Last month Sen Markey (D,MA) introduced S 4023, the Enhancing
Maritime Cybersecurity Act of 2020. The bill would require that the DHS Cybersecurity
and Infrastructure Security Agency (CISA) ensure the availability of a
resource, or a consolidated series of resources, to assist maritime operators
in identifying, detecting, protecting against, responding to, and recovering
from cyber incidents. No funding is authorized by this bill.
Definitions
Section 2(a) of the bill provides the definition of key
terms used in the legislation. It takes the definition of the term ‘cyber
incident’ from the Presidential
Policy Directive #41 (July 26th, 2016). That document defines
the term as:
“An event occurring on or conducted
through a computer network that actually or imminently jeopardizes the
integrity, confidentiality, or availability of computers, information or
communications systems or networks, physical or virtual infrastructure controlled
by computers or information systems, or information resident thereon. For
purposes of this directive, a cyber incident may include a vulnerability in an
information system, system security procedures, internal controls, or
implementation that could be exploited by a threat source.”
Cybersecurity Resources
Section 2(b) of the bill would require CISA, in consultation
with the Maritime Administration and the Coast Guard, to make available
cybersecurity resources designed “to assist maritime operators in identifying,
detecting, protecting against, responding to, and recovering from cyber
incidents” {§2(b)(1)}. The cybersecurity resources would be based upon the NIST Cybersecurity
Framework and the IMO “Guidelines
on Maritime Cyber Risk Management”. The resources directive includes a mandate
for CISA to “establish a structured cybersecurity assessment and development
program” {§2(b)(2)(C)}.
Cyber Coordinator
Section 2(c) would require the DOT’s Maritime Administration
to “designate an office as a ‘cyber coordinator’”. That office would be responsible
for:
• Coordinating with the CISA and
the Coast Guard on cybersecurity activities for the commercial maritime sector
and cyber incidents that affect maritime operators,
• Ensuring that maritime operators are aware of available secure methods of notifying the United States Government of cyber incidents,
• Notifying the CISA and the Coast Guard of unaddressed cyber incidents that affect maritime operators,
• Ensuring that maritime operators have access to educational resources, conducting outreach, and ensuring awareness on fundamental principles and best practices in cybersecurity for maritime systems, including the cyber resource developed under this section.
Moving Forward
Markey is a member of the Senate Commerce, Science, and Transportation
Committee to which this bill was assigned for consideration. Markey is the
Ranking Member of the Security Subcommittee. This should mean that he would
have enough influence to see this bill considered in Committee. Unfortunately,
this is a COVID-19 reduced election year where minor bills like this are
unlikely to receive consideration.
I see nothing in this bill that would engender serious
opposition to the bill, especially since no monies are authorized.
Commentary
With no cosponsors associated with the bill, this looks like
another stone in Markey’s cybersecurity house that will not be going anywhere.
It will help to establish Markey as a cybersecurity legislator but will do
nothing to see actual cybersecurity law or policy affected.