As I noted a little over a week ago, Rep. Langevin (D,RI) introduced HR 3032, the Executive Cyberspace Coordination Act of 2013. The three titles of the bill address:
• Federal Information Security Amendments;
• Federal Chief Technology Officer; and
• Strengthening Cybersecurity for Critical Infrastructure
Federal Information Security
Title I of this bill would delete Subchapters II and III of 44 USC and replace them with a new Subchapter II dealing with Federal information security programs. The new §3551 is essentially a duplicate of the current §3541 and §3531 that are being deleted. The new §3552 replaces the current definition sections, modifies the current definition of ‘Information security’ {§3552(b)(4)} and adds definitions for:
• ‘Adequate security’ §3552(b)(1)
• ‘Incident’ §3552(b)(2)
• ‘Information infrastructure’ §3552(b)(3)
The new §3553 establishes the National Office for Cyberspace within the Executive Office of the President. “The Office shall serve as the principal office for coordinating issues relating to cyberspace, including achieving an assured, reliable, secure, and survivable information infrastructure and related capabilities for the Federal Government, while promoting national economic interests, security, and civil liberties.” {§3553(b)(1)}
The new §3554 establishes the Federal Cybersecurity Practice Board. “Subject to the authority, direction, and control of the Director of the National Office for Cyberspace, the Board shall be responsible for developing and periodically updating information security policies and procedures” {§3554(c)(1)}. The specific areas of responsibility include:
• Minimum security controls {§3554(c)(2)(A)};
• Measures of effectiveness {§3554(c)(2)(B)};
• Products and services {§3554(c)(2)(C)}; and
• Remedies {§3554(c)(2)(D)}.
The Board will propose regulations to carry out these policies and procedures, and the Director of the National Office for Cyberspace will promulgate and periodically update the necessary regulations {§3554(d)}.
Federal Chief Technology Officer
Title II would create the Office of the Federal Chief Technology Officer within the Executive Office of the President. The Federal CTO would be a member of the Federal Cybersecurity Practice Board. The duties of the Federal CTO would include:
• Undertaking fact-gathering, analysis, and assessment of the Federal Government’s information technology infrastructures, information technology strategy, and use of information technology {§201(b)(1)};
• Leading an interagency effort to develop and implement a planning process to ensure that agencies use best-in-class technologies, share best practices, and improve the use of technology in support of Federal Government requirements {§201(b)(2)};
• Advising the President on information technology considerations with regard to Federal budgets and with regard to general coordination of the research and development programs of the Federal Government for information technology-related matters {§201(b)(3)};
• Promoting technological innovation in the Federal Government, and encouraging and overseeing the adoption of robust cross-governmental architectures and standards-based information technologies {§201(b)(4)};
• Establishing cooperative public-private sector partnership initiatives to achieve knowledge of technologies available in the marketplace that can be used for improving governmental operations {§201(b)(5)};
• Gathering timely and authoritative information concerning significant developments and trends in information technology, and in national priorities {§201(b)(6)}; and
• Developing, reviewing, revising, and recommending criteria for determining information technology activities warranting Federal support {§201(b)(7)}.
Cybersecurity for Critical Infrastructure
Title III is the shortest of the three titles in this bill, but it clearly has the potential to affect the widest swath of cybersecurity. It starts out with one new definition in §301, the term Critical Information Infrastructure:
“The term ‘‘critical information infrastructure’’ means the electronic information and communications systems, software, and assets that control, protect, process, transmit, receive, program, or store information in any form, including data, voice, and video, relied upon by critical infrastructure, industrial control systems such as supervisory control and data acquisition systems, and programmable logic controllers. This shall also include such systems of the Federal Government.” {§301(1)}
Interestingly, the phrases ‘industrial control systems’ and ‘programmable logic controllers’ are not subordinate to ‘critical infrastructure’ in that definition; they are listed alongside it rather than as a subset of it. This means that the remaining portions of the Title that rely on this definition could be very widely applied to just about any control system in the country.
Section 302 of the bill would provide the DHS Secretary the primary Executive authority for the “creation, verification, and enforcement of measures with respect to the protection of critical information infrastructure, including promulgating risk-informed information security practices and standards applicable to critical information infrastructures that are not owned by or under the direct control of the Federal Government” {§302(a)}. This certainly sounds like authority to regulate ‘critical information infrastructure’.
Specifically included in this authority is the authority to:
• Conduct such audits as are necessary to ensure that appropriate measures are taken to secure critical information infrastructure {§302(c)(1)};
• Issue such subpoenas as are necessary to determine compliance with Federal regulatory requirements for securing critical information infrastructure {§302(c)(2)}; and
• Authorize sector-specific Federal regulatory agencies to undertake such audits {§302(c)(3)}.
Interestingly, there are no provisions for civil or criminal sanctions in this bill. So the most that the Secretary can seemingly do is to require an entity to allow an inspection of its critical information infrastructure.
There is another indirect restriction on the limits of this authority. There is no authorization for funds or personnel to implement a new regulatory agency. Effectively, this would seem to limit the application of this authority to those areas where a regulatory regime already exists. Examples would be the CFATS program or the MTSA program.
Moving Forward
If it weren’t for Title III, there would be little impediment to the passage of this bill. Add a few more pro-forma privacy statements and Titles I and II could pass in the House and Senate before the end of the fiscal year. Title III, however, will have to be significantly reworked to make clear that only voluntary measures can be developed to protect critical information infrastructure, and even then it will have to be specifically limited to clearly defined critical infrastructure to have any chance of passage.