Earlier this month, before the Senate adjourned for the electioneering
break, Sen. Klobuchar (D-MN) introduced S 3560, the Cloud Computing Act of 2012.
The bill would specifically add attacks against cloud computing services to the
federal computer offenses listed in 18 USC §1030.
Cloud ICS Not Covered
The current wording of the bill would not specifically
address attacks against control systems operating in the cloud. The key to this
lack of coverage lies in two definitions that §2(b)(3) adds to §1030(e): ‘cloud
computing service’ and ‘cloud computing account’. The ‘service’ term is defined as “a
service that enables convenient, on-demand network access to a shared pool of
configurable computing resources (including networks, servers, storage,
applications, and services) that can be rapidly provisioned and released with
minimal management effort or interaction by the provider of the service”. This
definition could probably apply to ICS computing services in the cloud.
The limiting term deals with the cloud computing account.
The term ‘cloud computing account’ means “information stored on a cloud
computing service that requires a password or similar information to access and
is attributable to an individual”. While it could be argued that ‘information
stored’ could include information that forms the instructions in a cloud-based
control system, the requirement that the information be ‘attributable to an
individual’ clearly excludes cloud-based ICS.
This lack of ICS coverage is further emphasized in the
additional language added to §1030 as sub-paragraph (k), which states that if
one of the computer offenses currently listed in the section is conducted
against a computer that “is part of a cloud computing service, each instance
of unauthorized access of a cloud computing account, access in excess of
authorization of a cloud computing account, or attempt or conspiracy to access
a cloud computing account without authorization or in excess of authorization
shall constitute a separate offense” {§2(a)}. Nothing in that description can
reasonably be construed to involve an industrial control system.
To be fair to Sen. Klobuchar and her staff, there has not yet
been a large movement of control systems to the cloud. It does seem apparent to
the casual observer, however, that it is only a matter of time before there will
be significant control system applications located in the cloud. If Congress intends
to provide criminal sanctions for attacks against the cloud, the wording ought
to be inclusive enough to address such services.
A simple wording change to ‘each instance of unauthorized
access of a cloud computing account or cloud computing service’ should suffice.
Other Provisions
It would be truly impressive if a Senator could write a
simple bill that accomplished a single purpose, but it doesn’t happen here.
There are three additional provisions that deal with international cooperation
and federal cloud computing procurement forecasting.
Section 4 of the bill requires the Secretary of State to
work with international agencies (the actual wording in the bill is ‘international
fora’; how quaint) “to advance the aims of ensuring interoperability between
the provisions of this Act, the amendments made by this Act, and other laws and
policies of the United States and foreign countries”. Such a vaguely worded
requirement is no requirement at all.
Section 5 does, after a fashion, follow up that requirement with the
inevitable call for another study. This one requires the Secretary of
State to “conduct a study on international cooperation regarding data privacy,
retention, and security” {§5(a)(1)}. There is, of course, a requirement to
present the results of this study to the Congress. This again reinforces the
intention of this bill to address only information security, not ICS security.
These two sections of the bill do provide a sort of logical
extension of the legal definition of cloud computing offenses outlined earlier
in the bill. The only relation the final section of the bill has to the named
purpose of the bill is that it also refers to cloud computing. In this case,
however, it is a requirement for each agency of the federal government to
provide a “3-year forecast of the plans of the agency relating to the
procurement of cloud computing services and support relating to such services”
{§6(b)}.
Moving Forward
The introduction of this measure so late in the session calls into question whether it was ever really intended to pass. If the Congress is going to take up any cybersecurity measure in the post-election lame duck session, it is unlikely to be this one. This may be just another one of the multitude of bills introduced this month to further a re-election campaign.