Tuesday, July 24, 2012

Analysis of S 3414 – Voluntary Cybersecurity Practices

This is part of an ongoing in-depth review of the provisions of S 3414, the Cybersecurity Act of 2012, that will be of interest to the control systems community. The first post in the series was:

In today’s posting I will look at §103 and the requirements for establishing voluntary cybersecurity practices. These practices will be those that critical cyber infrastructure facilities will be judged against.

Private Sector Development

The bill gives the private sector the first shot of developing ‘cybersecurity practices’ through each sector coordinating council. The term ‘cybersecurity practices’ is vaguely defined as “voluntary outcome based cybersecurity practices … sufficient to effectively remediate or mitigate cyber risks identified through an assessment conducted under section 102(a)” {§103(a)}.

These practices will be based upon “industry best practices, standards, and guidelines” {§103(a)(1)}. Where such practices don’t already exist, the sector coordinating councils will develop the practices in coordination with appropriate entities within the sector. The bill gives them 180 days to complete this development.

Council Review

Section 103(b) requires the National Cybersecurity Council, as always in consultation with CIPAC and ISAOs, to:

• Consult with relevant security experts;

• Review relevant regulations or compulsory standards or guidelines;

• Review cybersecurity practices proposed by the sector coordinating councils; and

• Consider any amendments to the cybersecurity practices and any additional cybersecurity practices necessary to ensure adequate remediation or mitigation of the cyber risks identified through an assessment conducted under section 102(a).

Then, within one year of the passage of this bill, the Council is required to adopt the proposed cybersecurity practices {§103(a)(2)(A)(i)} and amend or add to those practices as deemed appropriate by the Council {§103(a)(2)(A)(ii)}. If no cybersecurity practices are submitted by the sector coordinating councils, the Council is required to develop those practices on its own. Presumably this will be done in consultation with CIPAC and ISAOs, but that is not required {§103(a)(2)(B)}.

In developing these cybersecurity practices the Council is required {§103(d)} to prioritize the development based upon the risk assessment discussed in yesterday’s blog post. This risk assessment will not be available to the sector coordinating councils, as it will be developed concurrently with their development of cybersecurity practices. Besides, there are no provisions in the bill that would require the sharing of this risk assessment with the sector coordinating councils.

These cybersecurity practices are to be living requirements to be reviewed and adjusted by the sector coordinating councils and the Council no less frequently than every three years.

Technology Neutrality

The crafters of this bill clearly wanted to ensure that no one company or industry unduly benefited from the provisions of this bill as they mandated that the cybersecurity practices be technology neutral. This means that a cybersecurity practice could not require {§103(f)}:

• The use of a specific commercial information technology product; or

• That a particular commercial information technology product be designed, developed, or manufactured in a particular manner.

Existing Regulations

The bill would allow existing regulatory agencies to adopt cybersecurity practices as mandatory {§103(g)(1)(A)}. In fact it actively encourages agencies to do so by requiring them to report to Congress why they have not done so within one year of the enactment of this bill {§103(g)(1)(B)}. Given that the Council has up to one year to adopt/establish the cybersecurity practices and any adoption of those practices as mandatory would have to go through the publish and comment process, there will be a lot of reporting to Congress.

The crafters of this bill were careful to note that this bill does not give any agency any additional authority to regulate cybersecurity {§103(g)(1)(C)}. This means, for example, that the current prohibition under CFATS for DHS mandating any security procedure still applies to these cybersecurity practices.

The bill also specifically does not step on the toes of existing regulatory regimes. The adopted cybersecurity practices may not prohibit an entity from complying with an existing law or regulation {§103(g)(2)}.

Independent Review

The bill requires {§103(h)} that a public review of each cybersecurity practice will be accomplished by CIPAC and the sector coordinating councils. CIPAC meetings are already public (in most instances) and a notice is required to be published in the Federal Register about all such meetings, public or not. Sector coordinating councils are not so closely regulated and it is not clear how the drafters expect to require their review to be public.

Voluntary Technical Assistance

Finally, this section requires {§103(i)} the Council, when requested by an owner/operator, to “provide guidance on the application of cybersecurity practices to the critical infrastructure”. Given that the Council is not provided a staff or funding it is not clear how this guidance will be provided. I would guess that the crafters intended it to come from the existing regulatory agencies that are already understaffed and underexpertised (new word) on cybersecurity matters.
