Sunday, December 4, 2011

House Draft Cybersecurity Legislation Published

On Friday, the House Homeland Security Committee published a ‘discussion draft’ of legislation to be proposed by Rep. Lungren (R,CA) that would address cybersecurity issues. This is apparently the bill from the House side that we have been hearing so much about in the press discussion about cybersecurity legislation over the last week or two. Lungren’s Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies will hold a hearing on this draft on Tuesday.

This is once again an IT security bill that will limit the DHS authority over civilian cyber-assets to those employed in ‘critical infrastructure’. It will amend the Homeland Security Act of 2002 by adding a number of new sections that will provide DHS with ‘National Cybersecurity Authority’, making it responsible for “the protection of Federal systems and critical infrastructure information systems [emphasis added]” {§226(a)(4)(A)}. The phrase ‘critical infrastructure information systems’ is used so often throughout the bill that we should establish a new acronym, CIIS, to save substantial amounts of ink.

Identification of Cybersecurity Risks

There is one section of the bill where the CIIS phrase is curiously absent: §227, Identification of Sector Specific Cybersecurity Risks. This section requires the Secretary, in coordination with other government agencies responsible for regulating critical infrastructure, to “on a continuous and sector-by-sector basis, identify and evaluate cybersecurity risks to critical infrastructure” {§227(a)}.

One of the subjects for assessment that is listed in this section is the “extent and likelihood of death, injury, or serious adverse effects to human health and safety caused by a disruption, destruction, or unauthorized use of covered critical infrastructure” {§227(b)(2)}. This would certainly seem to include high-risk chemical facilities in the critical infrastructure to be addressed.

As I have mentioned in discussions of a number of other bits of cybersecurity legislation, the clear absence of the words ‘information systems’ modifying the term ‘critical infrastructure’ in just this particular section of the bill could be used as a justification for specifically including control systems in these required evaluations. Having said that, there is no clear, unambiguous mandate to do so. Given the inevitable underfunding and understaffing provided to DHS to support this action (no authorization for funding is provided in this bill), there is little likelihood that DHS will do much work in this area.

Catalogue of Standards

There is an interesting addendum to §227. Paragraph (d) would require the Secretary to establish “a catalogue of existing internationally recognized consensus-developed risk-based performance standards, including such standards developed by the National Institute of Standards and Technology” {§227(d)(1)}. This catalogue would be more than just a list of these standards; it would also include an evaluation of their cost effectiveness and how well they address the applicable cybersecurity hazards.

The use of, or compliance with, these standards by critical infrastructure entities would be encouraged by the use of market-based incentives, and where ‘appropriate’ they would be included “in the regulatory regimes applicable to covered critical infrastructure” {§227(d)(3)}. CFATS is potentially an example of such a ‘regulatory regime’, but because of Congressional limitations on the authority of the Secretary to impose requirements, the use of such standards could only be suggested, not required.

One interesting point about this requirement is that it introduces another new term: ‘covered critical infrastructure’. This is defined in the succeeding paragraph as any “facility or function, by way of a cyber vulnerability” {§227(f)} whose unauthorized access, disruption or destruction could result in “the loss of thousands of lives” {§227(f)(1)}. There are also additional results that could define the phrase (including “mass evacuations of a major population center for longer than 30 days” {§227(f)(3)}, a clear reference to a nuclear release), but this is the only one that would address a single chemical facility.

Specific Mention of Control Systems

Section 229 addresses cybersecurity research and development. It is in this section that we find the only specific mention of control systems. In the lengthy list of cybersecurity research topics that DHS S&T would be required to ‘support’ is the requirement to “assist in the development and support of technologies to reduce vulnerabilities in process control systems” {§229(b)(5)}.

Again, since there is no spending authorization to support these new S&T support requirements, there is little that S&T will practically be able to accomplish in this area.

National Information Sharing Organization

There is an interesting new construct in this bill that I have not seen anywhere else. It specifically does not apply to control systems (all CIIS references), but it is such an odd idea that I just have to talk about it. The bill would add a new Title E to the Homeland Security Act of 2002 that would establish a new National Information Sharing Organization (NISO).

NISO would be a ‘not-for-profit’ organization responsible for “sharing cyber threat information and exchanging technical assistance, advice, and support and developing and disseminating necessary information security technology” {§241(a)}. Actually, an existing ‘not-for-profit’ organization (possibly more than one) would be designated a NISO by a “Board of Directors” made up of five government representatives (at least one from DHS) and ten private sector representatives (including at least one ‘small business’ rep and two from the ‘privacy and civil liberties community’).

The private sector representatives (presumably other than those listed above) would come from a list of seven ‘critical infrastructure sectors and subsectors’. With 18 different ‘critical infrastructure sectors’ currently listed in the National Infrastructure Protection Plan, that leaves a bunch of folks out of the loop. Specifically, the NISO Board of Directors does not include anyone from the chemical, water, or transportation sectors.

There is lots of discussion about setting up NISOs and establishing rules and procedures, but the most interesting thing found in this new Title is that these not-for-profit organizations are the only new organizations (oops, they have to be existing organizations to be designated a NISO) that have funding authorization in this bill.

There are funding restrictions (no more than 15% of the annual administrative and operational expenses), but there is literally a blank check provided in this draft for the funding of the initial expenses for the establishment of NISO. On the last page of this bill there is a sub-paragraph (b) that says “There is authorized to be appropriated $ _______”. Okay, it will have a figure in there when it comes up for a real vote, but it currently provides a ‘blank check’.

Subcommittee Hearing

As I mentioned at the start of this post, there will be a Subcommittee hearing on this proposal on Tuesday. It will be an actual hearing with witnesses, not a markup hearing. The current list of witnesses includes:

Cheri McGuire, VP at Symantec

Dr. Greg Shannon, Carnegie Mellon CERT

Gregory Nojeim, Center for Democracy & Technology

Kevin Kosar, Congressional Research Service.

BTW: I would suppose that the Carnegie Mellon CERT would be a potential candidate for being designated a NISO?

As one would expect from the way this bill was written, there is no one with a control system background testifying on Tuesday. I do find it odd that no one from DHS is currently scheduled to appear at this hearing.

I would not be surprised to be writing next weekend that a markup hearing on the introduced version of this bill was scheduled for the week of December 12th if Congress is in session that week. It finally does look like Congress is getting ready to start moving forward (lots of political inertia to be overcome here) on cybersecurity legislation.
