As I noted last week, Sen. Rockefeller (D,WV) introduced S 1353, the
Cybersecurity Act of 2013. This bill has received a lot of
attention in the mainstream press as a bill that would formally implement the
cybersecurity framework initiated by the Obama Cybersecurity Executive Order
(EO 13636), but there is very little linkage, if any, between the two.
The bill is organized into three Titles:
Title I — Public-Private Collaboration on Cybersecurity
Title II — Cybersecurity Research and Development
Title III — Education and Workforce Development
The last two titles are little more than rehashes of R&D
and education programs outlined in other legislation and share the same
shortcomings. No new funds are identified for the new and/or repurposed programs so
they will either have to steal funds from other worthwhile programs without Congress
accepting responsibility for that reprogramming or the new programs will die
stillborn due to the lack of funds.
The meat of the bill is found in Title I, but even that
suffers from the lack of specific funding authority for the executive actions
that are directed to be accomplished by that title.
Definitions
Before we actually get to Title I we need to first glance
through Sections 2 and 3. Section 2 of the bill defines three terms to be used
in this bill:
• Cybersecurity mission;
• Information infrastructure; and
• Information system.
The first is a very expansive term that describes a wide
range of activities that includes such things as threat reduction,
international engagement, resiliency (which is not an activity the last time I
looked) and incident response to name a few. It also ropes in some aspects of
even more disparate activities such as law enforcement, diplomacy, military and
intelligence missions where they relate to the security and stability of
cyberspace.
The second term, ‘information infrastructure’, means “the
underlying framework that information systems and assets rely on to process,
transmit, receive, or store information electronically” {§2(b)}. Interestingly
the definition specifically includes “communications networks, and industrial or supervisory control systems
[emphasis added] and any associated hardware, software, or data”.
Before anyone gets too excited about the specific mention of control
systems, it needs to be made clear that the construction of the second and
third definitions limits those control systems to those that directly support
information systems. The definition of that term comes from 44 USC 3502(8)
where it is defined as “a discrete set of information resources
organized for the collection, processing, maintenance, use, sharing, dissemination,
or disposition of information”. So we can forget this bill covering security
for any control system that manufactures, controls or moves anything besides
information.
One last thing that we need to look at before we get to
Title I is §3 of the bill. It specifically and unequivocally states:
“Nothing in this Act shall be construed
to confer any regulatory authority on any Federal, State, tribal, or local department
or agency.”
Public-Private Collaboration - NIST
Section 101(a) starts out by modifying the list of
activities that the Secretary of the Department of Commerce is allowed (not
required) to perform through the Director of the National Institute of
Standards and Technology (NIST) under 15 USC 272(c) by adding
sub-paragraph (15) that would allow “on an ongoing
basis, [to] facilitate and support the development of a voluntary, industry-led
set of standards, guidelines, best practices, methodologies, procedures, and
processes to reduce cyber risks to critical infrastructure”.
If the drafters of this bill had really wanted NIST to undertake
a proactive cybersecurity development program they would have listed this
program in §272(b) under the mandated functions of the Institute rather than
under the allowed activities in §272(c). This is especially true since §272(c)(13)
and (c)(14) already provide wide latitude to study computer controls and
information systems.
Section 101(b) goes on to add another paragraph to 15 USC 272.
Section 272(e) provides additional details about how the Director
is to go about executing his newly allowed activities. There is a lot of coordinating
and consulting mentioned before one gets to the meat in §272(e)(1)(A)(iii) that
outlines a mandate (in an allowed, not required activity) to “identify a
prioritized, flexible, repeatable, performance-based, and cost-effective
approach” that can be voluntarily adopted by “owners and operators of critical
infrastructure to help them identify, assess, and manage cyber risks”.
Section 272(e) goes on to require that the approach would:
• Mitigate impacts on business confidentiality {§272(e)(1)(A)(iv)(I)};
• Protect individual privacy and civil liberties {§272(e)(1)(A)(iv)(II)};
• Incorporate voluntary consensus standards and industry best practices {§272(e)(1)(A)(v)};
• Align with international standards ‘to the fullest extent possible’ {§272(e)(1)(A)(vi)}; and
• Prevent conflict with regulatory requirements, mandatory standards and related processes {§272(e)(1)(A)(vii)}.
Section 272(e)(2) provides limited protection of information
shared with or provided to the Director of NIST in support of §272(c)(15). It
specifically states that the information “shall not be used by any Federal,
State, tribal, or local department or agency to regulate the activity of any entity”.
The bill does not, however, provide any protection against public disclosure of
that information or use of that information in civil actions by those other
than the government. Nor are there any provisions to protect against anti-trust
actions based upon the sharing of standards, best practices or security
practices.
There are also no provisions in this bill for protected
information sharing about specific intelligence or threat information. To be
fair, one would not expect that in an NIST activity as it is not part of the
intelligence community, but the sharing of threat intelligence will almost
certainly have a major impact on the development of best practices,
methodologies and procedures. Without open and effective threat information
sharing the effectiveness of any such developments will be stunted to say the
least.
EO Lite
Because the crafters of this bill limited Title I of the
bill to just activities at NIST, this bill provides only the barest
support for the Cybersecurity Framework currently being developed by NIST in
support of the President’s EO. Without the activities outlined for agencies in
DHS, DOD, Justice and GSA in the EO, the most effective parts of the Framework
are either not present or not supported by this flimsy legislative structure.
The biggest shortcoming of this bill in this regard is the
complete lack of any indication that one of the largest portions of the
cybersecurity threat currently facing this country is not information related
(though that is certainly an important area of concern) but rather the
vulnerability of physical control systems to manipulations that could
cause widespread physical damage, mass casualties
or the destruction of infrastructure that would reverberate throughout our
economy through cascading supply chain damage.
Moving Forward
This bill will likely move through markup today without
discussion. The big question will be whether, after the summer recess, it will have
any chance of making it to the floor of the Senate. A lot of that will depend
on the competing bills that are crafted between now and then. This is a bland
enough bill that it would probably pass, both here and in the House, if it were
to make it to a vote.