Wednesday, February 20, 2019

Legislative Cybersecurity Definitions


Earlier today in my post about the introduction of HR 1062 I briefly mentioned my concerns about the definitions related to cybersecurity used in current law and legislative proposals. In this post, I will be taking a more detailed look at the problem and my proposals for solutions.

Current Definitions


In writing legislation, congressional staffs (personal and committee) usually rely on definitions that already exist in the United States Code. This reliance on previous work helps establish a coherent lexicon of terminology, ensuring that different government programs mean the same thing when they use the same terms.

For cybersecurity issues, the following definitions are referred to in many disparate types of legislation concerning cybersecurity:

Information System:

44 USC 3502(8) - the term ‘‘information system’’ means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information;

6 USC 1501(9) - The term ‘‘information system’’—

(A) has the meaning given the term in section 3502 of title 44; and

(B) includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers.

Cybersecurity Risk:

6 USC 659(a)(1) - the term "cybersecurity risk"-

(A) means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism; and
(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;

Incident:

6 USC 659(a)(3) - the term "incident" means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system; [NOTE: Based upon the §3502 IT-restricted definition of ‘information system’.]

Cybersecurity Purpose:

6 USC 1501(4) The term ‘‘cybersecurity purpose’’ means the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.

Cybersecurity Threat:

(A) In general
Except as provided in subparagraph (B), the term ‘‘cybersecurity threat’’ means an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.

(B) Exclusion
The term ‘‘cybersecurity threat’’ does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement.

Definition Problems


When crafters of legislation describe computer systems, they generally use the term ‘information system’. Initially this was almost universally applied to systems that were used exclusively in the financial industry, but that expanded to include other types of information as legislators looked at protecting personally identifiable information (PII) and medical/healthcare information and more recently intellectual property.

As it became more and more evident that a variety of industrial control systems, transportation systems, medical devices and other computer systems that control physical processes were potentially subject to cyberattacks, legislative writers tried to squeeze these systems into the definition of ‘information system’. The one successful attempt at codifying that combination of IT and OT technology into a single term was the addition, in a second subparagraph, of the wording: “includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers”.

This bastardized definition still describes the purpose of ‘information systems’ as “the collection, processing, maintenance, use, sharing, dissemination, or disposition of information”. That purpose provides no connection to the physical processes controlled by control systems.

Similarly, the other cybersecurity-related definitions listed above (including those based upon the OT-inclusive definition in §1501) use IT-limiting phrases such as “information that is stored on, processed by, or transiting an information system” or “the integrity, confidentiality, or availability of information”. This has been acceptable from a legislative perspective because control systems still rely on ‘information’ for their operation.

Unfortunately, it is becoming increasingly obvious to those in the control system community that the cybersecurity focus in that sector should be on the potential physical outcomes of a successful attack rather than on the information used in the control processes.

Proposed Legislative Solution


With these problems in mind, I would like to propose that 6 USC 659(a) be amended to read:

(a) Definitions
In this section-

(1) the term ‘control system’ means a discrete set of information resources, sensors, communications interfaces and physical devices organized to monitor, control and/or report on physical processes, including manufacturing, transportation, access control, and facility environmental controls;

(2) the term "cybersecurity risk"-

[current text, to be struck:]

(A) means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism; and

(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;

[proposed replacement text:]

(A) threats to and vulnerabilities of information, information systems, or control systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information, information systems, or control systems, including such related consequences caused by an act of terrorism; and

(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;

(3) the terms "cyber threat indicator" and "defensive measure" have the meanings given those terms in section 102 of the Cybersecurity Act of 2015 [6 U.S.C. 1501];

(4) the term "incident" means an occurrence that actually or imminently jeopardizes, without lawful authority, [current text, to be struck: "the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system;"]:

(A) the integrity, confidentiality, or availability of information on an information system,

(B) the timely availability of accurate process information, the predictable control of the designed process or the confidentiality of process information, or

(C) an information system or a control system;

(5) the term "information sharing and analysis organization" has the meaning given that term in section 671(5) of this title;

(6) the term "information system" has the meaning given that term in section 3502(8) of title 44; and

(7) the term "sharing" (including all conjugations thereof) means providing, receiving, and disseminating (including all conjugations of each of such terms).
