Thursday, May 13, 2021

S 1316 Introduced - Cyber Response and Recovery Act

Last month Sen. Peters (D,MI) introduced S 1316, the Cyber Response and Recovery Act of 2021. The bill would add a new subchapter to Title XXII of the Homeland Security Act of 2002. It would allow DHS to declare a ‘significant incident’. It would also provide for the establishment of a Cyber Response and Recovery Fund.

Definitions

Section 2231 provides definitions for unique terms to be used in the new subchapter. The eight definitions include two new significant terms: ‘asset response activity’ and ‘significant incident’.

The term ‘asset response activity’ is defined as an activity to support an entity impacted by an incident with the response to, remediation of, or recovery from, the incident, including {§2231(2)}:

• Furnishing technical and advisory assistance to the entity to protect the assets of the entity, mitigate vulnerabilities, and reduce the related impacts,

• Assessing potential risks to the critical infrastructure sector or geographic region impacted by the incident, including potential cascading effects of the incident on other critical infrastructure sectors or geographic regions,

• Developing courses of action to mitigate the risks assessed above,

• Facilitating information sharing and operational coordination with entities performing threat response activities, and

• Providing guidance on how best to use Federal resources and capabilities in a timely, effective manner to speed recovery from the incident.

The term ‘significant incident’ is defined as an incident or a group of related incidents that results, or is likely to result, in demonstrable harm to {§2231(8)}:

• The national security interests, foreign relations, or economy of the United States, or

• The public confidence, civil liberties, or public health and safety of the people of the United States.

A significant incident does not include an incident that takes place on a national security system {44 USC 3552(6)} or on a DOD or intelligence community information system {44 USC 3353(e)}.

Neither of the two definitions above mentions anything to do with computer systems, cyber systems or information systems. This is because the term ‘incident’ is defined by reference to 44 USC 3552(2). There it is defined as an occurrence that:

• Actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or

• Constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

Significant Incident Declaration

Section 2232 authorizes the Secretary of DHS (not to be delegated), in consultation with the National Cyber Director, to declare a significant incident if such an incident occurs or is imminently expected to occur and it is determined that available resources “are likely insufficient to respond effectively to, or to mitigate effectively, the specific significant incident” {§2232(a)(1)(B)}.

Section 2232(b) requires CISA to coordinate “the asset response activities of each Federal agency in response to the specific significant incident associated with the declaration” {§2232(b)(1)}. CISA will also coordinate with {§2232(b)(2)}:

• Public and private entities and State and local governments with respect to the asset response activities of those entities and governments; and

• Federal, State, local, and Tribal law enforcement agencies with respect to investigations and threat response activities of those law enforcement agencies.

The section provides that a declaration will last up to 120 days, and the Secretary may extend the declaration as required. Declarations will be published in the Federal Register.

Section 2232(f) authorizes the Secretary to take preparatory actions before an incident is declared, including “entering into standby contracts with private entities for cybersecurity services or incident responders in the event of a declaration” {§2232(f)(2)}.

Cyber Response and Recovery Fund

Section 2233 establishes the Cyber Response and Recovery Fund. The funds could be used for coordination activities. They could also be used for response and recovery support for “Federal, State, local, and Tribal, entities and public and private entities on a reimbursable or non-reimbursable basis”. That support would be for asset response activities and technical assistance, such as {§2233(a)(2)}:

• Vulnerability assessments and mitigation,

• Technical incident mitigation,

• Malware analysis,

• Analytic support,

• Threat detection and hunting, and

• Network protections.

Section 2236 authorizes $20 million for the Fund.

Moving Forward

As I mentioned yesterday, this bill was adopted by the Senate Homeland Security and Governmental Affairs Committee after it was amended with substitute language. The unanimous consent adoption of the substitute language indicates that the bill has strong bipartisan support. This is not unexpected in the face of the recent cybersecurity incidents to which the country has been responding. We will not be able to see the substitute language until the Committee publishes their report.

After the Colonial Pipeline incident, I suspect that this bill could be brought to the floor of the Senate. That would provide Senators with a chance to demonstrate their active support for cybersecurity response activities by CISA. This would also allow for significant amendment activities that could provide a vessel for other cybersecurity bills that might not be able to justify full floor proceedings and might face limited objections that could prevent the use of the Senate’s unanimous consent process.

While this bill could be considered under that unanimous consent process, I suspect that there are Senators that would use their potential objection as a threat to get their own cybersecurity language considered.

Commentary

Definition RANT: The incident definition upon which this legislation relies is based upon the IT-restrictive definition of ‘information system’ found in 44 USC 3352. This means that an incident that primarily affects an operational system rather than an IT system could not properly qualify as a significant incident.

There is currently no definition of ‘incident’ that relies on a more ICS-inclusive definition of ‘information system’. That could be remedied by adding a definition of ‘information system’ in §2331 with a reference to the definition in 6 USC 1501(9).

I think that this would be a good vessel for making definitional changes to 6 USC 659 that could be made applicable to this proposed legislation. I have written about these proposed changes on a number of occasions (see here for example). I would suggest adding a new §3 to the bill, entitled ‘Cybersecurity Definitions’:

Sec. 3. Cybersecurity Definitions.

(a) The following term and definition will be added to 6 USC 659(a):

“(1) the term ‘control system’ means a discrete set of information resources, sensors, communications interfaces and physical devices organized to monitor, control and/or report on physical processes, including manufacturing, transportation, access control, and facility environmental controls;”

(b) The definition of the term “incident” will be revised to read:

“(4) the term "incident" means an occurrence that actually or imminently jeopardizes, without lawful authority:

“(A) the integrity, confidentiality, or availability of information on an information system,

“(B) the timely availability of accurate process information, the predictable control of the designed process or the confidentiality of process information, or

“(C) an information system or a control system;”

This would then allow the definition in §2231 for the term ‘incident’ to be changed to refer to the revised definition in 6 USC 659(a).

Finally, for clarity’s sake, I would change the term ‘significant incident’ to ‘significant cyber incident’.
