incentives are actually negations of existing disincentives to such information sharing. They include:

• Ensuring that the information provided is only used for cyber-protection purposes {§5(b)};

• Exemption from public disclosure under the Freedom of Information Act {§5(d)};

• Exemption from ex parte communications rules {§5(e)};

• Exemption from waiver of privilege {§5(f)};

• Provides criminal and civil liability protections {§7(a)}; and

• Provides limitations on use for regulatory enforcement purposes {§7(c)}.

Oh, and one relatively small part of this section {§5(c)} deals with information shared by the CE’s with non-Federal entities. At first glance that would seem to mean the private sector, but in reality it also includes information shared with State and local governments. As such it seems to be lacking any reference to those governments’ use of supplied information for regulatory or law enforcement purposes. This is only partially corrected in the §7 references. This oversight could chill the information sharing process.

Privacy and Civil Liberties

One of the main impediments to passing a comprehensive cybersecurity bill has been developing adequate protections of privacy and civil liberties. This bill {5(g)(4)} specifically places the onus for developing detailed procedures for these protections on the Secretary of DHS. Other federal agencies that are responsible for CE’s are required {5(g)(4)(B)} to adopt the procedures developed by the Secretary. Then the Attorney General is tasked {5(g)(4)(C)} with reviewing and approving these policies and procedures. Finally, copies of the approved procedures (and any subsequent revisions) will be provided to Congress for political review.

Classified Information

One of the complaints that the private sector (and State and local governments for that matter) has had about threat information sharing of any type is that most of that information developed by the Federal government is classified and that the flow of such classified threat information is practically non-existent. Section 6 of this bill attempts to deal with that complaint.

First the bill establishes a new class of non-Federal entities called certified entities {§9(1)} (oops, we’ve already used the CE acronym in this bill). These are entities that are protected (have contracted for cybersecurity services {§9(18)}), self-protected (provide their own cybersecurity services in-house {§9(19)}) or are cybersecurity providers {§9(4)}. Next they must have, or be able to maintain, a security clearance {§9(1)(A)}. Finally they must demonstrate the ability to protect and use classified cybersecurity threat indicators {§9(1)(A)}.

Since ‘protected entities’ and ‘self-protected’ entities are by definition (see referenced paragraphs above) not individuals, and security clearances are only issued to individuals, the definition of certified entities certainly needs some work. Does every member of the entity have to have a security clearance (that doesn’t even happen in DOD), or does a single cleared individual on the payroll suffice (that would be a busy bugger just keeping up with the paperwork requirements for classified documents)?

Actually §6 of the bill attempts to address some of these issues. First it makes clear that classified threat indicators are to be shared only with “a person with an appropriate security clearance to receive such cybersecurity threat indicators” {§6(a)(3)}. It also restricts the use of such shared information by a certified entity “in a manner that protects such cybersecurity threat indicators from unauthorized disclosure” {§6(a)(4)}.

This still doesn’t address industry’s complaint that few of their personnel have such clearances, that they are not easy (or timely) to obtain, and that they may only be needed for a single communication of threat information. The bill addresses this issue by directing the Director of National Intelligence (DNI) to develop guidelines for issuing temporary security clearances to an employee {§6(b)(1)} or a certified entity {§6(b)(2)}, or to expedite the security clearance process {§6(b)(3)}.

Not Much Effect for ICS Organizations

This bill is an interesting attempt at dealing with the information sharing requirements that will be necessary for building the public-private partnership needed to prevent cyber-attacks on industrial control systems. ICS-CERT already has a pretty impressive record of information sharing, and little of it would be affected materially by this bill. I’m not sure how much classified threat information ICS-CERT receives from the intelligence community, so it is hard to judge how the classified information sharing provisions would affect the ICS community.

What is absolutely missing from this bill from an ICS perspective is any mention of the relationship between software and system vendors and the owner/operators of industrial control systems. The slow, incomplete, or even non-existent response of vendors to the identification of vulnerabilities inherent in their system needs to be addressed in any information sharing legislation that would have meaningful effects on the cybersecurity of industrial control systems.

Finally, one other non-federal entity needs to be added to the list of providers of cyber threat information: the independent security researcher. In the last year we have seen a remarkable increase in the vulnerability disclosures made by these hard-working and oft-maligned individuals and small organizations. Their efforts need to be acknowledged and protected in the information provider provisions of this bill.
