Thursday, July 9, 2020

S 3929 Introduced – NG Cyber Response Pilot


Last month Sen Peters (D,MI) introduced S 3929, a bill that would provide for a pilot program to demonstrate remote, inter-state support for cybersecurity activities of the National Guard. The bill would authorize both the Department of the Army and the Department of the Air Force to each carry out such a pilot program in coordination with the National Guard Bureau, the Department of Homeland Security and appropriate State entities.

Pilot Program


The pilot programs authorized by this bill would be designed “to assess the feasibility and advisability of the development of a capability within the National Guard through which a National Guard of a State remotely provides State governments and the National Guard of other States (whether or not in the same Armed Force as the providing National Guard) with cybersecurity technical assistance in training, preparation, and response to cyber incidents” {§1(a)(1)}.

Prior to conducting a pilot program authorized by this bill, the Secretary would be required to conduct an assessment of existing {§1(b)(1)}:

• Cyber capabilities available to States,
• Cyber response capacities of the National Guard in each State,
• Platforms, technologies, or capabilities of a National Guard that provides the capability for remote cyber support operations.

The pilot program will include a technical capability to allow a National Guard unit to “remotely provide cybersecurity technical assistance to State governments and the National Guard of other States, without the need to deploy outside its home State” {§1(c)(1)}. While the use of existing technologies is authorized, any newly developed technologies or capabilities would be designed/developed in consultation with DHS. Newly developed technology or capabilities would be required to demonstrate interoperability “with other Federal and non-Federal cyber response entities, including the Department of Homeland Security” {§1(c)(1)(B)}.

The pilot program would also include the development of policies, processes, procedures, and authorities for use of such a capability to include {§1(c)(2)}:

• The roles, responsibilities, and authorities of both requesting and deploying State governments, National Guards, and DHS,
• Program management and governance structures for deployment and maintenance of the capability,
• Security when performing remote support, including in matters such as authentication and remote sensing, and
• The efficient and effective use by Federal and non-Federal entities of the interoperability functionality of the capability.

Each pilot program would run for no more than three years.

The bill would authorize $6 million to DOD for support of the pilot programs; the use of existing DOD funding would also be authorized.

Moving Forward


Peters is a member of the Senate Armed Services Committee to which this bill was referred for consideration. This means that there would be a chance that the bill would be considered in Committee. I see nothing in the bill that would raise any serious opposition to the approval of the bill in Committee or on the floor of the Senate. The minuscule amount authorized to support the pilot program should not be an impediment.

Peters has submitted language similar to this bill as a proposed amendment (SA 1751, pg S 3258) to S 4049, the FY 2021 National Defense Authorization Act. It was not included as part of the en bloc amendment adoption on July 2nd, but it still could be considered when the Senate returns from their 4th of July recess on July 20th.

Commentary


There is nothing in the language in this bill that would specifically include (or exclude, for that matter) the protection of industrial control systems as part of the proposed pilot program. I think that this is an oversight on the part of Peters’ staff since the support provided by the pilot program would be specifically targeted at protecting State and local governments. While most people naturally think of information technology when they consider governmental cybersecurity, there are a large number of operational technology systems in operation in various State and local governmental agencies, particularly (but not exclusively by any means) in governmental utilities.

With that in mind, I would have liked to have seen specific language requiring the pilot programs to address control system cybersecurity capabilities. That being the case, I would like to suggest the following changes:

§1(b)(1) conduct an assessment of—
(A) existing cyber capabilities available to States, specifically including capabilities to protect operational technology and control systems used by government owned/operated utilities;
(B) existing cyber response capacities, including industrial control system security capabilities, of the Army National Guard or Air National Guard, as applicable, in each State;

§1(c)(1) A technical capability that enables the National Guard of a State to remotely provide cybersecurity technical assistance to State governments and the National Guard of other States, without the need to deploy outside its home State. The design and any development of such capability shall—
(A) occur in consultation with the Secretary of Homeland Security; and
(B) enable, upon deployment and operation of the capability, interoperability with other Federal and non-Federal cyber response entities, including the Department of Homeland Security; and
(C) specifically include capabilities to address cybersecurity issues with industrial control systems typically found in:
(i) electric, water, and gas utilities;
(ii) transit systems; and
(iii) building control systems.
