Sunday, September 30, 2012

S 3569 Introduced – Cloud Computing Security

Earlier this month, before the Senate adjourned for the electioneering break, Sen. Klobuchar (D,MN) introduced S 3569, the Cloud Computing Act of 2012. The bill would specifically add attacks against cloud computing services to the federal computer offenses listed in 18 USC §1030.

Cloud ICS Not Covered

The current wording of the bill would not specifically address attacks against control systems operating in the cloud. The key to this lack of coverage is two definitions being added by §2(b)(3) to §1030(e): ‘cloud computing service’ and ‘cloud computing account’. The ‘cloud computing service’ term is defined as “a service that enables convenient, on-demand network access to a shared pool of configurable computing resources (including networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or interaction by the provider of the service”. This definition could probably apply to ICS computing services in the cloud.

The limiting term deals with the cloud computing account. The term ‘cloud computing account’ means “information stored on a cloud computing service that requires a password or similar information to access and is attributable to an individual”. While it could be argued that ‘information stored’ could include information that forms the instructions in a cloud-based control system, the requirement that the information be ‘attributable to an individual’ clearly excludes cloud-based ICS.

This lack of ICS coverage is further emphasized in the additional language that is added to §1030 as sub-paragraph (k), which states that if one of the computer offenses currently listed in the section is conducted against a computer that “is part of a cloud computing service, each instance of unauthorized access of a cloud computing account, access in excess of authorization of a cloud computing account, or attempt or conspiracy to access a cloud computing account without authorization or in excess of authorization shall constitute a separate offense” {§2(a)}. Nothing in that description can reasonably be construed to involve an industrial control system.

To be fair to Ms. Klobuchar and her staff, there has not yet been a large movement of control systems to the cloud. It does seem apparent to the casual observer, however, that it is only a matter of time before there will be significant control system applications located in the cloud. If Congress intends to provide criminal sanctions on attacks against the cloud, the wording ought to be inclusive enough to address such services.

A simple wording change to ‘each instance of unauthorized access of a cloud computing account or cloud computing service’ should suffice.

Other Provisions

It would be truly impressive if a Senator could write a simple bill that accomplished a single purpose, but it doesn’t happen here. There are three additional provisions that deal with international cooperation and federal cloud computing procurement forecasting.

Section 4 of the bill requires the Secretary of State to work with international agencies (the actual wording in the bill is ‘international fora’; how quaint) “to advance the aims of ensuring interoperability between the provisions of this Act, the amendments made by this Act, and other laws and policies of the United States and foreign countries”. Such a vaguely worded requirement is no requirement at all.

Section 5 does, in a way, follow up on that requirement with the inevitable requirement for another study. This one requires the Secretary of State to “conduct a study on international cooperation regarding data privacy, retention, and security” {§5(a)(1)}. There is, of course, a requirement to present the results of this study to the Congress. This again reinforces the intention of this bill to address only information security, not ICS security.

These two sections of the bill do provide a sort of a logical extension of the legal definition of cloud computing offenses outlined earlier in the bill. The only relation the final section of the bill has to the named purpose of the bill is that it also refers to cloud computing. In this case, however, it is a requirement for each agency of the federal government to provide a “3-year forecast of the plans of the agency relating to the procurement of cloud computing services and support relating to such services” {§6(b)}.

Moving Forward

The introduction of this measure so late in the session calls into question whether it was ever really intended to pass. If the Congress is going to take up any cybersecurity measure in the post-election lame duck session, it is unlikely to be this one. This may be just another one of the multitude of bills that were introduced this month to further a re-election campaign.

1 comment:

Aldus Logan said...

Cloud computing is basically the access of an organized server by using a computer or any device that could access the servers. The information you have shared is great. I appreciate it.
