Monday, July 30, 2012

Analysis of S 3414 – Protection of Information

This is part of an ongoing in-depth review of the provisions of S 3414, the Cybersecurity Act of 2012, that will be of interest to the control systems community. The earlier posts in the series were:

NOTE: The GPO now has a copy of this bill available.

This post will look at the provisions of §106, Protection of Information. The public-private partnership outlined in Title I allows for and requires critical infrastructure entities within the private sector to provide information to the Federal government. This section provides for the protection of that information.

Information Protection Program

There is an ongoing (and very much delayed) Executive Branch review of the multitude of sensitive but unclassified information programs within the Federal government. The idea is to reduce the number of such programs to a minimum and to rationalize the requirements of the various programs. To avoid adding another complicating program, this bill would add the information collected to support the critical cyber infrastructure program to an existing critical infrastructure information program under 6 U.S.C. 133.

NOTE: The bill actually refers to “section 214 of the Homeland Security Act of 2002” {§106(b)(1)}; this is a common and confusing practice in writing legislation. It is much easier to cite the appropriate US Code entry and much easier for a researcher to find the appropriate reference.

That program is designed to protect voluntarily provided information and specifically limits the coverage to information “that is voluntarily submitted to a covered Federal agency for use by that agency regarding the security of critical infrastructure and protected systems” {6 USC 133(a)(1)}. Since some of the information submitted under this bill is required to be submitted {see specifically §102(b)(4)}, the crafters of this bill provided an exception to the ‘voluntarily provided’ requirement {§106(b)(1)}. It is unusual that this section does not actually revise the existing USC language to provide this exemption; that may create an interesting situation for lawyers to argue the applicability of this exemption.

This established information protection regime protects the provided information from:

• Federal {6 USC §133(a)(1)(A)} and State or local {§133(a)(1)(E)} Freedom of Information Act type disclosures;

• Any agency or judicial rules regarding ex parte communications {§133(a)(1)(B)}; and

• Disclosure in any Federal or State civil action {§133(a)(1)(C)}.

It does not prevent disclosure in:

• Criminal investigations and/or prosecutions {§133(a)(1)(D)(i)};

• Congressional hearings and/or investigations {§133(a)(1)(D)(ii)(I)}; or

• Government Accounting Office investigations {§133(a)(1)(D)(ii)(II)}.

Interestingly, I see nothing in this section that would allow the Government to share generalized threat information obtained through data provided under the voluntary critical infrastructure cybersecurity program. There is authority to do so under 6 USC §133(g), but again, since this section does not modify that portion of the USC in its inclusion of involuntarily provided information, it could be argued that it doesn’t apply to information obtained under this Title.

This is particularly true since the protections of 6 USC 133 only apply to information provided that includes the statement {6 USC §133(a)(2)}:

“This information is voluntarily submitted to the Federal Government in expectation of protection from disclosure as provided by the provisions of the Critical Infrastructure Information Act of 2002.”

Cybersecurity Tip Line

An interesting part of this section that in some ways seems out of place is the requirement for the establishment of a Critical Infrastructure Cybersecurity Tip Line. This would be established to allow individuals to anonymously (well, it doesn’t actually say ‘anonymously’) report “concerns involving the security of covered critical infrastructure against cyber risks” {§106(c)(1)(A)}. It would also be usable for reporting ‘concerns’ about programs or functions established under Title I involving {§106(c)(1)(B)}:

• A possible violation of any [emphasis added] law, rule, regulation or guideline;

• Mismanagement;

• Risk to public health, safety, security, or privacy; or

• Other misfeasance or nonfeasance.

The program concerns reported to this Tip Line would be investigated by an Inspector General. The definition of ‘Inspector General’ in this section {§106(a)(2)} makes it clear that this is not limited to the Inspector General of DHS. There is nothing that describes how it will be determined which IG will conduct the investigation or who will make that determination.

Any information submitted to the Critical Infrastructure Cybersecurity Tip Line would be covered information afforded the protections of this section {§106(a)(1)(E)}. That is probably the reason that this was placed in this section of the bill.

Limitations on Protection

Section 106(d) makes it clear that the crafters of this bill did not intend for the protections to be applied overly broadly. It lists a number of things that this section does not do or limit. It does not:

• Limit the “right, ability, duty, or obligation of any entity to use or disclose any information of that entity” [thus it prohibits the attempted Bayer CropScience PCII defense];

• Prevent the classification of information submitted under this section;

• Prevent the government from obtaining information that is not covered information;

• Prevent DHS from using the information in enforcement proceedings under this Act (the whole thing not just Title I);

• Authorize the withholding of information from Congress, the Comptroller General or any [emphasis added] IG; or

End of Title I

There are a number of sections of Title I that I have ignored in this series of blog posts. They are:

Sec. 105. Rules of construction.
Sec. 107. Annual assessment of cybersecurity.
Sec. 108. International cooperation.
Sec. 109. Effect on other laws.
Sec. 110. Definitions.

While certainly not unimportant, it does not appear that these sections will have any great impact on the control system community, as they do not directly apply to operations in the private sector.

I will try to get a general look at the information sharing provisions of Title VII of this bill written up in a post later this week. A lot will depend on how the debate goes and how many additional amendments are proposed that deal with Title I of this bill. Right now it appears that the bulk of the public opposition to this bill deals with Title I and not with the privacy concerns about Title VII that were seen with previous versions of the bill.


Anonymous said...

It appears that the link on this page "Analysis of S 3414 – Voluntary Cybersecurity Program" is incorrect as it points to the PDF of the full bill.

PJCoyle said...

The Link has been corrected. Thank you for pointing out the problem.
