As everyone is probably already aware, the Senate yesterday
passed an amended S 754 by a substantially bipartisan vote
of 74 to 21. The bill will now go to a conference committee where the
differences between this bill and HR
1560, which was passed in the House in April, will be reconciled.
Control System Security Issues
The revised bill does contain two provisions that have
specific implications for control system security. First the information
sharing provisions of the bill do apply to control systems as the definition of
‘information system’ in §102(10)
specifically “includes industrial control systems, such as supervisory control
and data acquisition systems, distributed control systems, and programmable
logic controllers”.
Second, as I
reported earlier, §407
of the bill would require DHS to report to Congress on the extent to which critical
infrastructure is currently required to report cyber intrusions or
cybersecurity incidents that “could reasonably result in catastrophic
regional or national effects on public health or safety, economic security, or
national security”. DHS would also be required to suggest to Congress
additional statutory authority that would be required to allow the department
to put into effect “a strategy that addresses each of the covered [critical
infrastructure] entities, to ensure that, to the greatest extent feasible, a cyber
security incident affecting such entity would no longer reasonably result in catastrophic
regional or national effects on public health or safety, economic security, or
national security” {§407(c)(1)}.
The Whitehouse amendment (revised amendment #2626) that I
described in my earlier post was not considered by the Senate. This amendment
and Mikulski #257 were objected to by Sen. Burr (R,NC; Chair of the Senate
Intelligence Committee and co-author of S 754) as not being “germane to
amendment No. 2716.” {CREC-2015-10-27-pt1-PgS7503}.
Readers might remember that the Whitehouse amendment would have made it a
federal criminal offense to damage a critical infrastructure computer during
the commission of computer fraud.
Moving Forward
With the House and Senate bills headed to conference in the
coming weeks, there is no telling exactly when the resulting bill will come
back for votes in the House and Senate. It is also not yet clear which bill
number will be the vessel for that vote. It is apparent, however, that we will
have an information sharing bill sent to the President in the not too distant
future (probably before the end of the year).
Commentary
I think that I have to agree with Jack
Whitsitt’s view of the effectiveness of the information sharing provisions
of this bill; it is not going to be a game changer by any stretch of the
imagination. Nor do I subscribe to the dystopian view that this bill
specifically furthers the government invasion of privacy evidenced in the NSA
revelations of the last couple of years. It will, however, relieve Congress
from any further requirement in the near term to craft ‘comprehensive
cybersecurity legislation’.
I think what we will see from Congress is a continuation of
the trend that I have mentioned here a couple of times of including relatively
minor cybersecurity language in bills dealing with technology issues or general
security issues. This will, in my opinion, be a much more effective (if
piecemeal) way of dealing with cybersecurity issues in general and control
system security issues specifically.
As Congress routinely addresses technical issues in
automotive safety, intelligent transportation systems, medical devices, the
smart grid and aircraft safety (to name a few specific areas) legitimate
attention will also have to be directed at the security of the electronic
systems that form the control basis for those systems. Integrating control
system security into those larger issues is where important legislative work
needs to be done.
The one area, however, that still needs major legislative
attention is the protection of control systems where failure or an attack could
have significant impact on a large segment of society. Section 407 of the bill
that was passed yesterday was an important step in identifying those control systems
that need to be protected.
I think that the time frame requirements in that section are
way too short for effective analysis. This means that some truly critical
systems are sure to be missed and some not so critical systems will be
included. But, it is an important first step.
The control system security community, meanwhile, needs to
start thinking seriously about how we want to see meaningful legislation crafted
to deal with the control system vulnerabilities in these critical facilities.
We need to figure out how to craft rules that won’t be technically obsolete by
the time that they are published. We need to figure out how to regulate control
system security without stifling the creative expansion of control system
capabilities.
We need to do it because Congress does not have (and never will
have) the technological skills and comprehension to do it on their own. If we
leave this to them we will either have rules so complicated that future
changes in automation technology will be fatally handicapped, or so weak that
there will be no protection of critical infrastructure control systems at all.
Congress is not equipped to find the technological middle ground; we are.