S 1353 Introduced – Cybersecurity

As I noted last week, Sen. Rockefeller (D,WV) introduced S 1353, the Cybersecurity Act of 2013. This bill has received a lot of attention in the main stream press as a bill that would formally implement the cybersecurity framework initiated by the Obama Cybersecurity Executive Order (EO 13636), but there is very little linkage, if any, between the two.

The bill is organized into three Titles:

Title I — Public-Private Collaboration on Cybersecurity

Title II — Cybersecurity Research and Development

Title III — Education and Workforce Development

The last two titles are little more than rehashes of R&D and education programs outlined in other legislation and share the same short comings. No new funds are identified for the new and or repurposed programs so they will either have to steal funds from other worthwhile programs without Congress accepting responsibility for that reprograming or the new programs will die still born due to the lack of funds.

The meat of the bill is found in Title I, but even that suffers from the lack of specific funding authority for the executive actions that are directed to be accomplished by that title.

Definitions

Before we actually get to Title I we need to first glance through Sections 2 and 3. Section 2 of the bill defines three terms to be used in this bill:

• Cybersecurity mission;

• Information infrastructure; and

• Information system.

The first is a very expansive term that describes a wide range of activities that includes such things as threat reduction, international engagement, resiliency (which is not an activity the last time I looked) and incident response to name a few. It also ropes in some aspects of even more disparate activities such as law enforcement, diplomacy, military and intelligence missions where they relate to the security and stability of cyberspace.

The second term, ‘information infrastructure’, means “the underlying framework that information systems and assets rely on to process, transmit, receive, or store information electronically” {§2(b)}. Interestingly the definition specifically includes “communications networks, and industrial or supervisory control systems [emphasis added] and any associated hardware, software, or data”.

Before anyone gets too excited about the specific of control systems, it needs to be made clear that the construction of the second and third definitions limits those control systems to those that directly support information systems. The definition of that term comes from 44 USC 3502(8) where it is defined as “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information”. So we can forget this bill covering security for any control system that manufactures, controls or moves anything besides information.

One last thing that we need to look at before we get to Title I is §3 of the bill. It specifically and unequivocally states:

“Nothing in this Act shall be construed to confer any regulatory authority on any Federal, State, tribal, or local department or agency.”

Public-Private Collaboration - NIST

Section 101(a) starts out by modifying the list of activities that the Secretary of the Department of Commerce is allowed (not required) to perform through the Director of the National Institute of Standards and Technology (NIST) under 15 USC 272(c) by adding sub-paragraph (15) that would allow “on an ongoing basis, [to] facilitate and support the development of a voluntary, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to reduce cyber risks to critical infrastructure”.

If the drafters of this bill had really wanted NIST to undertake a proactive cybersecurity development program they would have listed this program in §272(b) under the mandated functions of the Institute rather than under the allowed activities in §272(c). This is especially true since §272(c)(13) and (c)(14) already provide wide latitude to study computer controls and information systems.

Section 101(b) goes on to add another paragraph to 15 USC 272. Section 272(e) provides additional details about how the Director is to go about executing his newly allowed activities. There is a lot of coordinating and consulting mentioned before one gets to the meat in §272(e)(1)(A)(iii) that outlines a mandate (in an allowed, not required activity) to “identify a prioritized, flexible, repeatable, performance-based, and cost-effective approach” that can be voluntarily adopted “owners and operators of critical infrastructure to help them identify, assess, and manage cyber risks”.

Section 272(e) goes on to require that the approach would

• Mitigate impacts on business confidentiality {§272(e)(1)(A)(iv)(I)};

• Protect individual privacy and civil liberties {§272(e)(1)(A)(iv)(II)};

• Incorporate voluntary consensus standards and industry best practices {§272(e)(1)(A)(v)};

• Align with international standards ‘to the fullest extent possible’ {§272(e)(1)(A)(vi)}; and

• Prevent conflict with regulatory requirements, mandatory standards and related processes {§272(e)(1)(A)(vii)}.

Section 272(e)(2) provides limited protection of information shared with or provided to the Director of NIST in support of §272(c)(15). It specifically states that the information “shall not be used by any Federal, State, tribal, or local department or agency to regulate the activity of any entity”. The bill does not, however, provide any protection against public disclosure of that information or use of that information in civil actions by those other than the government. Nor are there any provision to protect against anti-trust actions based upon the sharing of standards, best practices or security practices.

There are also no provisions in this bill for protected information sharing about specific intelligence or threat information. To be fair, one would not expect that in an NIST activity as it is not part of the intelligence community, but the sharing of threat intelligence will almost certainly have a major impact on the development of best practices, methodologies and procedures. Without open and effective threat information sharing the effectiveness of any such developments will be stunted to say the least.

EO Lite

Because the crafters of this bill limited Title I of the bill to just activities at NIST, this bill only supports just the barest number of supports for the Cybersecurity Framework currently be  developed by NIST in support of the President’s EO. Without the activities outlined for agencies in DHS, DOD, Justice and GSA in the EO, the most effective parts of the Framework are either not present or not supported by this flimsy legislative structure.

The biggest shortcoming of this bill in this regards is the complete lack of any indication that one of the largest portions of the cybersecurity threat currently facing this country is not information related (though that is certainly an important area of concern) but rather the vulnerability of physical control systems to manipulations that could cause  widespread physical damage, mass casualties or the destruction of infrastructure that would reverberate throughout our economy through cascading supply chain damage.

Moving Forward

This bill will likely move through markup today without discussion. The big question will be if, after the summer recess, it will have any chance of making it to the floor of the Senate. A lot of that will depend on the competing bills that are crafted between now and then. This is a bland enough bill that it would probably pass, both here and in the House if it were to make it a vote.