Tuesday, April 17, 2012

New Language for HR 3674

As I noted in yesterday’s blog post, Rep. Lungren (R,CA), the chair of the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the House Homeland Security Committee, is planning on introducing substitute language for HR 3674, Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2011 (The PrECISE Act), during the full Committee markup of that bill. My earlier post provided just a general idea of the scale of changes included in the bill. I’ve now had a chance to do a more detailed review, and this post looks at those areas that might be of interest to the control system security community.

Control System Security Ignored

HR 3674 has always been an information security bill, but earlier versions did include some brief mentions of control system security issues. This version of the bill removes all of those mentions. For example, the wording in §226(a)(7), added in the substitute language submitted in the Subcommittee markup hearing, that required the development of “guidelines for making critical infrastructure information systems and industrial control systems [emphasis added] more secure at a fundamental level” has been removed in this latest version.

Even the wording in the original bill that addressed cybersecurity R&D efforts, requiring the “development and support of technologies to reduce vulnerabilities in process control systems” {§229(b)(5)} has been removed.

No Standards to be Set

It is apparent that the reason for the removal of any reference to control systems in this revised language is the full-scale revision of the authority to be given to DHS to regulate cybersecurity in the private sector. Actually, ‘revision’ is hardly adequate; the regulatory scheme for this new bill is summed up nicely in §226, which is being added to the Homeland Security Act of 2002 in §2 of this bill. It requires the DHS Secretary to “perform necessary activities to help facilitate the protection of Federal systems and, solely upon the request of critical infrastructure owners and operators [emphasis added], assist such critical infrastructure owners and operators in protecting their critical infrastructure information systems” {§226(a)}.

The phrase ‘solely upon the request’ occurs in a number of places in the discussion in §226 of how the Secretary will go about ‘assisting in protecting’. It is specifically used to describe the conduct of risk assessments for critical infrastructure information systems and the providing of technical assistance to critical infrastructure owners and operators.

Careful reading of this section of the revised language for the bill allows one to understand why this bill does not intend to establish a regulatory regime for protecting cybersecurity in the private sector; there will not be enough resources made available to DHS to allow them to prepare rules and establish an enforcement capability to support such regulations. This is clearly seen in §226(e):

“The provision of assistance or information to critical infrastructure owners and operators, upon request of such critical infrastructure owners and operators, under this section shall be at the discretion of the Secretary and subject to the availability of resources. The provision of certain assistance or information to one critical infrastructure owner or and operator pursuant to this section shall not create a right or benefit, substantive or procedural, to similar assistance or information for any other critical infrastructure owner or and operator.”

Information Sharing

Lungren (and presumably the Committee Staff) is obviously trying to avoid the ire of various internet activists that the Rogers information sharing bill (HR 3523) has increasingly drawn. Subtitle E of the bill would add a series of sections to the Homeland Security Act to address cybersecurity information sharing by DHS.

The first section of this subtitle clearly requires DHS to supply cyber-threat information to the private sector; something that has not been explicitly spelled out in any cybersecurity legislation to date. Section 241 requires the Secretary to make “information appropriately in the possession of the Department available to appropriate owners and operators of critical infrastructure on a timely basis”. Caveats are provided for details of protected information and classified information.

The bill establishes the National Cybersecurity and Communications Integration Center (NCCIC) as the agency within the Department responsible for carrying out the information sharing requirements of the Department. The sharing requirements for the NCCIC include cyber threat information and “exchanging technical assistance, advice, and support with appropriate entities” {§242(b)}. Unfortunately, the section that outlines the methodology and requirements for information sharing and protection is poorly written.

Section 243(a)(1) starts out explaining that Federal agencies are required to provide cybersecurity threat information in their possession to the NCCIC, allowing them to place restrictions on what and how that information could be shared to protect the sources of that information. There is nothing really controversial here.

Section 243(a)(2) places additional and more specific restrictions on how information provided to the NCCIC can be shared. The wording implies, but never specifically states, that much of the information covered under this subparagraph would be information provided to DHS by the private sector. This can be seen in the use of the phrases “protected entity” and “self-protected entity” that have been proposed in other cybersecurity bills. Unfortunately they are not defined anywhere in this bill.

Information sharing protections listed in §243(a)(2)(C) and §243(a)(2)(D) include:

• Shall be exempt from disclosure under section 552 of title 5, United States Code;

• Shall be considered proprietary information and shall not be disclosed to an entity outside of the Federal Government except as authorized by the entity sharing such information;

• Shall not be used by the Federal Government for regulatory purposes;

• Shall be handled by the Federal Government consistent with the need to protect sources and methods and the national security of the United States; and

• Shall be exempt from disclosure under a State, local, or tribal law or regulation that requires public disclosure of information by a public or quasi-public entity.

Information Sharing Restrictions

Responding to specific privacy and domestic spying charges levied against HR 3523, Lungren has provided three separate restrictions on the use of information shared with the Federal government (presumably, but not specified, by private sector entities). Actually this is another poorly written area, as there is a repeated reference to ‘subsection (b)’ but there is no such subsection in §243.

The revised language provides the ‘limitation on use’ provisions that allow Federal agencies to share the information only if “at least one significant purpose of the use” {§243(a)(3)(A)(ii)} is for cybersecurity purposes or protection of national security. Similar language is found in HR 3523.

Lungren has added language {§243(a)(3)(B)} that specifically prohibits searching such information provided to the Federal Government (again presumably by the private sector) except for national security or cybersecurity purposes. It also specifically prohibits {§243(a)(3)(C)} the Federal Government from requiring “a private sector entity to share information with the Federal Government”.

It is not clear that these efforts will mollify privacy and internet freedom advocates’ concerns about the effects of these security provisions on their privacy and freedom of expression rights. But an effort has been made.

The Markup Hearing

The full Homeland Security Committee will meet in a markup hearing on Wednesday, April 17th, 2012. It is likely that there will be a number of additional amendments made to this language. I’ll cover those results later this week.
