Monday, January 27, 2020

S 3207 Introduced – State Cybersecurity Coordinators


Earlier this month Sen Hassan (D,NH) introduced S 3207, the Cybersecurity State Coordinator Act of 2020. The bill would require the DHS Cybersecurity and Infrastructure Security Agency (CISA) to appoint Cybersecurity State Coordinators in each of the 50 states.

Definitions


The bill does not include any definitions. Because the bill amends 6 USC 652 and adds a new section to the same Part, the following definitions from §651 apply to the following terms used in this bill:

• Cybersecurity risk – means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism {referenced to §659(a)}.

• Cyber threat - means an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system {referenced to §1501(5)}.

The following critical terms are not defined for §652 or Part A:

• Cybersecurity threat information – Nearest term defined in 6 USC is ‘cyber threat indicator’ at §1501(6);

• Non-Federal entity – §1501(14), but not incorporated by reference.

• Cybersecurity incidents – §659(a)(3), but not incorporated by reference.


Responsibilities


The duties of the State Cybersecurity Coordinators would be set forth in the new section added to Part A (probably §665, so §665(b)):

• Building strategic relationships across Federal and non-Federal entities by advising on establishing governance structures to facilitate developing and maintaining secure and resilient infrastructure;
• Serving as a principal Federal cybersecurity risk advisor and coordinating between Federal and non-Federal entities to support preparation, response, and remediation efforts relating to cybersecurity risks and incidents;
• Facilitating the sharing of cyber threat information between Federal and non-Federal entities to improve understanding of cybersecurity risks and situational awareness of cybersecurity incidents;
• Raising awareness of the financial, technical, and operational resources available from the Federal Government to non-Federal entities to increase resilience against cyber threats;
• Supporting training, exercises, and planning for continuity of operations to expedite recovery from cybersecurity incidents, including ransomware;
• Serving as a principal point of contact for non-Federal entities to engage with the Federal Government on preparing, managing, and responding to cybersecurity incidents;
• Assisting non-Federal entities in developing and coordinating vulnerability disclosure programs consistent with Federal and information security industry standards; and
• Performing such other duties as necessary to achieve the goal of managing cybersecurity risks in the United States and reducing the impact of cyber threats to non-Federal entities.

No funding is provided in the bill for the new requirements.

Moving Forward


Hassan and her three cosponsors {Sen Cornyn (R,TX), Sen Portman (R,OH) and Sen Peters (D,MI)} are all influential members of the Senate Homeland Security and Government Affairs Committee to which this bill was assigned for consideration. There is a high likelihood that this bill will be considered in Committee. I see nothing in the bill that would draw any serious opposition and it should be approved in Committee with strong bipartisan support.

This bill is not important enough to be considered in normal order on the floor of the Senate, particularly in an election year. I suspect that the bill could be approved under the unanimous consent process, but there is always the prospect of a single Senator raising an objection to that consideration for reasons unrelated to the bill’s provisions.

Commentary


This bill once again brings up the basic system discrepancy found in the definitions used in the authorizing language for CISA. The ‘cyber risk’ definition is based upon the IT restrictive definition of ‘information system’ found in §659 and the ‘cyber threat’ definition is based upon the OT inclusive definition in §1501. Again, I have addressed these definitional problems in detail in an earlier post.

For this bill a separate issue is the use of three critical undefined terms. For these terms I would recommend adding the following language to the new §665:

Insert (d):

“(d) Definitions – In this section

“(1) Cybersecurity threat information – the term ‘cybersecurity threat information’ has the meaning given to the term ‘cyber threat indicator’ in 6 USC 1501(6);

“(2) Non-Federal entity – the term ‘non-Federal entity’ has the meaning given to that term in 6 USC 1501(14);

“(3) Cybersecurity incidents – the term ‘cybersecurity incidents’ has the meaning given to the term ‘incidents’ in 6 USC 659(a)(3).”

While the above definitions, if not corrected, will still include the IT/OT confusion, they will ensure that the State Coordinators will have the authority to work with private sector organizations to coordinate cybersecurity programs. I am sure that CISA, even with the definitional confusion, would expansively interpret things to be able to include control system security issues with both governmental and private sector organizations.

Another problem with the bill is the perennial lack-of-funding issue. With no additional funding being authorized for these positions, CISA will theoretically need to take these new 50 coordinator positions out of their current headcount and provide the necessary office staff (at least a secretary and a driver) and office space funding out of the current authorization. Unless the spending process for the next fiscal year provides for extra money (an open question), the additional funding and headcount will come at the expense of some other CISA program.

One final issue: the bill does not address the provision of any cybersecurity coordinators for the District of Columbia, Puerto Rico or any of the Pacific territories.
