As I noted earlier this week, Sen. Leahy (D,VT) introduced S 1897, the Personal Data Privacy and Security Act of 2014. This is essentially the same bill that was reported in the Senate in the 112th Congress under the same name, S 1151. That bill passed in the Judiciary Committee, which Sen. Leahy still chairs, but never made it to the floor while Sen. Reid (D,NV) waited for comprehensive cybersecurity legislation to coalesce.
Most of this bill deals with data breaches and protecting personally identifiable information. I will leave the discussion of those portions of the bill to folks with more expertise in the area.
Control System Security
There is one section of the bill that addresses industrial control system security issues. It is found in §109, Damage to Critical Infrastructure Computers. It would add §1030A to Chapter 47 of 18 USC. This new section would make it a criminal act to “intentionally cause or attempt to cause damage to a critical infrastructure computer” {§1030A(b)}.
It defines a ‘critical infrastructure computer’ as one that “manages or controls systems or assets vital to national defense, national security, national economic security, public health or safety, or any combination of those matters, whether publicly or privately owned or operated” {§1030A(a)(2)} and then proceeds to give operational examples of industries where such computers could be found. Looking at the definition and the examples, the section clearly intends to protect against denial of service type attacks, but it seems to ignore the possibility that such damage could result in catastrophic physical damage to the facility and the surrounding community.
I noted in an earlier blog post that identical language to §109 can be found in §305 of HR 1468.
Unauthorized Access
Sen. Leahy takes a light approach to ‘correcting’ the problem of people being inappropriately charged (or sued) for unauthorized access to a computer by virtue of violating terms of service agreements or acceptable use policies. Rather than proposing wholesale revisions to 18 USC 1030, as did Rep. Lofgren (D,CA) in HR 2454 {or Sen. Wyden (D,OR) in S 1196, a companion bill}, S 1897 would add a single subparagraph to §1030(g):
“(2) No action may be brought under this subsection if a violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, constitutes the sole basis for determining that access to the protected computer is unauthorized, or in excess of authorization.”.
Moving Forward
Many news reports about the introduction of this bill indicate that the Thanksgiving Target POS attack was the impetus for Leahy’s re-introduction of this bill. It will certainly pass in his Committee with minimal changes (hopefully including re-wording §109 to specifically include cyber attacks with catastrophic physical consequences). Whether it will ever make it to the floor of the Senate depends in large part upon the political whims of Sen. Reid.
In general, however, I think this bill was submitted too late in the election cycle to make it through the legislative process before the end of the year.