Last month Rep. Katko (R,NY) introduced HR 4217, the State and Local Cybersecurity Improvement Act. The bill would add two grant programs for State and local government cybersecurity programs, including supporting State cybersecurity exercises.
Supporting Requirements
Section 2 of the bill would add three new sections to the Homeland Security Act of 2002 under the Cybersecurity and Infrastructure Security (CISA) part (6 USC 651 et seq). Section 2115 would require the DHS Cybersecurity and Infrastructure Security Agency to develop a “resource guide for use by State, local, and Tribal officials, including law enforcement officers, to help such officials prepare for, protect against, respond to, recover from, and mitigate against cyber-attacks”.
Grant Programs
Section 2116 would require CISA to establish a grant program for “State and local governments to identify high value assets and critical system architecture in order to assess cybersecurity risks” {new §2116(a)}. The bill would appropriate “$5,000,000 for each of fiscal years 2020 through 2024” {new §2116(d)}.
Section 2117 would require CISA to establish a second grant program for “grants to State and local governments to conduct tabletop and live training exercises to assess the capability of the State or local government to respond to a cyberattack” {§2117(a)}. The bill would appropriate “$5,000,000 for each of fiscal years 2020 through 2024” {§2117(d)}.
Moving Forward
Katko is the Ranking Member of the Cybersecurity, Infrastructure Protection, & Innovation Subcommittee of the House Homeland Security Committee to which this bill was assigned for consideration. There is no doubt that he has enough influence to see this bill considered in Committee.
While the inclusion of new appropriations is typically a bad sign for support in legislation (the money has to come from somewhere), the recent spate of cyber attacks on cities across the country may lend a level of support necessary to overcome the reluctance to appropriate new money.
Commentary
There is a serious lack of detail in the grant programs being established in this bill. The only requirements for grant submissions are that the potential grantee provide a description of how the State or local government plans to allocate grant funds and document budget support for the program with 20% non-grant funding. Typically, grant authorization language provides a list of programs or activities that the grant monies could be applied to. The generic, one-sentence grant purposes outlined in the legislation would cover a wide variety of State and local government cybersecurity activities.
The one definition that is provided in this bill (by reference) is that of ‘cybersecurity risk’. That definition is taken from the CISA authorization and is focused strictly on information systems, and that definition relies on the IT-restrictive definition of ‘information systems’ in 44 USC 3502(8). This means that State and local governments would not be able to use the grant monies for control systems like traffic control systems, building maintenance systems or security systems, or even for municipal water treatment, waste-water treatment or power generation systems.
This goes back to the problems with the definitions of the CISA authorization language. I addressed this problem in a detailed blog post on cybersecurity definitions last February. It would be too much to expect a bill on cybersecurity grants to address all of the definition problems from the CISA authorization. To correct the problem in this bill we can simply add a new identical subsection in each of the three sections proposed in this bill:
(a) Definitions – In this section:
(1) the term ‘control system’ means a discrete set of information resources, sensors, communications interfaces and physical devices organized to monitor, control and/or report on physical processes, including manufacturing, transportation, access control, and facility environmental controls;
(2) the term ‘cyber-attack’ means any action that actually or imminently jeopardizes, without lawful authority:
(A) the integrity, confidentiality, or availability of information on an information system,
(B) the timely availability of accurate process information, the predictable control of the designed process or the confidentiality of process information, or
(C) an information system or a control system;
(3) the term ‘cybersecurity risk’ means:
(A) threats to and vulnerabilities of information, information systems, or control systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information, information systems, or control systems, including such related consequences caused by an act of terrorism; and
(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;
Then, I would suggest the following change to the proposed §2216:
“(a) IN GENERAL.—The Director shall establish a State and local government cybersecurity initiative to make grants to State and local governments to identify high value assets and critical system architecture value information systems and control systems in order to assess cybersecurity risks (as such term is defined in section 2209).” In identifying high value systems governments should consider identifying:
(1) Information systems that include systems that:
(A) contain large amounts of personally identifiable information (as defined in 2 USC 200.79);
(B) are critical to operations of public safety agencies; or
(C) affect the safe operations of schools, prisons, or large public venues;
(2) Control systems that include:
(I) traffic control systems;
(II) building security systems and/or building maintenance systems for government offices, schools, courts, prisons or large public venues; or
(III) operating systems for public water systems (as defined in 42 USC 300) or treatment works (as defined in 33 USC 1292).