Last month Rep McCaul (R,TX) introduced HR 1251, the Cyber Diplomacy Act of 2021. The bill would establish an international cyber policy “to work internationally to promote an open, interoperable, reliable, unfettered, and secure Internet governed by the multi-stakeholder model” {§4(a)}.
Definitions
Section 3 of the bill establishes the definitions for three key terms used in the bill, the most important of which is ‘information and communications technology’ (ICT). That term is defined as “hardware, software, and other products or services primarily intended to fulfill or enable the function of information processing and communication by electronic means, including transmission and display, including via the Internet” {§3(2)}.
Policy Objectives
In implementing this policy, the bill requires the President to pursue the following objectives {§4(b)}:
• Clarifying the applicability of international laws and norms to the use of ICT.
• Reducing and limiting the risk of escalation and retaliation in cyberspace, damage to critical infrastructure, and other malicious cyber activity that impairs the use and operation of critical infrastructure that provides services to the public,
• Cooperating with like-minded democratic countries that share common values and cyberspace policies with the United States, including respect for human rights, democracy, and the rule of law, to advance such values and policies internationally,
• Encouraging the responsible development of new, innovative technologies and ICT products that strengthen a secure Internet architecture that is accessible to all,
• Securing and implementing commitments on responsible country behavior in cyberspace based upon accepted norms, and
• Advancing, encouraging, and supporting the development and adoption of internationally recognized technical standards and best practices.
Among the ‘accepted norms’ that the bill would require the President to support would be {§4(b)(5)(C)}:
“Countries should not conduct or knowingly support ICT activity that, contrary to international law, intentionally damages or otherwise impairs the use and operation of critical infrastructure providing services to the public, and should take appropriate measures to protect their critical infrastructure from ICT threats.”
Moving Forward
This bill was considered by the House Foreign Affairs Committee on February 25th, 2021. It was amended with substitute language (not currently available) and approved by the Committee (as part of an en bloc consideration) by voice vote. That would indicate wide bipartisan support for the bill, which should carry over to the floor of the House. It is likely that the bill would be considered under the suspension of the rules process in the House.
Commentary
This is primarily an information and communications technology security bill. The new ICT terminology is an interesting expansion of the information technology concept to specifically include the necessary communications aspects that are really key to the efficacy of IT operations and security.
The one objective that seems to address industrial control system security is the oddly worded:
“Reducing and limiting the risk of escalation and retaliation in cyberspace, damage to critical infrastructure, and other malicious cyber activity that impairs the use and operation of critical infrastructure that provides services to the public,”
Parsing that out, there are two specifically operational technology related provisions that would attempt to reduce and limit:
• Damage to critical infrastructure, and
• Other malicious cyber activity that impairs the use and operation of critical infrastructure that provides services to the public.
That, combined with the ‘accepted norm’ described above, would seem to make it clear that preventing cyber attacks on critical operational technology will be a key part of the foreign policy of the United States. How the crafters of this bill expect the President and the State Department to accomplish this by diplomatic means is unclear.