Sunday, March 4, 2012

S 2152 Language

Thanks to two different readers I now have a copy of S 2151, the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology (SECURE IT) Act of 2012 that was introduced by Sen. McCain on Thursday. The copy I have is the final draft version from committee files, but until the GPO publishes the final version it’s the best available information. It is a much more limited cybersecurity bill than S 2105, not providing any additional regulatory powers to DHS.

Information Sharing

For the civilian portion of critical infrastructure there is little more in the bill than some provisions that authorize information sharing from the civilian sector to the federal government. While at first glance it would not seem necessary to authorize that sharing, the provisions of the bill allow the sharing of ‘cyber threat information’ with existing federal ‘cybersecurity centers’ or ‘any other entity’ for the purpose of “preventing, investigating, or otherwise mitigating threats to information security [emphasis added]” {§102(a)(2)(B)}. Again, this bill uses the common definition of ‘information security’ from 44 USC 3502(8), which does not specifically include control systems.

Nothing in the definition of ‘cyber threat’ includes specific language that would cover information systems linked to control systems. Nor is ICS-CERT among the current agencies listed as ‘cybersecurity centers’. In short, the information sharing section (Title I) of this bill has no effect on control system security, nor does it authorize sharing of cyber threat information concerning control systems.

The information sharing provisions of this bill are important because they exempt the sharing of cyber threat information from the communications limitations of various anti-trust rules and regulations, provide public reporting exemptions under the Freedom of Information Act, and pre-empt state laws regarding information sharing.

Criminal Penalties

This bill does make one important control-system-related change: it provides for criminal penalties for attacks on control systems in critical infrastructure. It adds Section 1030A to 18 USC, making it an offense to knowingly cause, or attempt to cause, damage to a ‘critical infrastructure computer’ or the critical infrastructure associated with the computer. It provides for a sentence of 3 to 20 years for each offense.

A ‘critical infrastructure computer’ is defined as “a computer that manages or controls systems or assets vital to national defense, national security, national economic security, public health or safety, or any combination of those matters, whether publicly or privately owned or operated” {§1030A(a)(2)}; the definition then goes on to list the following included sectors:

• Gas and oil production, storage, and delivery systems;

• Water supply systems;

• Telecommunication networks;

• Electrical power delivery systems;

• Finance and banking systems;

• Emergency services;

• Transportation systems and services; and

• Government operations that provide essential services to the public.

If and when someone actually gets caught attacking a non-refinery chemical control system we will find out how broadly the courts will interpret ‘national economic security, public health or safety’ as it pertains to facilities in sectors not specifically listed in the bill. It would have seemed more appropriate to list all of the current 18 Critical Infrastructure Sectors.

Research and Development

Title IV of this bill provides for an amendment to the National High-Performance Computing Act of 1991 by adding research on networking and information technology to the goals and priorities section of that act without adding any additional funding for such research goals.

Section 404(b) of the bill provides for special emphasis on research on technical solutions in a variety of cyber technologies including cybersecurity {§404(b)(1)} and ‘cyber-physical systems’ {§404(b)(5)}. Cyber-physical systems are defined as “physical or engineered systems whose networking and information technology functions and physical elements are deeply integrated and are actively connected to the physical world through sensors, actuators, or other means to perform monitoring and control functions [emphasis added]” {§401(g)(4)}; a clear, unequivocal reference to industrial control systems.

The ‘cyber-physical systems’ research is to be focused on improving “the methods available for the design, development, and operation of cyber-physical systems that are characterized by high reliability, safety, and security [emphasis added]” {§402(b)(3)}.

No Real Control System Security

So once again we have a cyber-security bill that essentially ignores the unique problems with control systems. Nor are there any regulatory requirements that would allow the government to force software vendors to address vulnerabilities in software systems in either the information security sector or in the control system sector.
