As I mentioned in yesterday’s blog post, this replacement Cybersecurity Act of 2012 is a substantial rewrite of S 2105. Before I dive into this first of a multi-post review of the provisions of the new bill, I think that we should first look at the major revisions that are included in the bill.
Overview of Revisions
First off, Title I of the bill was completely rewritten. The old Title I was ‘Protecting Critical Infrastructure’ and the new Title I is ‘Public-Private Partnership to Protect Critical Infrastructure’. The change in name reflects a wholesale revision in both the processes and focus of this legislation. I will be spending quite some time reviewing the provisions of this title.
Two full sections of the remainder of the original bill were removed:
Sec. 408. Cybersecurity incentives.
Sec. 801. Findings.
And three sections were added to other titles in the new bill:
Sec. 303. Research centers for cybersecurity.
Sec. 304. Centers of excellence.
Sec. 415. Marketplace information.
A number of new definitions were included in §2 of the bill, including:
• Category of Critical Cyber Infrastructure
• Critical Cyber Infrastructure
• Significant Cyber Incident
Industrial Control System Coverage
Probably the single most important change in this bill (at least from the viewpoint of readers of this blog) comes in the definition of ‘information infrastructure’:
The term ‘‘information infrastructure’’ means the underlying framework that information systems and assets rely on to process, transmit, receive, or store information electronically, including programmable electronic devices, communications networks, and industrial or supervisory control systems [emphasis added] and any associated hardware, software, or data.
That makes this the first piece of cybersecurity legislation that I have seen that clearly and specifically includes industrial control systems in its coverage. I’m not sure that I think including control systems in ‘information infrastructure’ was really appropriate from a technology point of view, but it sure made the rest of the bill easier to write.
The National Cybersecurity Council
The very constrained power given to the Federal government to oversee cybersecurity in the private sector is vested in a new organization, the National Cybersecurity Council (NCC). The term ‘new organization’ is slightly misleading in that there will be no new office complex in Washington housing a bunch of new bureaucrats; it is an organization whose members are already in government service performing already existing jobs and who will be representing the agencies for which they work.
The President will appoint members to this Council from {§101(d)}:
• Department of Commerce;
• Department of Defense;
• Department of Justice;
• The intelligence community;
• Sector-specific Federal agencies, as appropriate;
• Federal agencies with responsibility for regulating the security of critical cyber infrastructure, as appropriate; and
• Department of Homeland Security.
In this case the last agency listed is not the least; the Secretary of Homeland Security is designated {§101(f)} as the Chairperson (and that term is actually used; a serious throw-back to the days of politically-correct gender-neutral titles) of the Council. The Chairperson has carefully enumerated authority to act without the specific consent or direction of the Council {§101(c)(3)}.
The Council will be responsible for {§101(b)}:
• Conducting sector-by-sector risk assessments;
• Identifying categories of critical cyber-infrastructure;
• Coordinating the adoption of private-sector recommended voluntary outcome-based cybersecurity practices;
• Establishing an incentives-based voluntary cybersecurity program for critical infrastructure to encourage owners to adopt voluntary outcome-based cybersecurity practices;
• Developing procedures to inform owners and operators of cyber threats, vulnerabilities, and consequences; and
• Providing any technical guidance or assistance to owners and operators consistent with this title.
Cybersecurity Practices
To ensure that the Council does not step on the regulatory toes of any agency in the Federal government, each sector-specific Federal agency and each Federal regulatory agency will have a representative participating with the Council when it deliberates on matters relating to that agency. That is to ensure that any ‘cybersecurity practice’ (more about those in a later post) adopted by the Council {§101(g)}:
• Does not contradict any regulation or compulsory standard in effect before the adoption of the cybersecurity practice; and
• To the extent possible, complements or otherwise improves the regulation or compulsory standard described above.
The wording about ‘in effect before the adoption’ would tend to imply that subsequent regulations or compulsory standards would be expected to comply with the adopted cybersecurity practice. It would certainly be nice if there were no conflict between these security practices and subsequent regulations, but there is nothing in this bill that would give the Council any authority or obligation to review new regulations that might impact cybersecurity.
Coordination with the Private Sector
Since the Council is not given any regulatory power, it has to be very careful to cultivate a cooperative relationship with the private sector entities ‘covered’ by this bill. There are frequent uses of the terms ‘in consultation with’, ‘in cooperation with’ and ‘cooperate with’. In fact, the bill specifically requires the Council to coordinate its activities with {§101(e)}:
• Appropriate representatives of the private sector; and
• Owners and operators.
One of the ‘appropriate representatives’ frequently mentioned throughout Title I of this bill is the existing Critical Infrastructure Partnership Advisory Council. Additionally, sector advisory councils and various industry organizations will certainly play an important part in implementing the coordination requirements of this bill.
This section is one that is going to be a likely target of privacy advocates. I expect that we will see attempts to add language to this coordination requirement to add privacy advocates to those with which the Council will be required to coordinate.