Friday, February 23, 2018

S 2392 Introduced – Cybersecurity Technology


Earlier this month Sen. Daines (R,MT) introduced S 2392, the Cyber Support for Anti-Terrorism by Fostering Effective Technologies (Cyber SAFETY) Act of 2018. The bill would extend the protections of the SAFETY Act (6 USC 441 et seq) to cybersecurity technology in addition to the existing protections for anti-terrorism technology.

SAFETY Act Background


The DHS Science and Technology Directorate administers the SAFETY Act and describes it on their web site this way:

“The SAFETY Act provides incentives for the development and deployment of anti-terrorism technologies by creating systems of risk and litigation management. The purpose of the Act is to ensure that the threat of liability does not deter potential manufacturers or sellers of effective anti-terrorism technologies from developing and commercializing technologies that could save lives.”

After appropriate review of proposed technologies {see 6 USC 441(b)}, the Secretary certifies an anti-terrorism technology {“any product, equipment, service (including support services), device, or technology (including information technology) designed, developed, modified, or procured for the specific purpose of preventing, detecting, identifying, or deterring acts of terrorism or limiting the harm such acts might otherwise cause”; 6 USC 444(1)} as qualified anti-terrorism technology. When that qualified technology is employed in response to an act of terrorism, the seller/provider of that technology is provided some protections against 3rd party liability claims resulting from the approved use of the technology.

Amendments to SAFETY Act


The bill would make a number of amendments to the existing language of the SAFETY Act. Most of those changes consist of adding the words “cybersecurity” or “qualifying cyber incidents” in places in the Act which make reference to “anti-terrorism” or “acts of terrorism”.

There is only one definition supplied by this bill: adding the term “qualifying cyber incident” to the list of definitions in §444. That new definition applies the definition of ‘incident’ from 44 USC 3552(b)(2). That definition is a very IT-centric definition that applies to any occurrence that “actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system” {§3552(b)(2)(A)}. It also specifically includes “a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies” {§3552(b)(2)(B)}.

Moving Forward


Daines is a relatively low-ranking member of the Senate Homeland Security and Governmental Affairs Committee, to which this bill was assigned for consideration. This means that he may have enough influence to have this bill considered in Committee.

I do not see anything in this bill that would engender any significant opposition. If the bill were to be considered in Committee, it would probably pass with bipartisan support as it would if it were to ever reach the floor of the Senate.

Commentary


While the provision for limited protections against 3rd party liability claims for qualifying cybersecurity technology certainly has its merits, there are a couple of very serious problems with this bill. Those problems concern definitions: both definitions that are missing and definitions that are inadequate.

The most glaring problem with the bill is the lack of a definition of ‘cybersecurity’ or more importantly ‘cybersecurity technologies’ as the term is usually used in the proposed revision to the SAFETY Act. The definition of ‘qualified anti-terrorism technology’ can help provide a framework for a definition once we add terminology appropriate to ‘cybersecurity’. I would propose that the following definition be added at the end of the bill:

“(8) CYBERSECURITY TECHNOLOGY – The term “cybersecurity technology” means any product, equipment, service (including support services), device, or technology (including information technology) designed, developed, modified, or procured for a cybersecurity purpose as that term is defined in 6 USC 1501(4).”

That ‘cybersecurity purpose’ term, in turn, relies on the expansive definition of ‘information system’ in §1501(9) that specifically includes industrial control system components. Thus, the ‘cybersecurity technology’ would also encompass ICS protections, which are mostly missing from this bill.

The other major problem with definitions in this bill is that the definition of “qualifying [emphasis added] cyber incident” does not include any mention of a requirement for the Secretary to designate an incident as a ‘qualifying cyber incident’. Thus, any incident meeting the IT-centric and very expansive definition in §3552(b)(2) would, a priori, be a ‘qualifying cyber incident’. This could easily be rectified by changing the wording of the definition to:

“(7) QUALIFYING CYBER INCIDENT –

(A) The term “qualifying cyber incident” means any incident, as that term is defined in section 3552(b) of title 44, United States Code, that the Secretary determines meets the requirements under subparagraph (B), as such requirements are further defined and specified by the Secretary.

(B) REQUIREMENTS.— An act meets the requirements of this subparagraph if the act—

(i) is unlawful;

(ii) causes harm to a person, information system (as that term is defined in section 1501(9) of title 6, United States Code), property, or entity, in the United States, or in the case of a domestic United States air carrier or a United States-flag vessel (or a vessel based principally in the United States on which United States income tax is paid and whose insurance coverage is subject to regulation in the United States), in or outside the United States; and

(iii) uses a cybersecurity threat or malicious cybercommand and control as those terms are defined in section 1501(5) and (11) of title 6, United States Code.
