Thursday, December 17, 2015

Cybersecurity Act of 2015

House and Senate negotiators, principally from the two intelligence committees and the two homeland security committees, attached the Cybersecurity Act of 2015 to the Consolidated Appropriations Act, 2016 (HR 2029) that is being considered in the House this morning. Labeled as Division N (pgs 1728 thru 1863), the Act is a negotiated blend of S 754 (CISA), HR 1560 (Protecting Cyber Networks Act), and HR 1731 (National Cybersecurity Protection Advancement Act of 2015), each of which was passed earlier this year in its respective house of Congress.

The Act consists of four Titles:

• Cybersecurity Information Sharing;
• National Cybersecurity Advancement;
• Federal Cybersecurity Workforce Assessment; and
• Other Cyber Matters

Industrial Control System Provisions

For the most part, the three base bills that were merged together to form this Division dealt with information technology (IT) systems, not industrial control systems (ICS). This is even more obvious in the blended legislation. The one clear exception is found in the definition of ‘information system’ in §102(9); it specifically includes “industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers” {§102(9)(B)}. Thus all of the information sharing provisions of Title I specifically apply to industrial control systems.

Unfortunately, the attention to ICS quickly breaks down in Title II of the bill where cyber incidents are discussed in relation to the operations of the National Cybersecurity and Communications Integration Center. The term incident is defined in the new §227(a)(3) as “an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system”.

This definition ignores the fact that a situation could involve an ICS in critical infrastructure and have catastrophic consequences for a region or community (a widespread power outage, a pipeline rupture and fire, or a toxic chemical release) without in any way harming the ICS or the information contained within the ICS; the physical effect is the harm, not the loss of integrity, confidentiality or availability of data. The basic misunderstanding of this situation can be clearly seen in §208, where DHS is required to report to Congress on “the feasibility of producing a risk-informed plan to address the risk of multiple simultaneous cyber incidents affecting critical infrastructure, including cyber incidents that may have a cascading effect on other critical infrastructure”. This was almost certainly seen as addressing control systems (the use of the term ‘cascading effect’ clearly points at power grid incidents), but the definition of ‘incident’ all but excludes the intended situations.

This is seen again in §209, where another report to Congress by DHS is supposed to look at “cybersecurity vulnerabilities for the 10 United States ports that the Secretary determines are at greatest risk of a cybersecurity incident and provide recommendations to mitigate such vulnerabilities”. Again, the failure to include non-cyber (physical) consequences in the definition of ‘incident’ severely restricts its application to control system situations.

There is an interesting consequence of this expanded definition of ‘information system’ used throughout this Division. In §228 the bill mandates that DHS “develop and implement an intrusion assessment plan to proactively detect, identify, and remove intruders in agency information systems on a routine basis” {§228(b)(1)(A)}. Since this Section uses the same ‘information system’ definition, the requirement also applies to agency ICS such as building environmental controls, building access controls and security systems. In fact, an argument could be made that it also includes the control systems in agency vehicles. I am pretty sure that this was not specifically intended by the staffs crafting this legislation.

Interestingly, the ‘information system’ definition is not carried over to §405, Improving Cybersecurity in the Health Care Industry. This means that vendors of, and software developers for, medical devices are not included in the definition of ‘health care industry stakeholder’ found at §405(a). This makes no sense when the report required by this section from the Secretary of Health and Human Services is specifically required to address “challenges that covered entities and business associates face in securing networked medical devices and other software or systems that connect to an electronic health record” {§405(c)(1)(C)}.

Missing ICS Provisions

The three bills that were the precursors to this Division were also generally IT security bills, but they did include two specific ICS-related provisions that did not make it into this legislation.

For example, S 754 included a provision (§407) that required the DHS Secretary to “identify critical infrastructure entities where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security” {§407(b)}. It would then have required a report to Congress “describing the extent to which each covered entity reports significant intrusions of information systems essential to the operation of critical infrastructure” {§407(c)} to either DHS or a regulating agency.

In HR 1731 we saw an amendment to 6 USC 148 that would have modified the mandatory composition of the National Cybersecurity and Communications Integration Center by adding the DHS ICS-CERT as a represented organization. It would have formalized the role of the ICS-CERT with the responsibility to {new §148(d)(1)(G)}:

∙ Coordinate with industrial control systems owners and operators;
∙ Provide training, upon request, to Federal entities and non-Federal entities on industrial control systems cybersecurity;
∙ Collaboratively address cybersecurity risks and incidents to industrial control systems;
∙ Provide technical assistance, upon request, to Federal entities and non-Federal entities relating to industrial control systems cybersecurity; and
∙ Share cyber threat indicators, defensive measures, or information related to cybersecurity risks and incidents of industrial control systems in a timely fashion.

Moving Forward

Each of the component bills used to craft this negotiated compromise was passed by a significant bipartisan vote in its respective house of Congress. Unfortunately, there are a number of privacy advocates who are dissatisfied with the privacy protection features that were left out of this final version. For them to vote against the Cybersecurity Act of 2015, however, they have to vote against the whole package of spending bills to which it is appended. At this point (the House is currently debating HR 2029 as I write this) it is not clear whether there is enough combined opposition to this (and other slightly less controversial provisions) to stop the bill from passing.
