Sunday, March 13, 2016

S 2665 Introduced – State and Local Cybersecurity

NOTE: This bill does not contain any references to control system security, so it would not normally be addressed in this blog. In a subtle perversion of my normal policy I am including it specifically because it contains no reference to control system security.

Last week Sen. Peters (D,MI) introduced S 2665, the State and Local Cyber Protection Act of 2016. According to a press release the bill is intended “to promote better coordination of cybersecurity efforts between Department of Homeland Security (DHS) and state and local governments.”

Cybersecurity Assistance Provisions

The bill would amend 6 USC 148 which describes the functions of the National Cybersecurity and Communications Integration Center. Among other requirements the bill would require the NCCIC to assist State and local governments, upon request, in {new §148(m)(1)}:

• Identifying information system vulnerabilities; and
• Identifying information security protections commensurate with cybersecurity risks and the magnitude of the potential harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information systems used or operated by an agency or by a contractor of a State or local government or other organization on behalf of a State or local government;
• Coordinating a nationwide effort to ensure effective implementation of tools, products, resources, policies, guidelines, and procedures related to information security to secure and ensure the resiliency of State and local information systems;
• Providing, upon request, operational and technical cybersecurity training to State and local government and fusion center analysts and operators to address cybersecurity risks or incidents; and
• Developing and conducting targeted operational evaluations, including threat and vulnerability assessments, on the information systems of State and local governments

The bill does not specifically define ‘information systems’. Instead it uses the very IT-limited definition of ‘information systems’ from §148(a)(4), which in turn refers back to the definition in 44 USC 3502(8). It does not use the more expansive definition found in the Cybersecurity Information Sharing (CSIS) Act of 2015 (Title I of Division N of the Consolidated Appropriations Act of 2016), which adds the phrase “includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers” {§102(9)(b)} to the §3502(8) definition.

Moving Forward

Peters is a relatively low-ranking Democrat on the Senate Homeland Security and Governmental Affairs Committee, but he may have enough influence to have the bill be considered in Committee. If it is considered, there does not appear to be anything that would raise any serious opposition to the bill. The bigger question then becomes whether there is enough interest in the bill in an election year to actually bring the bill to the floor of the Senate, where it would probably be considered under their unanimous consent process. If the bill is not considered in Committee in the next month, it is unlikely that it would make it to the floor before the November 1st elections.


It is really disappointing to see the crafters of this bill use the restricted definition of information systems. State and local government agencies operate a number of utilities across the country that are considered critical infrastructure and extensively use industrial control systems in their operations. Using the more expansive definition used in the CSIS Act would help to ensure that the NCCIC would provide State and local government-owned utilities the control system security information that they need to protect their critical infrastructure.

I am hoping that there is an amendment in the committee process that would change the language to what has become much more common in cybersecurity legislation over the last year or so.
