Last week Sen. Inhofe (R,OK) introduced S 2987, the John S. McCain National Defense Authorization Act for Fiscal Year 2019. The bill contains one subtitle (Subtitle C of Title XVI) that specifically addresses cyber matters, including cybersecurity for industrial control systems (ICS).
Subtitle C
Part I of Subtitle C deals with general cyber matters. The sections include:
§1621. Policy of the United States on cyberspace, cybersecurity, cyber warfare, and cyber deterrence.
§1622. Affirming the authority of the Secretary of Defense to conduct military activities and operations in cyberspace.
§1623. Active defense and surveillance against Russian Federation attacks in cyberspace.
§1624. Reorganization and consolidation of certain cyber provisions.
§1625. Designation of official for matters relating to integrating cybersecurity and industrial control systems within the Department of Defense.
§1626. Assistance for small manufacturers in the defense industrial supply chain on matters relating to cybersecurity.
§1627. Modification of acquisition authority of the Commander of the United States Cyber Command.
§1628. Email and Internet website security and authentication.
§1629. Matters pertaining to the Sharkseer cybersecurity program.
§1630. Pilot program on modeling and simulation in support of military homeland defense operations in connection with cyber attacks on critical infrastructure.
§1631. Security product integration framework.
§1632. Report on enhancement of software security for critical systems.
§1633. Comply to connect and cybersecurity scorecard.
§1634. Cyberspace Solarium Commission.
§1635. Program to establish cyber institutes at institutions of higher learning.
§1636. Establishment of Cybersecurity for Defense Industrial Base Manufacturing.
Part II of Subtitle C deals with the mitigation of risks posed by providers of information technology with obligations to foreign governments. This part uses an unusual definition of ‘information technology’ from 40 USC 11101 that specifically includes “imaging peripherals, input, output, and storage devices necessary for security and surveillance” {§11101(6)(B)}. The part also specifically refers to ‘industrial control system’ without providing a definition of the term.
The sections in Part II include:
§1637. Definitions.
§1638. Identification of countries of concern regarding cybersecurity.
§1639. Mitigation of risks to national security posed by providers of information technology products and services who have obligations to foreign governments.
§1640. Establishment of registry of disclosures.
ICS Cybersecurity
Section 1625 (on pgs 731-2) requires DOD to designate one official “to be responsible for matters relating to integrating cybersecurity and industrial control systems within the Department of Defense” {§1625(a)}. That official would be responsible for all ICS cybersecurity matters for all levels of command down to the “facility using industrial control systems, including developing Department-wide certification standards for integration of industrial control systems” {§1625(b)}.
Section 1636 (on pgs 769-70) requires DOD to “establish an activity to assess and strengthen the cybersecurity resiliency of the defense industrial base of the United States” {§1636(a)(1)}. It would be known as the ‘Cybersecurity for Defense Industrial Base Manufacturing Activity’. The purpose of the Activity would be “to explore ways to increase the cybersecurity resilience of the defense industrial supply chain” {§1636(b)}, to include:
• Developing cybersecurity test capabilities to support identifying and reducing security vulnerabilities in defense industrial base manufacturing processes.
• Developing in-person and online training to help small defense industrial base manufacturers improve their cybersecurity.
• Ensuring that cybersecurity for defense industrial base manufacturing is included in Department of Defense research and development roadmaps and threat assessments.
• Aggregating, developing, and disseminating capabilities to address cybersecurity threats that can be provided to and adopted by defense industrial base manufacturers of all sizes.
The definition of ‘security vulnerability’ used by this section relies on the ICS-inclusive definition of ‘information system’ found in 6 USC 1501.
Foreign Government Influence
Section 1638 would require DOD to produce a “prioritized list of countries of concern regarding cybersecurity” {§1638(a)} based upon:
• A foreign government’s engagement in acts of violence against personnel of the United States or coalition forces.
• A foreign government’s willingness and record of providing financing, logistics, training or intelligence to other persons, countries or entities posing a force protection or cybersecurity risk to the personnel, financial systems, critical infrastructure, or information systems of the United States or coalition forces.
• A foreign government’s engagement in foreign intelligence activities against the United States.
• A foreign government’s direct or indirect participation in transnational organized crime or criminal activity.
• A foreign government’s ability and intent to conduct operations to affect the supply chain of the United States Government.
Section 1639 would prohibit DOD from using any “product, service, or system relating to information or operational technology, cybersecurity, an industrial control system, a weapons system, or computer antivirus” {§1639(a)} unless the provider discloses whether the provider has allowed:
• A foreign government to review or access the code of a product, system, or service custom-developed for the Department, or is under any obligation to allow a foreign person or government to review or access the code of a product, system, or service custom-developed for the Department as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government.
• A foreign government listed in section 1638(a) to review or access the source code of a product, system, or service that the Department is using or intends to use, or is under any obligation to allow a foreign person or government to review or access the source code of a product, system, or service that the Department is using or intends to use as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government.
DOD would have to evaluate whether any of the disclosures required above would reveal “a risk to the national security infrastructure or data of the United States, or any national security system under the control of the Department” {§1636(c)(1)}. If such a risk were present, DOD would be required to determine what actions would be necessary to mitigate it.
Moving Forward
This bill will not be considered on the floor of the Senate. It was offered as amendment SA 2282, as substitute language to HR 5515, which is currently being considered in the Senate. The S 2987 language was adopted in Committee by a strongly bipartisan vote of 25 to 2. This means that the base language will be relatively easy to bring to the floor of the Senate. In fact, the first cloture vote on HR 5515 was agreed to on a vote of 92 to 4 on Thursday. The Senate will begin actual consideration of HR 5515 on Monday.