Tuesday, May 24, 2011

HR 1540 and Cybersecurity

In an earlier blog on the introduction of HR 1540, the National Defense Authorization Act for Fiscal Year 2012 I mentioned that I saw no cyber security provisions but thought that that would change as this moved through the committee process. I was not completely wrong; I have found one fairly obscure reference to cyber security in the Committee Report on HR 1540.

In one of the reporting requirements that show up in committee reports but not the actual legislation, the House Armed Services Committee “directs the Secretary of Defense to conduct a study on the threat to the readiness of military installations from possible cyber attacks on civilian critical infrastructure” (pg 199). The requirement includes the inevitable ‘Report to Congress’ on the results and potential mitigation efforts.

The prior discussion makes it fairly clear that the Committee was concerned about potential attacks on local utilities supporting military bases. Interestingly the discussion makes no specific reference to Stateside facilities, so presumably it would also require DOD to look at potential affects on bases in foreign countries.

I am more than a little disappointed that the Committee has taken such a narrow view of the definition of ‘critical infrastructure’ in mandating this study. It fails to note that many military bases are served by fuel pipelines that could be subject to cyber attacks. Additionally, I would bet that there are military facilities that are located in areas that could be affected by attacks on high-risk chemical facilities and chemical facilities located in port areas covered by MTSA.

Interestingly, the chemical facilities that have the lightest federal security mandate, water treatment facilities, could be covered under this mandated report as long as they provide water service to a DOD facility. It would be interesting to see if there would be any mention of potential cyber attacks that could result in the release of chlorine gas from these facilities as a possible source of danger to military facilities.

Unfortunately we will never see this report. These reports to Congress usually get buried in any case, but this one will certainly be classified, so public release will be even less likely. It would have been nice to see a requirement for an unclassified summary to be included with this report, but Congress has never been keen on sharing their information with the public.

No comments:

/* Use this with templates/template-twocol.html */