Earlier this month Sen. Daines (R,MT) introduced S 2392, the Cyber Support for Anti-Terrorism by Fostering Effective Technologies (Cyber SAFETY) Act of 2018. The bill would extend the protections of the SAFETY Act (6 USC 441 et seq) to cybersecurity technology in addition to the existing protections for anti-terrorism technology.
SAFETY Act Background
The DHS Science and Technology Directorate administers the SAFETY Act and describes it on their web site this way:
“The SAFETY Act provides incentives for the development and deployment of anti-terrorism technologies by creating systems of risk and litigation management. The purpose of the Act is to ensure that the threat of liability does not deter potential manufacturers or sellers of effective anti-terrorism technologies from developing and commercializing technologies that could save lives.”
After appropriate review of proposed technologies {see 6 USC 441(b)}, the Secretary certifies an anti-terrorism technology {“any product, equipment, service (including support services), device, or technology (including information technology) designed, developed, modified, or procured for the specific purpose of preventing, detecting, identifying, or deterring acts of terrorism or limiting the harm such acts might otherwise cause”; 6 USC 444(1)} as qualified anti-terrorism technology. When that qualified technology is employed in response to an act of terrorism, the seller/provider of that technology is given some protection against third-party liability claims resulting from the approved use of the technology.
Amendments to SAFETY Act
The bill would make a number of amendments to the existing language of the SAFETY Act. Most of those changes consist of adding the words “cybersecurity” or “qualifying cyber incidents” in places in the Act which make reference to “anti-terrorism” or “acts of terrorism”.
There is only one definition supplied by this bill: adding the term “qualifying cyber incident” to the list of definitions in §444. That new definition applies the definition of ‘incident’ from 44 USC 3552(b)(2). That definition is a very IT-centric one that applies to any occurrence that “actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system” {§3552(b)(2)(A)}.
It also specifically includes “a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies” {§3552(b)(2)(B)}.
Moving Forward
Daines is a relatively low-ranking member of the Senate Homeland Security and Governmental Affairs Committee, to which this bill was assigned for consideration. Even so, he may have enough influence to have this bill considered in Committee.
I do not see anything in this bill that would engender any significant opposition. If the bill were to be considered in Committee, it would probably pass with bipartisan support, as it would if it were ever to reach the floor of the Senate.
Commentary
While the provision for limited protection against third-party liability claims for qualifying cybersecurity technology certainly has its merits, there are a couple of very serious problems with this bill. Both deal with definitions: one that is missing and one that is deficient.
The most glaring problem with the bill is the lack of a definition of ‘cybersecurity’ or, more importantly, ‘cybersecurity technologies’, as the term is usually used in the proposed revision to the SAFETY Act. The definition of ‘qualified anti-terrorism technology’ can help provide a framework for a definition once we add terminology appropriate to ‘cybersecurity’. I would propose that the following definition be added at the end of the bill:
“(8) CYBERSECURITY TECHNOLOGY – The term “cybersecurity technology” means any product, equipment, service (including support services), device, or technology (including information technology) designed, developed, modified, or procured for a cybersecurity purpose as that term is defined in 6 USC 1501(4).”
That ‘cybersecurity purpose’ term, in turn, relies on the expansive definition of ‘information system’ in §1501(9), which specifically includes industrial control system components. Thus, ‘cybersecurity technology’ would also encompass ICS protections, which are mostly missing from this bill.
The other major problem with definitions in this bill is that the definition of “qualifying [emphasis added] cyber incident” does not include any mention of a requirement for the Secretary to designate an incident as a ‘qualifying cyber incident’. Thus, any incident meeting the IT-centric and very expansive definition in §3552(b)(2) would, a priori, be a ‘qualifying cyber incident’. This could easily be rectified by changing the wording of the definition to:
“(7) QUALIFYING CYBER INCIDENT –
(A) The term “qualifying cyber incident” means any incident, as that term is defined in section 3552(b) of title 44, United States Code, that the Secretary determines meets the requirements under subparagraph (B), as such requirements are further defined and specified by the Secretary.
(B) REQUIREMENTS.— An act meets the requirements of this subparagraph if the act—
(i) is unlawful;
(ii) causes harm to a person, information system (as that term is defined in section 1501(9) of title 6, United States Code), property, or entity, in the United States, or in the case of a domestic United States air carrier or a United States-flag vessel (or a vessel based principally in the United States on which United States income tax is paid and whose insurance coverage is subject to regulation in the United States), in or outside the United States; and
(iii) uses a cybersecurity threat or malicious cyber command and control as those terms are defined in section 1501(5) and (11) of title 6, United States Code.