Earlier this month Sen Hassan (D,NH) introduced S 3207, the Cybersecurity State Coordinator Act of 2020. The bill would require the DHS Cybersecurity and Infrastructure Security Agency (CISA) to appoint Cybersecurity State Coordinators in each of the 50 states.
Definitions
The bill does not include any definitions. Because the bill amends 6 USC 652 and adds a new section to the same Part, the following definitions from §651 apply to the following terms used in this bill:
• Cybersecurity risk – means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism {referenced to §659(a)}.
• Cyber threat – means an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system {referenced to §1501(5)}.
The following critical terms are not defined for §652 or Part A:
• Cybersecurity threat information – the nearest term defined in 6 USC is ‘cyber threat indicator’ at §1501(6);
• Non-Federal entity – defined at §1501(14), but not incorporated by reference;
• Cybersecurity incidents – defined at §659(a)(3), but not incorporated by reference.
Responsibilities
The duties of the State Cybersecurity Coordinators would be set forth in the new section added to Part A (probably §665, so §665(b)):
• Building strategic relationships across Federal and non-Federal entities by advising on establishing governance structures to facilitate developing and maintaining secure and resilient infrastructure;
• Serving as a principal Federal cybersecurity risk advisor and coordinating between Federal and non-Federal entities to support preparation, response, and remediation efforts relating to cybersecurity risks and incidents;
• Facilitating the sharing of cyber threat information between Federal and non-Federal entities to improve understanding of cybersecurity risks and situational awareness of cybersecurity incidents;
• Raising awareness of the financial, technical, and operational resources available from the Federal Government to non-Federal entities to increase resilience against cyber threats;
• Supporting training, exercises, and planning for continuity of operations to expedite recovery from cybersecurity incidents, including ransomware;
• Serving as a principal point of contact for non-Federal entities to engage with the Federal Government on preparing, managing, and responding to cybersecurity incidents;
• Assisting non-Federal entities in developing and coordinating vulnerability disclosure programs consistent with Federal and information security industry standards; and
• Performing such other duties as necessary to achieve the goal of managing cybersecurity risks in the United States and reducing the impact of cyber threats to non-Federal entities.
No funding is provided in the bill for the new requirements.
Moving Forward
Hassan and her three cosponsors {Sen Cornyn (R,TX), Sen Portman (R,OH) and Sen Peters (D,MI)} are all influential members of the Senate Homeland Security and Government Affairs Committee to which this bill was assigned for consideration. There is a high likelihood that this bill will be considered in Committee. I see nothing in the bill that would draw any serious opposition and it should be approved in Committee with strong bipartisan support.
This bill is not important enough to be considered in normal order on the floor of the Senate, particularly in an election year. I suspect that the bill could be approved under the unanimous consent process, but there is always the prospect of a single Senator raising an objection to that consideration for reasons unrelated to the bill’s provisions.
Commentary
This bill once again brings up the basic systemic discrepancy found in the definitions used in the authorizing language for CISA. The ‘cyber risk’ definition is based upon the IT-restrictive definition of ‘information system’ found in §659, while the ‘cyber threat’ definition is based upon the OT-inclusive definition in §1501. Again, I have addressed these definitional problems in detail in an earlier post.
For this bill a separate issue is the use of three critical undefined terms. For these terms I would recommend adding the following language to the new §665:
Insert (d):
“(d) Definitions – In this section
“(1) Cybersecurity threat information – the term ‘cybersecurity threat information’ has the meaning given to the term ‘cyber threat indicator’ in 6 USC 1501(6);
“(2) Non-Federal entity – the term ‘non-Federal entity’ has the meaning given to that term in 6 USC 1501(14);
“(3) Cybersecurity incidents – the term ‘cybersecurity incidents’ has the meaning given to the term ‘incidents’ in 6 USC 659(a)(3).”
While the above definitions, if not corrected, will still include the IT/OT confusion, they will ensure that the State Coordinators will have the authority to work with private sector organizations to coordinate cybersecurity programs. I am sure that CISA, even with the definitional confusion, would expansively interpret things to be able to include control system security issues with both governmental and private sector organizations.
Another problem with the bill is the perennial funding issue. With no additional funding being authorized for these positions, CISA will theoretically need to take these new 50 coordinator positions out of their current headcount and provide the necessary office staff (at least a secretary and a driver) and office space funding out of the current authorization. Unless the spending process for the next fiscal year provides for extra money (an open question), the additional funding and headcount will come at the expense of some other CISA program.
One final issue: the bill does not address the provision of any cybersecurity coordinators for the District of Columbia, Puerto Rico or any of the Pacific territories.