Thursday, November 18, 2010

HR 6423 Introduced

As I mentioned in a posting last night, Chairman Thompson introduced HR 6423, the Homeland Security Cyber and Physical Infrastructure Protection Act of 2010. This bill is significantly different than any of the other cyber security bills introduced during this session. It establishes the Office of Cybersecurity and Communications (OCSC) at DHS and makes it responsible for establishing and enforcing cybersecurity “requirements for civilian nonmilitary and nonintelligence community Federal systems to prevent, deter, prepare for, detect, report, attribute, mitigate, respond to, and recover from cyber attacks and other cyber incidents” {§222(a)}.

Regulation of Civilian Networks

That authority, in and of itself, is significant, but of little interest to those of us in the private sector. To keep us involved, the bill would also give the Secretary the authority to “establish and enforce risk-based cybersecurity requirements for private sector computer networks within covered critical infrastructures” {§224(b)}. As Mickey McCarter noted in an article on HSToday.US, this risk-based regulatory scheme sounds an awful lot like the mandate given to DHS for regulating high-risk chemical companies.

The similarity does not end there. This bill would give the Director of the newly created Cybersecurity Compliance Division (within the OCSC) the authority to determine “which systems or assets of critical infrastructure shall be subject to the requirements of this section and designate them as covered critical infrastructures for purposes of this section” {§224(e)(1)(A)}. There are all sorts of ‘consultation’ requirements with a wide variety of people, but it is clear that the Director is making the determination much the same way that the ISCD Director determines which chemical facilities are at High-Risk of Terrorist Attack.

There are some restrictions on this authority. First, the ‘system or asset’ must meet the existing requirements for inclusion on the “prioritized critical infrastructure list established by the Secretary” {§223(e)(2)(A)}. Next, the ‘system or asset’ must meet one of the following two criteria.

● It “is a component of the national information infrastructure or the national information infrastructure is essential to the reliable operation of the system or asset” {§224(e)(2)(B)}.

● The “destruction or the disruption of the reliable operation of the system or asset would cause a national or regional catastrophe” {§224(e)(2)(C)}.

The latter criterion is the one that will allow for the regulation of control systems at designated facilities. There are some additional criteria to define the types of catastrophes to be considered. They specifically include mass casualty or mass evacuation events. This could certainly point at selected chemical facilities. This is one of the unique characteristics of this bill and makes it significant to the chemical security community (and many other communities as well).

There is an interesting twist to this designation authority. Before the final designation can be made “the Director shall provide the owner or operator of the system or asset an opportunity to appeal the determination” {§224(e)(4)}. The details of that appeals process would apparently be established by regulation.

Regulation thru Other Agencies

Another interesting part of this regulation is that Thompson, Harman, and Clarke knew that many of these potentially covered facilities are already formally regulated or informally guided in security matters by existing agencies, inside and outside of DHS. When there is a formal regulatory scheme (like CFATS, MTSA, etc.), the regulating agency is called a ‘first-party regulatory agency’. Critical infrastructure entities that are not covered by regulations are guided in security matters by sector-specific agencies.

With the exception of the information technology sector (OCSC becomes the sector-specific agency for that sector) and the communications sector (the National Communications System, an office within the OCSC, is the sector-specific agency for that sector), the “enforcement of cybersecurity regulations should be accomplished through appropriate first-party regulatory agencies or sector-specific agencies” {§224(a)(5)}.

In a rather devious way this makes a certain amount of sense. Take for example CFATS covered facilities. Their security is already regulated by ISCD. ISCD has some risk-based guidance on cyber security measures, but it is really vague, and ISCD probably doesn’t have the internal expertise to really determine what security measures would be appropriate for control systems (a point I have made before in more detail). If, however, OCSC provided the regulatory scheme and guidance (and training) for control system security issues, then ISCD could be expected to enforce those regulations as part of its regulatory scheme.

I do see a potential problem with this. Let’s look at a chemical facility that is designated as a covered critical infrastructure facility, but is not covered under CFATS. The designation would be because they are a sole source supplier for some other critical infrastructure or government agency. The Chemical Sector Specific Agency within the Office of Infrastructure Protection is a relatively small office without any existing enforcement staff. I’m sure that there are many other potentially covered critical infrastructure entities that would be similarly under-served.

Other Details of the Plan

If this plan had a serious chance of being considered in the limited time remaining in the 111th Congress, I would go into additional details involved in this bill for things like cybersecurity plans, certifications and training requirements. There are a lot of interesting things that deserve serious consideration. It would have been nice if this had been developed a year ago; it might have gone somewhere. I hope that Ranking Member Thompson re-submits this bill in January. It certainly should go through the hearing and markup process to further refine its provisions.
