As I mentioned last week, Rep. McCaul, and the rest of the bipartisan leadership of the House Homeland Security Committee, introduced HR 3696, the National Cybersecurity and Critical Infrastructure Protection Act (NCCIPA) of 2013. This is a fairly comprehensive effort to allow DHS to address the issues associated with cybersecurity in critical infrastructure without allowing any additional spending or any attempts at regulating.
Definitions
Section 101 of the bill starts off by adding a number of cyber related definitions to the Homeland Security Act of 2002 (6 USC §101). Those definitions include:
• Critical infrastructure §101(19)
• Critical infrastructure owner §101(20)
• Critical infrastructure operator §101(21)
• Cyber incident §101(22)
• Cybersecurity provider §101(23)
• Cybersecurity purpose §101(24)
• Cybersecurity system §101(25)
• Cyber threat §101(26)
• Cyber threat information §101(27)
• Federal civilian information systems §101(28)
• Information security §101(29)
• Information system §101(30)
• Private entity §101(31)
• Protected private entity §101(32)
• Shared situational awareness §101(33)
Three of the definitions will have some important consequences. The first (in importance to readers of this blog) is the definition of ‘information system’:
“The term ‘information system’ means the underlying framework and functions used to process, transmit, receive, or store information electronically, including programmable electronic devices, communications networks, and industrial or supervisory control systems [emphasis added] and any associated hardware, software, or data.”
This definition, applying to the Homeland Security Act, means that any place in that act that refers to an ‘information system’ will include (unless specifically exempted) control systems. If this bill is passed, this could have serious unintended consequences when additional cyber amendments are made to this Act. For current US Code provisions that would be affected by this expanded definition see §143, §144, and §145 of 6 USC.
The second definition of interest is also expansive in its coverage. The term ‘cyber incident’ is used to describe any incident, or an attempt to cause an incident, that would:
• Jeopardize or imminently jeopardize, without lawful authority, the security, integrity, confidentiality, or availability of an information system [emphasis added] or network of information systems or any information stored on, processed on, or transiting such a system;
• Constitute a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies related to an information system [emphasis added] or network of information systems, or an act of terrorism against an information system or network of information systems; or
• Result in the denial of access to or degradation, disruption, or destruction of an information system [emphasis added] or network of information systems, or the defeat of an operations control or technical control essential to the security or operation of an information system or network of information systems.
If people think that the current hacking criminal statutes are overly broad, those statutes at least require intent. While this is not a criminal statute, just about any computer malfunction or interruption, intentional or otherwise, becomes a cyber incident, to be tracked and reported by DHS.
The final important definition is ‘cyber threat’. It is defined as “any action that may result in [emphasis added] unauthorized access to, exfiltration of, manipulation of, harm of, or impairment to the security, integrity, confidentiality, or availability of an information system or network of information systems, or information that is stored on, processed by, or transiting an information system or network of information systems.” Once again, expansiveness is the order of the day.
Cybersecurity and Information Sharing
Section 102 of the bill is the first in a series of sections that modify Title II of the Homeland Security Act by adding new sections to 6 USC Subchapter II Part C after renaming that Part (formerly ‘Information Security’) “Cybersecurity and Information Sharing”, making this Part the cybersecurity central of the Act.
Sec 226 is added, providing the DHS Secretary with overall responsibility for conducting activities for cybersecurity purposes. Sec 227 provides that the Secretary will coordinate with the various stakeholders to {§227(1)}:
• Facilitate a national effort to strengthen and maintain secure, functioning, and resilient critical infrastructure from cyber threats;
• Ensure that Department policies and procedures enable critical infrastructure owners and critical infrastructure operators to receive real-time, actionable, and relevant cyber threat information;
• Upon request, facilitate and assist risk management efforts of entities to reduce vulnerabilities, identify and disrupt threats, and minimize consequences to their critical infrastructure;
• Upon request, provide education and assistance to critical infrastructure owners and critical infrastructure operators on how they may use protective measures and countermeasures to strengthen the security and resilience of the Nation’s critical infrastructure; and
• Coordinate a research and development strategy to facilitate and promote advancements and innovation in cybersecurity technologies to protect critical infrastructure.
Additionally, the Secretary is given sole responsibility to {§227(2)}:
• Support critical infrastructure owners’ and critical infrastructure operators’ efforts to secure, protect, and ensure the resiliency of critical infrastructure from cyber threats;
• Provide multi-directional sharing of real-time, actionable, and relevant cyber threat information; and
• Facilitate expeditious cyber incident response and recovery assistance, and provide analysis and warnings related to threats to and vulnerabilities of critical information systems.
The remainder of §227 codifies existing organizations and practices related to Critical Infrastructure Sectors {§227(b)}, Sector Coordinating Councils {§227(d)}, and Sector Information Sharing and Analysis Centers {§227(e)}. Additionally, it specifies {§227(e)(3)} that $25 Million of funding will be provided to the National Cybersecurity and Communications Integration Center (NCCIC) out of the funds authorized for the DHS Office of Cybersecurity and Communications.
The NCCIC is described in §228. The bill requires that the NCCIC will include {§228(b)}:
• At least one Information Sharing and Analysis Center established under section 227(e) for each critical infrastructure sector;
• The Multi-State Information Sharing and Analysis Center;
• The United States Computer Emergency Readiness Team;
• The Industrial Control System Cyber Emergency Response Team; and
• The National Coordinating Center for Telecommunications.
The bill adds §229, which addresses cyber incident response and technical assistance. It requires the Secretary to establish Cyber Incident Response Teams (CIRT) {§229(a)} and to develop a Cyber Incident Response Plan {§229(c)}.
The next two added sections (§230 and §230a) deal with Federal cybersecurity programs, specifically with workforce issues. The first addresses the readiness of the Federal cybersecurity workforce and the second addresses personnel policies designed to hire and retain that workforce.
DHS Cybersecurity Reorganization
Section 108 of the bill deals with the reorganization of the National Protection and Programs Directorate into the new Cybersecurity and Infrastructure Protection Directorate. It amends 6 USC 113 to specifically authorize an Under Secretary for Cybersecurity and Infrastructure Protection with two Deputy Under Secretaries, one for Cybersecurity and the other for Infrastructure Protection. It does this by adding paragraphs (K), (L), and (M) to §113. Interestingly, the bill does not touch the currently authorized Under Secretary responsible for overseeing critical infrastructure protection, cybersecurity and other related programs within the Department. That position in paragraph (H) remains in §113.
The bill does state that the people filling the current equivalent positions may retain those positions under the new titles {§108(b)(2)}.
NIST and the Cybersecurity Framework
Section 230b is also added to the new Cybersecurity and Information Sharing Part of the Homeland Security Act. While the bill never specifically mentions the current Cybersecurity Framework, the functions assigned to the Director of the National Institute of Standards and Technology (NIST) steal a lot of the verbiage from the President’s EO on Cybersecurity.
SAFETY Act
Section 202 of the bill modifies the provisions of the SAFETY Act (6 USC Subchapter VII Part G) to specifically include cybersecurity technologies under the purview of the Act. Mainly it does this by modifying the descriptive language from referring to just terrorism to now include the word ‘cybersecurity’. For example, the title of 6 USC §441(b) is changed to “Designation of anti-terrorism and cybersecurity technologies.”
Additionally, the bill would add a new paragraph to 6 USC §444 to address qualifying cyber incidents {§644(7)}. The opening sub-paragraph provides the Secretary with wide latitude to further define and specify those qualifications. The remainder goes on to describe the various types of qualifying incidents that should be included. The most pertinent from a control system perspective is the one that reads:
Disrupts or imminently jeopardizes the integrity, operation, confidentiality, or availability of programmable electronic devices, communication networks, including hardware, software and data that are essential to their reliable operation, electronic storage devices, or any other information system [emphasis added], or the information that system controls, processes, stores, or transmits {§644(7)(B)(ii)};
Restricting DHS Cybersecurity Operations
The last two sections of the bill will greatly restrict the ability of DHS to be very effective in their implementation of this bill if it is passed. Section 203 of the bill specifically denies the Secretary the authority to create or authorize the issuance of any new regulations. Section 204 specifically states that there is no new funding being authorized to take the actions directed. All necessary monies will come from current funding.
Moving Forward
The bill is fairly wide ranging and does include information sharing language without a lot of language protecting privacy or civil liberties. Normally, I would expect those twin characteristics to doom the prospects for this bill being considered. On the other hand, the sponsors are the top two cybersecurity Republicans and the top two cybersecurity Democrats on the House Homeland Security Committee, so there may be a chance for this bill to move forward.
We’ll have to see how fast this bill makes it through Committees. It was referred to the Committee on Homeland Security, the Committee on Science, Space, and Technology, and the Oversight and Government Reform Committee. If it gets relatively fast action in the first two, it has a good chance to get to the floor before spring. If it doesn’t get through the Senate by July 4th it is unlikely to get considered in an election year.