HR 4310 Reported in House

As I mentioned in an earlier blog, the House will be considering HR 4310, the National Defense Authorization Act FY 2013. Since I wrote that post the House Armed Services Committee report has been published by the GPO. As we have come to expect there were some mentions of cybersecurity issues in the report. Interestingly the amended version of the bill included in that report contains two new sections referencing cybersecurity issues; none directly referencing control systems, but cybersecurity none-the-less. According to the House Rules Committee web site, this is the version of the bill that will be considered on the floor.

Cybersecurity Mentions

The three mentions of cybersecurity in the report include:

• Cyber Research of Embedded Systems, pg 86;

• Detection of Non-Signature Based Cyber Threats, pg 89;

• The Role of National Guard Cyber Defense Units, pg 201;

There are two sections added addressing cybersecurity issues in the actual bill are found in a new Subtitle E, Cyberspace-related Matters. They are:

• Section 941—Military Activities in Cyberspace; and

• Section 942—Quarterly Cyber Operations Briefings.

Cybersecurity Research

The two research priorities established in this report have definite possibilities for application in the control system security realm. While the report notes that “that the decreasing size and increasing computational power of many microelectronics has helped embed computers into practically every weapons system within the Department” it is becoming increasingly common for the same to be said about any number of industrial devices; and we are just now beginning to see concerns about the security of these computers in the public sector. Military research on securing this category of devices can certainly bear on security of devices in the civilian manufacturing sector.

The Committee notes that they are “concerned that the Department of Defense is not providing sufficient resources to acquire capabilities to detect and protect against cyber threats for which a signature has not yet been developed”. Anyone that follows cybersecurity issues will recognize that the same issue and concern applies to civilian computer systems, including control systems. The most successful attacks use 0-day vulnerabilities and properly executed can exist in the wild for some time before they are discovered. Any techniques that can successfully detect attacks using 0-day vulnerabilities will be valuable across the cybersecurity spectrum.

Cyber Warfare

While not directly related to control system security the addition of §941 to this bill may have certain long term consequences for the control system security community. This section revises the statement of authority for DOD to conduct operations in cyberspace that was included in last year’s DOD Authorization bill (P.L. 112–81). That law affirmed the authority to “conduct offensive operations in cyberspace” {§954}. This revision will expand that to specifically include “the authority to carry out a clandestine operation in cyberspace” {Revised §954(b)} in support of congressionally authorized ‘use of military force’ or to defend against a cyber-attack on an asset of the DOD.

The wording of this amended statement of authority would seem to indicate that Congress would not authorize a Stuxnet-like attack on a country like Iran against which Congress has not authorized the use of force. One would like to think that any nation-state cyber-adversaries would reciprocate (Riiight).

Interestingly this makes no provision for responding to cyber-attacks on any US entity that is not an asset of the DOD. Congress could certainly change this by specifically authorizing the use of force, but lacking that there is no authorization for DOD to act. This is keeping with our philosophy of close civilian control of military activities, but it certainly doesn’t cause many of our potential adversaries to be concerned about retaliation for cyber-attacks.

Moving Forward

Tomorrow afternoon the House Rules Committee will hold the first of two hearings on this bill. The first will be held to establish the debate parameters for consideration and the second will be consideration of which amendments will be included in the floor debate (indicating that this won’t be an open rule). According the HR 4310 page on the Committee web site at least 47 amendments have already been offered (none concerning cybersecurity activities) but the submission closing time won’t come until tomorrow afternoon; lots of time for more amendments.