Earlier today in my post about the introduction of HR 1062 I briefly mentioned my concerns about the definitions related to cybersecurity used in current law and legislative proposals. In this post, I will take a more detailed look at the problem and offer my proposals for solutions.
Current Definitions
In writing legislation, congressional staffs (personal and committee) usually rely on definitions that already exist in the United States Code. This reliance on previous work helps to establish a coherent lexicon of terminology that ensures that different programs in the government mean the same thing when they use the same terminology.
For cybersecurity issues we find the following definitions referred to in many disparate types of legislation dealing with cybersecurity:
Information System:
44 USC 3502(8) - the term "information system" means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information;
6 USC 1501 - the term "information system"-
(A) has the meaning given the term in section 3502 of title 44; and
(B) includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers.
Cybersecurity Risk:
6 USC 659(a)(1) - the term "cybersecurity risk"-
(A) means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism; and
(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;
Incident:
6 USC 659(a)(3) - the term "incident" means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system; [NOTE: Based upon the §3502 IT-restricted definition of 'information system'.]
Cybersecurity Purpose:
6 USC 1501(4) - the term "cybersecurity purpose" means the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.
Cybersecurity Threat:
6 USC 1501 - the term "cybersecurity threat"-
(A) In general
Except as provided in subparagraph (B), the term "cybersecurity threat" means an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.
(B) Exclusion
The term "cybersecurity threat" does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement.
Definition Problems
When crafters of legislation describe computer systems, they generally use the term 'information system'. Initially this was almost universally applied to systems used exclusively in the financial industry, but it expanded to cover other types of information as legislators looked at protecting personally identifiable information (PII), medical/healthcare information and, more recently, intellectual property.
As it became more and more evident that a variety of industrial control systems, transportation systems, medical devices and other computer systems that control physical processes were potentially subject to cyberattacks, legislative writers tried to squeeze these systems into the definition of 'information system'. The one successful attempt at codifying that combination of IT and OT technology into a single term was made by adding the wording "includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers" in a second subparagraph.
This bastardized definition still describes the purpose of an 'information system' as "the collection, processing, maintenance, use, sharing, dissemination, or disposition of information". That provides no connection to the physical processes controlled by control systems.
Similarly, the other cybersecurity related definitions listed above (including those based upon the OT-inclusive definition of §1501) use IT-limiting terms such as "information that is stored on, processed by, or transiting an information system" or "the integrity, confidentiality, or availability of information". This has been acceptable from a legislative perspective because control systems still rely on 'information' for their operation.
Unfortunately, it is becoming increasingly obvious to those in the control system community that the cybersecurity focus in that sector should be more intensely on the potential physical outcomes of a successful attack than on the information used in the control processes.
Proposed Legislative Solution
With these problems in mind, I would like to propose that 6 USC 659(a) be amended to read as follows (current language that would be struck is shown in square brackets marked "strike"; the replacement language follows it):
(a) Definitions
In this section-
(1) the term "control system" means a discrete set of information resources, sensors, communications interfaces and physical devices organized to monitor, control and/or report on physical processes, including manufacturing, transportation, access control, and facility environmental controls;
(2) the term "cybersecurity risk"-
[strike: (A) means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism; and (B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;]
(A) means threats to and vulnerabilities of information, information systems, or control systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information, information systems, or control systems, including such related consequences caused by an act of terrorism; and
(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;
(3) the terms "cyber threat indicator" and "defensive measure" have the meanings given those terms in section 102 of the Cybersecurity Act of 2015 [6 U.S.C. 1501];
(4) the term "incident" means an occurrence that actually or imminently jeopardizes, without lawful authority, [strike: the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system;]:
(A) the integrity, confidentiality, or availability of information on an information system,
(B) the timely availability of accurate process information, the predictable control of the designed process or the confidentiality of process information, or
(C) an information system or a control system;
(5) the term "information sharing and analysis organization" has the meaning given that term in section 671(5) of this title;
(6) the term "information system" has the meaning given that term in section 3502(8) of title 44; and
(7) the term "sharing" (including all conjugations thereof) means providing, receiving, and disseminating (including all conjugations of each of such terms).