Last month Sen Peters (D,MI) introduced S 3929,
a bill that would provide for a pilot program to demonstrate remote, inter-state
support for cybersecurity activities of the National Guard. The bill would
authorize both the Department of the Army and the Department of the Air Force
to each carry out such a pilot program in coordination with the National Guard
Bureau, the Department of Homeland Security and appropriate State entities.
Pilot Program
The pilot programs authorized by this bill would be designed
“to assess the feasibility and advisability of the development of a capability
within the National Guard through which a National Guard of a State remotely
provides State governments and the National Guard of other States (whether or
not in the same Armed Force as the providing National Guard) with cybersecurity
technical assistance in training, preparation, and response to cyber incidents”
{§1(a)(1)}.
Prior to conducting a pilot program authorized by this bill,
the Secretary would be required to conduct an assessment of existing {§1(b)(1)}:
• Cyber capabilities available to States,
• Cyber response capacities of the National Guard in each State,
• Platforms, technologies, or capabilities of a National Guard that provides the capability for remote cyber support operations.
The pilot program will include a technical capability to allow
a National Guard unit to “remotely provide cybersecurity technical assistance
to State governments and the National Guard of other States, without the need
to deploy outside its home State” {§1(c)(1)}. While the use of existing
technologies is authorized, any newly developed technologies or capabilities would
be designed/developed in consultation with DHS. Newly developed technology or capabilities
would be required to demonstrate interoperability “with other Federal and
non-Federal cyber response entities, including the Department of Homeland Security”
{§1(c)(1)(B)}.
The pilot program would also include the development of policies,
processes, procedures, and authorities for use of such a capability to include {§1(c)(2)}:
• The roles, responsibilities, and authorities of both requesting and deploying State governments, National Guards, and DHS,
• Program management and governance structures for deployment and maintenance of the capability,
• Security when performing remote support, including in matters such as authentication and remote sensing, and
• The efficient and effective use by Federal and non-Federal entities of the interoperability functionality of the capability.
Each pilot program would run for no more than three years.
The bill would authorize $6 million to DOD for support of
the pilot programs; the use of existing DOD funding would also be authorized.
Moving Forward
Peters is a member of the Senate Armed Services Committee to
which this bill was referred for consideration. This means that there would be
a chance that the bill would be considered in Committee. I see nothing in the
bill that would raise any serious opposition to the approval of the bill in
Committee or on the floor of the Senate. The minuscule amount authorized to
support the pilot program should not be an impediment.
Peters has submitted language similar to this bill as a
proposed amendment (SA 1751, pg S 3258) to S 4049, the FY 2021 National
Defense Authorization Act. It was not included as part of the en bloc
amendment adoption on July 2nd, but it still could be considered
when the Senate returns from their 4th of July recess on July 20th.
Commentary
There is nothing in the language in this bill that would
specifically include (or exclude, for that matter) the protection of industrial
control systems as part of the proposed pilot program. I think that this is an
oversight on the part of Peters’ staff since the support provided by the pilot
program would be specifically targeted at protecting State and local
governments. While most people naturally think of information technology when
they consider governmental cybersecurity, there are a large number of
operational technology systems in operation in various State and local
governmental agencies, particularly (but not exclusively by any means) in
governmental utilities.
With that in mind, I would have liked to have seen specific
language requiring the pilot programs to address control system cybersecurity
capabilities. That being the case, I would like to suggest the following
changes:
§1(b)(1) conduct an assessment of—
(A) existing cyber capabilities available to States, specifically including capabilities to protect operational technology and control systems used by government owned/operated utilities;
(B) existing cyber response capacities, including industrial control system security capabilities, of the Army National Guard or Air National Guard, as applicable, in each State;
§1(c)(1) A technical capability that enables the National Guard of a State to remotely provide cybersecurity technical assistance to State governments and the National Guard of other States, without the need to deploy outside its home State. The design and any development of such capability shall—
(A) occur in consultation with the Secretary of Homeland Security;
(B) enable, upon deployment and operation of the capability, interoperability with other Federal and non-Federal cyber response entities, including the Department of Homeland Security; and
(C) specifically include capabilities to address cybersecurity issues with industrial control systems typically found in:
(i) electric, water, and gas utilities;
(ii) transit systems; and
(iii) building control systems.