Monday, December 16, 2013

HR 3696 Introduced – Cybersecurity

As I mentioned last week, Rep. McCaul, and the rest of the bipartisan leadership of the House Homeland Security Committee, introduced HR 3696, the National Cybersecurity and Critical Infrastructure Protection Act (NCCIPA) of 2013. This is a fairly comprehensive effort to all DHS to address the issues associated with cybersecurity in critical infrastructure without allowing any additional spending or any attempts at regulating.


Section 101 of the bill starts off by adding a number of cyber related definitions to the Homeland Security Act of 2002 (6 USC §101). Those definitions include:

• Critical infrastructure §101(19)
• Critical infrastructure owner §101 (20)
• Critical infrastructure operator §101 (21)
• Cyber incident §101 (22)
• Cybersecurity provider §101 (23)
• Cybersecurity purpose §101 (24)
• Cybersecurity system§101 (25)
• Cyber threat §101 (26)
• Cyber threat information §101 (27)
• Federal civilian information systems §101 (28)
• Information security §101 (29)
• Information system §101 (30)
• Private entity §101 (31)
• Protected private entity §101 (32)
• Shared situational awareness §101 (33)

Three of the definitions will have some important consequences. The first (in importance to readers of this blog) is the definition of ‘information system’:

“ The term ‘information system’ means the underlying framework and functions used to process, transmit, receive, or store information electronically, including programmable electronic devices, communications networks, and industrial or supervisory control systems [emphasis added] and any associated hardware, software, or data.”

This definition, applying to the Homeland Security Act, means that any place in that act that refers to an ‘information system’ will include (unless specifically exempted) control systems. If this bill is passed, this could have serious unintended consequences when additional cyber amendments are made to this Act. For current US Code provisions that would be affected by this expanded definition see §143, §144, and §145 of 6 USC.

The second definition of interest is also expansive in its coverage. The term ‘cyber incident’ is used to describe any incident, or an attempt to cause an incident that would:

• Jeopardize or imminently jeopardize, without lawful authority, the security, integrity, confidentiality, or availability of an information system [emphasis added] or network of information systems or any information stored on, processed on, or transiting such a system;

• Constitute a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies related to an information system [emphasis added] or network of information systems, or an act of terrorism against an information system or network of information systems; or

• Result in the denial of access to or degradation, disruption, or destruction of an information system [emphasis added]  or network of information systems, or the defeat of an operations control or technical control essential to the security or operation of an information system or network of information systems.

If people think that the current hacking criminal statutes are overly broad, they at least require intent. While this is not a criminal statute, just about any computer malfunction or interruption, intentional or otherwise, becomes a cyber incident; to be tracked and reported by DHS.

The final important definition is ‘cyber threat’. It is defined as “any action that may result in [emphasis added] unauthorized access to, exfiltration of, manipulation of, harm of, or impairment to the security, integrity, confidentiality, or availability of an information system or network of information systems, or information that is stored on, processed by, or transiting an information system or network of information systems.” Once again, expansiveness is the order of the day.

Cybersecurity and Information Sharing

Section 102 of the bill is the first in a series of sections that modify Title II of the Homeland Security Act by adding new sections to 6 USC Subchapter II Part C after renaming that Part (formerly ‘Information Security’) “Cybersecurity and Information Sharing” making this Part the cybersecurity central of the Act.

Sec 226 is added, providing the DHS Secretary with overall responsibility for conducting activities for cybersecurity purposes. Sec 227 provides that the Secretary will coordinate with the various stake holders to {§227(1)}:

• Facilitate a national effort to strengthen and maintain secure, functioning, and resilient critical infrastructure from cyber threats;
• Ensure that Department policies and procedures enable critical infrastructure owners and critical infrastructure operators to receive real-time, actionable, and relevant cyber threat information;
• Upon request, facilitate and assist risk management efforts of entities to reduce vulnerabilities, identify and disrupt threats, and minimize consequences to their critical infrastructure;
• Upon request, provide education and assistance to critical infrastructure owners and critical infrastructure operators on how they may use protective measures and countermeasures to strengthen the security and resilience of the Nation’s critical infrastructure; and
• Coordinate a research and development strategy to facilitate and promote advancements and innovation in cybersecurity technologies to protect critical infrastructure.

Additionally, the Secretary is given sole responsibility to {§227(2)}:

• Support critical infrastructure owners’ and critical infrastructure operators’ efforts to secure, protect, and ensure the resiliency of critical infrastructure from cyber threats;
• Provide multi-directional sharing of real-time, actionable, and relevant cyber threat information; and
• Facilitate expeditious cyber incident response and recovery assistance, and provide analysis and warnings related to threats to and vulnerabilities of critical information systems.

The remainder of §227 codifies existing organizations and practices related to Critical Infrastructure Sectors {§227(b)}, Sector Coordinating Councils {§227(d)}; and Sector Information Sharing and Analysis Centers {§227(e)}. Additionally it specifies {§227(e)(3)} that $25 Million of funding will be provided to the National Cybersecurity and Communications Integration Center (NCCIC) out of the funds authorized for the DHS Office of Cybersecurity and Communications.

The NCCIC is described in §228. The bill requires that the NCCIC will include {§228(b)}:

• At least one Information Sharing and Analysis Center established under section 227(e) for each critical infrastructure sector.
• The Multi-State Information Sharing and Analysis Center;
• The United States Computer Emergency Readiness Team;
• The Industrial Control System Cyber Emergency Response Team; and
• The National Coordinating Center for Telecommunications.

The bill adds §229 that addresses cyber incident response and technical assistance. It requires the Secretary to establish Cyber Incident Response Teams (CIRT) {§229(a)} and to develop a Cyber Incident Response Plan {§229(c)}.

The next two added sections (§230 and §230a) deal with Federal cybersecurity programs, specifically with workforce issues. The first addresses the readiness of the Federal cybersecurity workforce and the second addresses personnel policies designed to hire and retain that workforce.

DHS Cybersecurity Reorganization

Section 108 of the bill deals with the reorganization of the National Protection and Programs Directorate into the new Cybersecurity and Infrastructure Protection Directorate. It amends 6 USC 113 to specifically authorize an Under Secretary for Cybersecurity and Infrastructure Protection with two Deputy Under Secretaries; one for Cybersecurity and the other for Infrastructure Protection. It does this by adding paragraphs (K), (L), and (M) to §113. Interestingly, the bill does not touch the currently authorized Under Secretary responsible for overseeing critical infrastructure protection, cybersecurity and other related programs within the Department. That position in paragraph (H) remains in §113.

The bill does state that the people filling the current equivalent positions may retain those positions under the new titles {§108(b)(2)}.

NIST and the Cybersecurity Framework

Section 230b is also added to the new Cybersecurity and Information Sharing Part of the Homeland Security Act. While the bill never specifically mentions the current Cybersecurity Framework, the functions assigned to the Director of the National Institute of Standards and Technology (NIST) steals a lot of the verbiage from the President’s EO on Cybersecurity.


Section 202 of the bill modifies the provisions of the SAFET Act (6 USC Subchapter VII Part G) to specifically include cybersecurity technologies under the purview of the Act. Mainly it does this by modifying the descriptive language from referring to just terrorism to now include the word ‘cybersecurity’. For example the title of 6 USC §441(b) is changed to “Designation of anti-terrorism and cybersecurity technologies.”

Additionally bill would add a new paragraph to 6 USC §444 to address qualifying cyber incidents {§644(7)}. The opening sub-paragraph provides the Secretary with wide latitude to further define and specify those qualifications. The remainder goes on to describe the various types of qualifying incidents that should be included. The most pertinent from a control system perspective is the one that reads:

Disrupts or imminently jeopardizes the integrity, operation, confidentiality, or availability of programmable electronic devices, communication networks, including hardware, software and data that are essential to their reliable operation, electronic storage devices, or any other information system [emphasis added], or the information that system controls, processes, stores, or transmits {§644(7)(B)(ii)};

Restricting DHS Cybersecurity Operations

The last two sections of the bill will greatly restrict the ability of DHS to be very effective in their implementation of this bill if it is passed. Section 203 of the bill specifically denies the Secretary the authority to create or authorize the issuance of any new regulations. Section 204 specifically states that there is no new funding being authorized to take the actions directed. All necessary monies will come from current funding.

Moving Forward

The bill is fairly wide ranging and does include information sharing language without a lot of language protecting privacy or civil liberties. Normally, I would expect those twin characteristics to doom the prospects for this bill being considered. On the other hand, the fact that the sponsors are the top two cybersecurity Republicans and the top two cybersecurity Democrats on the House Homeland Security Committee. There may be a chance for this bill to move forward.

We’ll have to see how fast this bill makes it through Committees. It was referred to  the Committee on Homeland Security, the Committees on Science, Space, and Technology, and the Oversight and Government Reform Committee. If it gets relatively fast action in the first two, it has a good chance to get to the floor before spring. If it doesn’t get through the Senate by July 4th it is unlikely to get considered in an election year.

No comments:

/* Use this with templates/template-twocol.html */