Thursday, July 26, 2012

Analysis of S 3414 – Voluntary Cybersecurity Program

This is part of an ongoing in-depth review of the provisions of S 3414, the Cybersecurity Act of 2012, that will be of interest to the control systems community. The earlier posts in the series were:

NOTE: The GPO now has a copy of this bill available.

As anyone who has been following the news coverage of S 3414 probably already knows, the heart of the difference between this bill and S 2151, at least for critical infrastructure cybersecurity, is that the program is voluntary. That, along with the incentives intended to encourage voluntary participation, is addressed in §104.

The Voluntary Program

The National Cybersecurity Council, within one year of the passage of this bill, is required {§104(a)(1)} to establish the Voluntary Cybersecurity Program for Critical Infrastructure. While this is to be specifically designed for designated critical cyber infrastructure, the bill also requires {§104(a)(2)(B)} the establishment of criteria for owners of other facilities to apply for certification under the Program.

Any owner or operator applying for certification under the Program will “select and implement cybersecurity measures of their choosing that satisfy the outcome-based cybersecurity practices established under section 103” {§104(a)(3)(A)}. At that point the owner will have one of two options for establishing the adequacy of those cybersecurity measures {§104(a)(3)(B)}:

• Certify in writing and under penalty of perjury to the Council that the owner has developed and effectively implemented cybersecurity measures; or

• Submit to the Council an assessment verifying that the owner has developed and effectively implemented cybersecurity measures.

While the first option should be cheaper in the short run, paying a third party to conduct the assessment may avoid the exposure that a certification made ‘under penalty of perjury’ could create if the system is later successfully attacked.

To ensure that assessments are conducted by reputable and properly skilled professionals, the Council will “enter into agreements with qualified third party private entities, to conduct assessments that use reliable, repeatable, performance-based evaluations and metrics to assess whether an owner certified under subsection (a)(3)(B)(ii) is in compliance with all applicable cybersecurity practices” {§104(b)(1)}.

In either case, when the Council is notified that the owner has implemented an adequate cybersecurity program, it is required {§104(a)(4)} to certify that owner.

Checking Security

While the Council is required to accept either the owner’s self-certification or the third-party assessment, the bill does provide that if the Council becomes aware (either through actual knowledge or a reasonable suspicion) “that the certified owner is not in compliance with the cybersecurity practices or any other risk-based factors as identified by the Council” {§104(b)(3)}, the Council may conduct its own assessment of those security practices.

Once again, though, since the bill authorizes neither a Council staff nor any specific funding for the Council, any such assessment would have to be conducted on the Council’s behalf by some other entity. The wording of this section, however, does not appear to authorize the use of another entity for that purpose.

Incentives for Participation

Since participation in the Voluntary Cybersecurity Program for Critical Infrastructure is voluntary, the drafters knew that they had to offer some sort of incentive to encourage the participation of as many of the identified critical cyber infrastructure entities as possible. The incentives provided in this bill include {§104(c)}:

• Limitations on civil liability;

• Expedited security clearance process;

• Prioritized technical assistance;

• Provision of cyber threat information;

• Public recognition; and

• Procurement preference.

Much has been made in the press about the civil liability protections provided in this bill. There are, as one would expect, a number of specifications, limitations and exceptions to that protection. A number of familiar lawyer-type phrases have been added to this paragraph {§104(c)(1)} to limit the applicability of the ‘protections’; they include ‘punitive damages’, ‘substantial compliance’, ‘harm directly caused by’ and ‘additional or intervening acts or omissions’. Still, in the event of a significant attack, even these limited protections could matter a great deal.

The other benefits will provide some level of incentive, but it is not clear that they would be enough to justify the cost of the cybersecurity measures that will likely be required. The one possible exception is the last incentive, a Federal procurement preference. Unfortunately, the bill does not actually provide this incentive; it only requires {§104(c)(6)} that a study be conducted on the potential use of such a preference. There is no deadline for completing the study, nor is there any provision for implementing the preference if the study’s results are favorable.
