Earlier this week Sen. McCain (R, AZ) introduced S 1519, the National Defense Authorization Act for Fiscal Year 2018. The bill has already been marked up in the Senate Armed Services Committee. The House version of this bill is currently being considered on the floor of the House. The bill includes a number of cyber provisions.
Those provisions include:
§510. Service credit for cyberspace experience or advanced education upon original appointment as a commissioned officer.
§1042. Department of Defense integration of information operations and cyber-enabled information operations.
§1621. Policy of the United States on cyberspace, cybersecurity, and cyber warfare.
§1622. Cyber posture review.
§1623. Modification and clarification of requirements and authorities relating to establishment of unified combatant command for cyber operations.
§1624. Annual assessment of cyber resiliency of nuclear command and control system.
§1625. Strategic Cybersecurity Program.
§1626. Evaluation of agile acquisition of cyber tools and applications.
§1627. Report on cost implications of terminating dual-hat arrangement for Commander of United States Cyber Command.
§1628. Modification of Information Assurance Scholarship Program.
§1629. Measuring compliance of components of Department of Defense with cybersecurity requirements for securing industrial control systems.
§1630. Exercise on assessing cybersecurity support to election systems of States.
§1630A. Report on various approaches to cyber deterrence.
§1630B. Prohibition on use of software platforms developed by Kaspersky Lab.
Only one of these provisions (§1629) specifically addresses industrial control system operations.
ICS Compliance
Section 1629 requires DOD to modify its Cyber Scorecard (part of the DOD Cybersecurity Discipline Implementation Plan) to specifically address securing “the industrial control systems of the Department against cyber threats, including supervisory control and data acquisition systems (SCADA), distributed control systems (DCS), programmable logic controllers (PLC), and platform information technology (PIT)” {§1629(a)}.
Kaspersky Lab
Section 1630B is the much-publicized prohibition of DOD use or continued use of products from Kaspersky Lab. There is nothing in the language of §1630B (or in the Committee Report on the bill) that explains the reason for the prohibition.
Moving Forward
This bill is one of the ‘required’ bills that will be passed each year. The bill will be taken up by the Senate, probably before the summer recess starts in August. The process will include a substantial number of amendments to be considered. Once the bill passes in the Senate, a conference committee will take up the differences between the House version (HR 2810) and this bill.
Commentary
If the §1629 provisions make it into the final bill, DOD will have to substantially rewrite its Cybersecurity Discipline Implementation Plan. The current document is IT-centric, with no mention of control systems or their unique security issues.
The Kaspersky provision is pure political theater; anti-Russian posturing at its worst. Interestingly, the ‘immediately’ provisions of the section do not become effective until October 1st, 2018 {§1630B(c)}, theoretically one year after this bill becomes effective. I suspect that this unusual provision was added to allow calmer heads to remove this requirement after the political capital is harvested.