Last week Rep Schiff (D,CA) introduced HR 7856,
the Intelligence Authorization Act for Fiscal Year 2021. This is the House
version of the annual intel authorization bill that is typically considered ‘must
pass’ legislation, though that has not been the case over the last couple of
years. The Senate version of this bill was included in S 4049, the FY 2021
National Defense Authorization Act. This version of the bill includes two
cybersecurity threat intelligence provisions that could affect private sector
entities. A third cybersecurity provision would require a study on the possibility
of mandating cybersecurity standards for intelligence agency contractors.
Threat Intelligence
The two cybersecurity threat intelligence provisions are
found in:
§605. Process for identifying cyber
threat intelligence needs and priorities (pg 95), and
§606. Reviews of intelligence
community cyber threat sharing posture and National Security Directive 42 (pg
99).
Section 605 would require the Director of National
Intelligence (DNI) to “establish a formal process to solicit and compile information
needs of covered entities to improve the defenses of such entities against
foreign cybersecurity threats” {§605(a)(1)}. This process would be developed in
coordination with DHS and those Sector-Specific Agencies deemed appropriate by
the DNI.
There are two key definitions for this section: ‘covered
entities’ and ‘cybersecurity threat’. The term ‘covered entities’ is defined as
“owners and operators of critical infrastructure” {§605(d)(2)} as that term is
defined in 42
USC 5195c(e). This section uses the definition of ‘cybersecurity threat’
found in
6 USC 1501(5).
Based upon the information provided by the covered entities
the DNI is required to identify {§605(b)}:
• Common technologies or interdependencies
that are likely to be targeted by nation-state adversaries, and
• Foreign intelligence
gaps regarding foreign cybersecurity threats to covered entities.
Additionally, the DNI is required to “identify and execute
methods of empowering Sector-Specific Agencies to” {§605(b)(3)}:
• Identify specific critical lines
of businesses, technologies, and processes within their respective sectors; and
• Coordinate directly with the
intelligence community regarding sector-specific cybersecurity threats.
Finally, the DNI is required to “consider whether to enhance
or adjust national intelligence collection and analysis priorities” {§605(b)(4)}.
A report to Congress is required.
Section 606 addresses threat intelligence information
sharing with ‘covered entities’. The definition of ‘covered entities’ is
expanded from the previous section. It is defined as {§606(c)(2)}:
• Owners and operators of critical
infrastructure; and
• Academic institutions in the
United States, corporations incorporated in the United States, and corporations
operating inside the United States.
Section 606(a)(1) requires the DNI to “conduct a review of
applicable laws, policies, procedures, and resources of the intelligence
community that apply to the intelligence community’s understanding of
cybersecurity threats to covered entities” including an analysis of “the
ability of the intelligence community to share cyber threat information with
the Federal departments and agencies responsible for providing warning and
indicators to covered entities to enable them to defend against such threats”.
The review would specifically include {§606(a)(2)}:
• The capabilities and limitations
of the intelligence community in collection on foreign adversary malicious
cyber activity targeting covered entities,
• The ability of the intelligence
community to share cyber threat intelligence information with covered entities,
• Procedures for the sanitization
and declassification of intelligence, including the efficiency of such
procedures,
• Which criteria and procedures
should be implemented to identify intelligence community products for expedited
sharing,
• Current and projected national
intelligence requirements that relate to cybersecurity threats to covered
entities,
• Budgetary changes to ensure that
the intelligence community is postured to provide adequate indicators and
warning of cybersecurity threats to covered entities.
Cybersecurity Standards
Section 607 of the bill would require the DNI to “conduct a
feasibility study with respect to requiring contractors (including
subcontractors) of departments or agencies of the Federal Government that own
or operate national security systems to implement mandatory cybersecurity
policies or defensive measures” {§607(a)}. The study would include:
• The estimated cost to the Federal
Government of deploying such mandatory cybersecurity policies or defensive
measures,
• Whether there are sufficient
legal and policy authorities in place to implement such mandatory cybersecurity
policies or defensive measures,
• A description of enforcement
mechanisms for such mandatory cybersecurity policies or defensive measures, and
• The timeline for implementation
of such mandatory cybersecurity policies or defensive measures.
Moving Forward
The bill was ordered to be reported favorably by the House Permanent
Select Committee on Intelligence. It is very likely that the bill will be
considered by the whole House, probably after the November election. According
to a Committee press
release on the bill, it was adopted in Committee along party lines. Thus
the bill will be considered under rule and will almost certainly pass with
minimal bipartisan support.
The Senate is unlikely to take up the bill, for both
political and procedural reasons. If the Republicans in the House will not
support the bill, neither will the Republican-controlled Senate. But more
importantly, the Senate already passed their version of the Act as part (Division
F) of S 4049, the FY 2021 National Defense Authorization Act. Thus, the Intel
Authorization Act will be resolved (probably) as part of that bill in
conference. It is possible that the provisions that I have discussed here could
make it into that final revised version of the NDAA.