Saturday, July 21, 2012

Analysis of S 3414 – National Cybersecurity Council

As I mentioned in yesterday’s blog post, this replacement Cybersecurity Act of 2012 is a substantial re-write of S 2105. Before I dive into this first of a multi-post review of the provisions of the new bill, I think that we should first look at the major revisions that are included in the bill.

Overview of Revisions

First off, Title I of the bill was completely re-written. The old Title I was ‘Protecting Critical Infrastructure’ and the new Title I is ‘Public-Private Partnership to Protect Critical Infrastructure’. The change in name reflects a wholesale revision in both the processes and focus of this legislation. I will be spending quite some time reviewing the provisions of this title.

Two full sections of the remainder of the original bill were removed:

Sec. 408. Cybersecurity incentives.

Sec. 801. Findings.

And three sections were added to other titles in the new bill:

Sec. 303. Research centers for cybersecurity.

Sec. 304. Centers of excellence.

Sec. 415. Marketplace information.

A number of new definitions were included in §2 of the bill, including:

• Category of Critical Cyber Infrastructure

• Critical Cyber Infrastructure

• Significant Cyber Incident

Industrial Control System Coverage

Probably the single most important change in this bill (at least from the view point of readers of this blog) comes in the definition of ‘information infrastructure’:

The term ‘‘information infrastructure’’ means the underlying framework that information systems and assets rely on to process, transmit, receive, or store information electronically, including programmable electronic devices, communications networks, and industrial or supervisory control systems [emphasis added] and any associated hardware, software, or data.

That makes this the first piece of cybersecurity legislation that I have seen that clearly and specifically includes industrial control systems in its coverage. I’m not sure that I think including control systems in ‘information infrastructure’ was really appropriate from a technology point of view, but it sure made the rest of the bill easier to write.

The National Cybersecurity Council

The very constrained power given to the Federal government to oversee cybersecurity in the private sector is vested in a new organization, the National Cybersecurity Council (NCC). The term ‘new organization’ is slightly misleading in that there will be no new office complex in Washington housing a bunch of new bureaucrats; it is an organization whose members are already in government service performing already existing jobs and who will be representing the agencies for which they work.

The President will appoint members to this Council from {§101(d)}:

• Department of Commerce;

• Department of Defense;

• Department of Justice;

• The intelligence community;

• Sector-specific Federal agencies, as appropriate;

• Federal agencies with responsibility for regulating the security of critical cyber infrastructure, as appropriate; and

• Department of Homeland Security.

In this case the last agency listed is not the least; the Secretary of Homeland Security is designated {§101(f)} as the Chairperson (and that term is actually used; a serious throw-back to the days of politically-correct gender-neutral titles) of the Council. The Chairperson has carefully enumerated authority to act without the specific consent or direction of the Council {§101(c)(3)}.

The Council will be responsible for {§101(b)}:

• Conducting sector-by-sector risk assessments;

• Identifying categories of critical cyber-infrastructure;

• Coordinating the adoption of private-sector recommended voluntary outcome-based cybersecurity practices;

• Establishing an incentives-based voluntary cybersecurity program for critical infrastructure to encourage owners to adopt voluntary outcome-based cybersecurity practices;

• Developing procedures to inform owners and operators of cyber threats, vulnerabilities, and consequences; and

• Providing any technical guidance or assistance to owners and operators consistent with this title.

Cybersecurity Practices

To ensure that the Council does not step on the regulatory toes of any agency in the Federal government, each sector-specific Federal agency and each Federal regulatory agency will have a representative participating with the Council when they deliberate on matters relating to that agency. That is to ensure that any ‘cybersecurity practice’ (more about those in a later post) adopted by the Council {§101(g)}:

• Does not contradict any regulation or compulsory standard in effect before the adoption of the cybersecurity practice; and

• To the extent possible, complements or otherwise improves the regulation or compulsory standard described above.

The wording about ‘in effect before the adoption’ would tend to imply that subsequent regulations or compulsory standards would be expected to comply with the adopted cybersecurity practice. It would certainly be nice if there were no conflict between these security practices and subsequent regulations, but there is nothing in this bill that would give the Council any authority or obligation to review new regulations that might impact cybersecurity.

Coordination with the Private Sector

Since the Council is not given any regulatory power, they have to be very careful to cultivate a cooperative relationship with the private sector entities ‘covered’ by this bill. There are frequent uses of the terms ‘in consultation with’, ‘in cooperation with’ and ‘cooperate with’. In fact, the bill specifically requires the Council to coordinate its activities with {§101(e)}:

• Appropriate representatives of the private sector; and

• Owners and operators.

One of the ‘appropriate representatives’ frequently mentioned throughout Title I of this bill is the existing Critical Infrastructure Partnership Advisory Council. Additionally, sector advisory councils and various industry organizations will certainly play an important part in implementing the coordination requirements of this bill.

This section is one that is going to be a likely target of privacy advocates. I expect that we will see attempts to add language to this coordination requirement adding privacy advocates to those with which the Council will be required to coordinate.
