Saturday, March 19, 2011

HR 1136 Introduced – Cyber Security

On Thursday Rep. Langevin (D, RI) introduced HR 1136, the Executive Cyberspace Coordination Act of 2011. This bill, like most cybersecurity legislation introduced to date, deals principally with the security of Federal electronic information systems. It does, however, provide authority for the regulation of private sector information systems that support industrial control systems in critical infrastructure.

Federal Information System Security

This bill would provide a “comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets” {§3551(1)}. It would establish the Office for Cyberspace within the Executive Office of the President headed by a Director that would be appointed by the President with the consent of the Senate. The Director would serve as a member of the National Security Council. The bill would also require the President to appoint a Federal Chief Technology Officer (Federal CTO) in a separate Office of the Federal Chief Technology Officer within the Executive Office.

Within the Office for Cyberspace the legislation would also create the Federal Cybersecurity Practice Board. The Board would be chaired by the Director and would include representatives of various Federal agencies including OMB, DOD and the Federal law enforcement community. This Board would “be responsible for developing and periodically updating information security policies and procedures” {§3554(c)(1)} for protecting the Federal government’s information technology systems.

The Director is also given the responsibility to “review and offer a non-binding approval or disapproval of each agency’s annual budget to each such agency before the submission of such budget by the head of the agency to the Office of Management and Budget” {§3555(c)(2)}. Lacking actual budget control authority the Director would act more as an advisor than a controller of the security of Federal information technology systems.

This lack of real control authority is reflected in the specific requirement for each agency to “develop, document, and implement an agencywide [sic] information security program” {§3556(b)}. Additionally, the Secretary of Commerce (in consultation with the DHS Secretary) is given broad authority to “promulgate information security standards pertaining to Federal information systems” {§3557(a)(1)(A)}.

Critical Infrastructure

The last 2½ pages of this bill address cybersecurity for critical infrastructure. The entire Title III of this bill relies upon one of the most sweeping definitions of ‘critical information infrastructure’ that I have ever seen. Section 301(1) of the bill states:

“The term ‘critical information infrastructure’ means the electronic information and communications systems, software, and assets that control, protect, process, transmit, receive, program, or store information in any form, including data, voice, and video, relied upon by critical infrastructure, industrial control systems such as supervisory control and data acquisition systems, and programmable logic controllers. This shall also include such systems of the Federal Government.”

I hate to be an English Nerd, but the comma after the words ‘critical infrastructure’ means that any industrial control system or programmable logic controller residing on, or being supported by, an electronic network of any sort makes that network a piece of ‘critical information infrastructure’. Taken to its logical extreme, this definition would include the electronics system in every modern automobile.

Having established a very expansive scope of the potentially regulated community this Title then provides the Secretary of Homeland Security the primary authority “in creation, verification, and enforcement of measures with respect to the protection of critical information infrastructure, including promulgating risk-informed information security practices and standards applicable to critical information infrastructures that are not owned by or under the direct control of the Federal Government” {§302(a)}.

This broad authority is tempered only by the requirement to coordinate with ‘sector specific regulatory agencies’ “in establishing [those] enforcement mechanisms” {§302(b)(2)}. Of course, DHS is that regulatory agency for a number of sectors including the chemical sector.

The only saving grace is that the scope and authority are so wide and all-encompassing as to be practically meaningless. Any attempt to establish cybersecurity regulations under this authority would be tied up in court so fast that thousands of lawyers would get rich on the billable hours from these cases alone. Besides, there are no provisions in this legislation for establishing an agency within DHS to exercise this authority, or for giving an existing agency that authority. So, practically speaking, there is no one to write the regulations for industry to object to.

I expect that if this bill goes anywhere, there will be substantial revisions to Title III.
