As I mentioned in an earlier
post Sen. Whitehouse (D,RI) introduced S
1638, the Cybersecurity Public Awareness Act of 2013. This bill is supposed
to promote public awareness of the cybersecurity threat.
The Threat
Section 2 of the bill is a statement of the ‘cybersecurity
problem’. It outlines the various types of cybersecurity threats that have been
becoming more prevalent over the last decade or so. As is to be expected from
Congress it focuses on threats to the Federal IT infrastructure, intellectual
property theft, and personal identity theft. There is no mention of control
system vulnerabilities or how those could affect the economy or the safety of
people working in or living around vulnerable facilities.
After describing the problem this section does make an
important point when it states that only “a well-informed public and Congress
can make the decisions necessary to protect consumers, industries, and the
national and economic security of the United States” {§2(7)}. It then goes on
to conclude:
“As of 2013, the level of public
awareness of cyber threats is unacceptably low. Only a tiny portion of relevant
cybersecurity information is released to the public. Information about attacks
on Federal Government systems is usually classified. Information about attacks on
private systems is ordinarily kept confidential. Sufficient mechanisms do not
exist to provide meaningful threat reports to the public in unclassified and
anonymized form.” {§2(8)}
This is the deficiency that the remainder of the bill is
designed to correct.
Reports to Congress
The mechanism through which the bill would try to increase
public awareness is the inevitable reports to Congress. While many bills
require a couple of reports to Congress, this bill is nothing but reports to
Congress. It includes requirements for reports from:
• DHS on major cyber incidents on
non-DOD government agencies {§3(a)};
• DOD on major cyber incidents on
DOD networks {§3(b)};
• FBI on investigations conducted relating
to “cyber intrusions, computer or network compromise, or other forms of illegal
hacking” {§4};
• DHS on the federal government
response to requests for assistance from the private sector to “assist in the
defense of the information networks of the requesting private sector entity
against cyber threats that could result in loss of life or significant harm to the
national economy or national security” {§5};
• SEC assessment of cyber incident
reporting in financial statements of publicly traded companies {§6};
• Sector Specific and regulatory
agencies on the “nature and state of the vulnerabilities to cyber threats of
each critical infrastructure sector” {§7};
• National Research Council Congress
“on opportunities to develop new technologies or technological approaches,
including developing a secure domain, that would enhance the cybersecurity of
critical infrastructure entities” {§8}; and
• DHS on the impediments to public
awareness of cybersecurity threats.
The requirements for most of these reports include language
that the report should be completed in an ‘unclassified form’ with the option
for the additional publication of a classified annex that would provide
lawmakers with information that must be restricted to protect intelligence
means and methods.
Shortcomings
Sen. Whitehouse, like all congress critters, is fully aware
(Sarcasm Alert) that the federal employees that would collect and collate the
information for these reports, prepare these reports, and hold meetings to vet
these reports through their political overseers have nothing better to do with
their time sitting around in their luxurious offices in and around the nation’s
capital (end Sarcasm Alert) so this bill does not include any authorization for
additional monies for the preparation of these reports.
The bill does not actually provide any way for the
information provided in these reports to get to the public to help to increase
the public awareness of the cybersecurity threat. We all know what will happen
as these reports trickle into the offices of the various committee staffs; they
will be read by staffers who will summarize them for the Committee Chair and
Ranking Member. They, in turn, will then issue press releases decrying the
state of cyber security based upon the summary provided by their staffs. If the
news cycle is slow enough on the day of the press release, there will be a 10
second report on the evening news about the issue. And nothing will come of it.
I would have been more impressed if the bill included a
requirement for the National Institute of Standards and Technology (NIST) or the
National Archives and Records Administration (NARA) to prepare and maintain a
cybersecurity web site where these reports could be published for the world to
see.
Even better would have been to eliminate the recurring
reporting requirement. Then the bill could have established a cybersecurity
commission which would be required to compile all of these disparate reports
into a single document analyzing the current state of cybersecurity and include
bipartisan draft legislation to effectively address the situation.
Of course, if the 9/11 Commission report is any indication
of what would happen, Congress would implement bits and pieces of the
recommendations over the next ten years. And the federal agencies involved
would take an additional 5 to 10 years to craft the rules necessary to
implement that legislation.
Moving Forward
This bill is innocuous enough that if it were to make it to
the floor of the Senate it would be passed by unanimous consent in the closing
minutes of a day’s session. In the House it would be considered under
suspension of the rules with ’40 minutes of debate’ where everyone would speak
in support of the bill for 5 minutes and then pass the bill with 400 yeas.
The question is whether the Senate leadership is desperate enough
to pass cybersecurity legislation in this session that they have to resort to
this do-nothing bill. I think they are rapidly reaching that level of
desperation. I would not be surprised to see this pass in the Senate before
Thanksgiving and in the House before Christmas.