Wednesday, January 12, 2011

HR 174 Introduced – Cyber Security

On January 5, 2011, the first day of the 112th Session of Congress, Rep. Thompson (D, MS) introduced HR 174, the Homeland Security Cyber and Physical Infrastructure Protection Act of 2011. A copy of the bill is finally available on the GPO web site for public review.

This bill is virtually identical (the only changes other than ‘2011’ for ‘2010’ are the correction of two very minor typographical errors) to HR 6423 from the 111th Congress. The only other difference is that HR 174 has no cosponsors while HR 6423 was cosponsored by Jane Harman (D-CA) and Yvette D. Clarke (D-NY). The earlier bill was introduced during the Lame Duck Session and there was no action taken beyond referring the bill to the Homeland Security Committee and the Committee on Oversight and Government Reform.

As I noted in my blog post on that earlier bill, HR 174 would primarily provide for regulation of government IT networks through an Office of Cybersecurity and Communications (OCSC) at DHS. There is significant language in the bill (§224), however, that would allow for the establishment of CFATS-like rules to regulate cyber security activities at critical infrastructure facilities, including the security of industrial control systems. The wording of this authority is broadly written and would allow wide latitude for regulation writers.

Private Sector Regulation

The interesting part of this is that private networks and systems would be regulated by the general regulating agency for that industry (the first-party regulatory agency) or the current sector-specific agency that is responsible for that industry under Homeland Security Presidential Directive 7. For chemical facilities that would be NPPD at DHS; for electrical facilities, that would be the appropriate agency at DOE; and for water facilities it would be the appropriate agency at EPA. The actual regulations would be written by the Director of the OCSC, but would effectively be administered by the “first party regulatory agency or sector-specific agency” {§224(a)(5)}.

Information Protection

Section 4 of HR 174 would extend the sensitive security information (SSI) protections to the information required to be collected, reported and shared under this new cyber security program. This will set up some interesting security information conflicts if/when a CFATS-covered facility comes under these cyber security rules. Identical information could be covered under the SSI rules and the Chemical-Terrorism Vulnerability Information (CVI) provisions of the CFATS regulations. Both are unclassified-but-sensitive information programs, but with significantly different rules, particularly with regard to disclosure in court cases. This conflict needs to be resolved, giving one program or the other primacy.

Cybersecurity R&D

Section 5 of the bill would provide for an extensive cybersecurity R&D effort. It outlines a wide variety of areas that those efforts would address, including attack detection, mitigation and forensics capabilities. Section 5(b)(5) specifically addresses industrial control system (ICS) issues, requiring efforts to “assist the development and support of technologies to reduce vulnerabilities in process control systems”.

Committee Referral

This bill was referred to the Committees on Homeland Security and on Oversight and Government Reform. This early in a new Congress it is hard to forecast how well bills like this will fare in committee. I suspect that it will get a hearing in the Homeland Security Committee and don’t see anything that would draw any particular objections there (though there are a bunch of new players involved, so something might strike a chord on someone’s pet peeve).

I have no idea how this will be received in the Oversight and Government Reform Committee; it’s not a committee that I have paid much attention to. Their focus would be on the government IT security requirements in §223, not the regulation of industrial systems. Of course, if they bury the bill, it is unlikely to advance to floor consideration.

This is a cyber security bill that we will watch closely.
