Last month Sen. Peters (D,MI) introduced S 412, the State
and Local Cyber Protection Act of 2017. The bill would require the National
Cybersecurity and Communications Integration Center (NCCIC) to provide cybersecurity
assistance to State and local government organizations. This bill is very
similar to S 2665 that was introduced in the 114th Congress; no action was
taken on the earlier bill.
The Assistance
The bill would amend 6 USC 148 by adding a new paragraph (n), State and Local
Coordination on Cybersecurity. It would require the Center (where practicable) to {new §148(n)(1)}:
• Assist State and local
governments in identifying information system vulnerabilities;
• Assist State and local
governments in identifying information security protections commensurate with
cybersecurity risks and the magnitude of the potential harm resulting from the
unauthorized access, use, disclosure, disruption, modification, or destruction
of information systems or stored information;
• Provide and periodically update via
a web portal tools, products, resources, policies, guidelines, and procedures
related to information security;
• Coordinate a nationwide effort to
ensure effective implementation of tools, products, resources, policies,
guidelines, and procedures related to information security to secure and ensure
the resiliency of State and local information systems;
• Provide operational and technical
cybersecurity training to State and local government and fusion center analysts
and operators to address cybersecurity risks or incidents;
• Provide privacy and civil liberties
training to State and local governments related to cybersecurity;
• Provide, upon request,
operational and technical assistance to State and local governments to implement
tools, products, resources, policies, guidelines, and procedures on information
security;
• Assist State and local
governments to develop policies and procedures for coordinating vulnerability
disclosure procedures consistent with international and national standards in
the information technology industry;
• Ensure that State and local governments are made
aware of the tools, products, resources, policies, guidelines, and procedures
on information security developed by the Department and other appropriate
Federal departments and agencies for ensuring the security and resiliency of
Federal civilian information systems.
Moving Forward
Peters is a member of the Senate Homeland Security and
Governmental Affairs Committee to which this bill was assigned for
consideration. This may mean that he has enough influence to ensure that this
bill is considered in Committee. This version was introduced much earlier in
the session so it may actually be considered.
There is nothing in the bill that would engender any
significant opposition. If the bill does make it to consideration it should be
able to pass with substantial bipartisan support.
Commentary
This bill still does not contain any mention of control system
security. State and local governments operate a wide variety of control systems
(traffic control systems, utility control systems and security control systems
to mention a few) and the security of those systems is becoming increasingly
important.
This bill frequently mentions the term ‘information security’.
Since this bill amends §148, it relies on the definition of that term found in
§148(a)(5), which refers back to the very limited,
IT-based definition found in 44 USC 3502(8) instead of the broader,
ICS-inclusive definition of the term found in 6 USC 1501(9). Simply changing
the reference to the newer definition would extend the requirements of this
bill to industrial control system security issues.
There are a wide variety of new requirements in this bill
that will require personnel, time and materials to effect. Unfortunately, as is
common in much legislation, there are no provisions in the bill for providing
additional monies to fulfill these requirements. This means that any efforts
made by the NCCIC to meet the requirements of this bill would have to draw down
existing efforts in other areas of its operation. Where Congress does not
provide guidance as to where this funding comes from, it is relying on the
Executive Branch to make those decisions. This ultimately allows congress
critters to complain about budgetary decisions without having to make those
decisions themselves; just keep adding requirements and do not worry about
paying for them. That is a great political game….