Saturday, April 16, 2011

S 813 Introduced – Cyber Security Studies

This week Sen. Whitehouse (D, RI) introduced S 813, the Cyber Security Public Awareness Act of 2011. The bill would require the publication of a number of executive branch reports on cyber security issues.

Now I am not a big fan of government reports on a problem as extensively reported as is cyber security, but I do have to sympathize with Sen. Whitehouse’s concern as expressed in the findings section of the bill. After summarizing what is publicly known about the attacks on the US information infrastructure, public and private, the bill notes that:

“As of 2011, the level of public awareness of cyber security threats is unacceptably low. Only a tiny portion of relevant cyber security information is released to the public. Information about attacks on Federal Government systems is usually classified. Information about attacks on private systems is ordinarily kept confidential. Sufficient mechanisms do not exist to provide meaningful threat reports to the public in unclassified and anonymized form.” {§2(a)(8)}
To correct this information deficiency, Senators Whitehouse and Kyl (R, AZ; the cosponsor of the bill) go on to require a number of Federal agencies to prepare unclassified reports (an initial report with annual updates) to Congress on various aspects of the problem. Each report could include a classified annex to protect sources, methods, proprietary or sensitive business information, and national security.

Cyber Attacks on Federal Agencies

For successful cyber attacks on the Federal government (§3) the required reports would be prepared by the Secretaries of DOD (breaches against networks of the Department of Defense and the military departments) and DHS (breaches of networks of other executive agencies). The reports would include:

• The aggregate statistics on the number of breaches of networks of executive agencies;

• The volume of data exfiltrated;

• The estimated cost of remedying the breaches; and

• A discussion of the risk of cyber sabotage.

Interestingly, there are no requirements for similar reports on cyber attacks on the Federal Judiciary, Congress, State and local governments. I guess that those agencies have been blessed with adequate cyber security measures. Either that or Sen. Whitehouse doesn’t think that there is anything in their systems worth protecting.

Cyber Attacks in the Public Sector

Section 5 of the bill would require the Secretary of Homeland Security to prepare a report to Congress that “describes policies and procedures for Federal agencies to assist a private sector entity in the defending of the information networks of the private sector entity against cyber threats that could result in loss of life [emphasis added] or significant harm to the national economy or national security” {§5(a)}. I suppose that Sen. Whitehouse, in including the ‘loss of life’ consequence, must be referring to potential attacks on control systems. It would be helpful if ‘or industrial control systems’ were added to this sentence.

A new and, in my opinion, important consideration in the consequences of cyber attacks is addressed in a report required in §6. This section requires the Securities and Exchange Commission to provide a report on “the extent of financial risk to issuers of securities caused by cyber intrusions or other cybercrimes, and any resulting legal liability” {§6(1)} and “whether current financial statements of issuers transparently reflect” {§6(2)} that risk.

Section 7 provides guidance on the reports required to reflect the cyber attacks that have been conducted against selected critical industries. Those listed industries are:

• Energy industry;
• Financial services industry;
• Air, rail and ground transportation industry;
• Communications industry;
• Food supply industry;
• Water supply industry; and
• Any other element of the economy determined to be critical by the Secretary of Homeland Security.

The bill then requires the “primary regulators responsible for the physical and economic security” to report on the cyber security of those critical industries. The ‘primary regulator’ is different for each industry listed and, for the most part, they are the agencies one would expect. The one oddball, however, is the ‘any other element’ category; the listed agency is the Federal Trade Commission. With the chemical industry fairly obviously falling under this listing, I cannot find any way that someone would expect the FTC to be responsible for its ‘physical and economic’ security.

The other interesting element of §7 is that the term ‘information networks’ is not found in this section; neither are the terms ‘industrial control system’ or ‘SCADA’. The lack of specificity could allow the EPA, for instance, to look at cyber attacks on the control systems for water treatment facilities in their reporting. I would find it a major stretch of imagination, however, for the FTC to consider control system security in their look at the cyber security status of the chemical industry; they’re just too focused on the boardroom.

Preventing Attacks in the Private Sector

Section 8 requires DHS to enter into a contract with the National Research Council, or a similar Federally funded research group, to prepare a report to Congress “on available technical options, consistent with Constitutional and statutory privacy rights, for enhancing the security of the information networks of entities that own or manage critical infrastructure” {§8(b)(1)}. Again, the focus is specifically on ‘information networks’ and the security of control systems is completely ignored.

Cyber Supply Chain Security Issues

Section 11 requires DHS to report on the issue of how cyber security is affected by foreign suppliers “of information technology (including equipment, software, and services)” {§11(b)(1)}. The areas of concern are the ‘public and private telecommunications networks of the United States’, which §11(a)(2) says includes:

• Telephone systems;
• Internet systems;
• Fiber optic lines, including cable landings;
• Computer networks; and
• Smart grid technology under development by the Department of Energy.

The concern is not so much about equipment coming from some place like Germany. It is focused on suppliers that are linked directly or indirectly to a government that might be inimical to the United States. The section specifically mentions suppliers that have “ties to the military forces of a foreign government” (can anyone say ‘China’?). The concern is that such suppliers might make networks containing their equipment vulnerable to politically directed cyber crime or espionage.

I almost said that this section once again ignores control systems, but that would be less than true. Since ‘smart grid technology’ is specifically addressed, at least that narrow representation of control systems is included, though I suspect that Sen. Whitehouse is more concerned about the information system aspects of the smart grid.

Protecting the Electrical Grid

The last section, §12, deals with an analysis of the threat of a cyber attack on the electrical grid. There are a couple of anomalies in this section. First is that the responsibility for this report rests with the Secretary of Homeland Security and the Director of National Intelligence; no one from an agency with oversight responsibility for the energy sector is mentioned in this section.

The two responsible parties may be well versed in two of the four areas (threat analysis and determining the ‘national security implications’ of such an attack) required to be included in the report. One would have to question their level of expertise, though, in the final two areas to be addressed:

• The “options available to the United States and private sector entities to quickly reconstitute electrical service” {§12(3)}; and

• A “plan to prevent disruption of the electric grid of the United States caused by a cyber attack” {§12(4)}.

So Many Reports

Even accepting for the moment that control systems are ignored in the series of reports that would be required by this legislation, I have to commend Sen. Whitehouse for describing one of the most complete looks at cyber security issues from a national perspective that I have ever seen. The one thing that is lacking is the production of a compiled report that brings everything together for the public; and Sen. Whitehouse was supposedly specifically trying to engage the public.

The way that this bill is constructed is that there would be a large number (I did not bother to try to count them) of reports submitted to ‘Congress’. The first problem is that ‘Congress’ is a relatively nebulous term. One would assume that the reports from DHS would go to the two Homeland Security Committees, the reports from EPA would go to the two environmental committees, and so on. There would be no single body responsible for looking at the totality of the problem.

The second problem is that the reports would be dropping into public awareness at random intervals. While all of the reports have ‘required’ submission dates of 180 days after passage, anyone familiar with the operations of the Federal government knows that this means the first such report would probably arrive no earlier than that date and most of the remaining would come trickling in over a number of years. I mean, we no longer even expect Congress to produce spending bills in a timely manner.
