S 133 Introduced – FY 2017 Intelligence Authorization

Earlier this month Sen. Burr (R,NC) introduced S 133, the Intelligence Authorization Act for Fiscal Year 2017. Last Friday the Senate Select Committee on Intelligence reported the bill favorably without amendment. There are two cybersecurity provisions that may be of interest to readers of this blog:

Sec. 312. Assistance for nationally significant critical infrastructure.

Sec. 614. Report on cybersecurity threats to seaports of the United States and maritime shipping.

CI Assistance

Section 312 would authorize elements of the intelligence community, through the Under Secretary for Intelligence and Analysis of the Department of Homeland Security, to provide assistance to covered critical infrastructure facilities “to reduce the risk of regional or national catastrophic harm caused by a cyber attack (sic) against covered critical infrastructure” {§312(c)}.

A key term used in §312 is ‘covered cybersecurity asset’ which is defined as “an information system or industrial control system [emphasis added] that is essential to the operation of covered critical infrastructure” {§312(a)(2)}.

The bill describes the type of assistance to be provided by the intelligence community. It includes {§312(e)(2)}:

• Activities to develop a national strategy to effectively leverage intelligence community resources made available to support the program;

• Activities to consult with the Director of National Intelligence and other appropriate intelligence and law enforcement agencies to identify within the existing framework governing intelligence prioritization, intelligence gaps and foreign intelligence collection requirements relevant to the security of covered cyber assets and covered critical infrastructure;

• Activities to improve the detection, prevention, and mitigation of espionage conducted by foreign actors against or concerning covered critical infrastructure;

• Activities to identify or provide assistance related to the research, design, and development of protective and mitigation measures for covered cyber assets and the components of covered cyber assets; and

• Activities to provide technical assistance and input for testing and exercises related to covered cyber assets.

Cybersecurity Threats to Seaports

Section 614 would require the Under Secretary of Homeland Security for Intelligence and Analysis to submit a report to Congress on cybersecurity threats to seaports and maritime shipping. The report would address “the cybersecurity threats to, and the cyber vulnerabilities within, the software, communications networks, computer networks, or other systems” {§614(a)}. While it does not specifically address control systems, the ‘other systems’ mention probably provides for coverage of that topic.

In addition to a report on any recent cyberattacks or cybersecurity threats, the bill would require an assessment of{§614(b)}:

• Any planned cyberattacks directed against such software, networks, and systems;

• Any significant vulnerabilities to such software, networks, and systems; and

• How such entities and concerns are mitigating such vulnerabilities.

While not specifically stated, the report will almost certainly be classified because of the requirement to be “consistent with the protection of sources and methods” {§614(a)}.

Moving Forward

This bill was supposed to have been a ‘must pass’ bill in the last session. The House passed three slightly different versions of an intel authorization bill and the Senate Select Committee on Intelligence marked up their own version of such a bill, but nothing made its way to the Senate floor. With most of the players remaining the same in the Senate, it will be interesting to see if the change in administration has any potential effect on the consideration of this bill.