Sunday, January 23, 2022

Review - S 3511 Introduced – Satellite Cybersecurity

Earlier this month, Sen Peters (D,MI) introduced S 3511, the Satellite Cybersecurity Act. The bill would require CISA to establish a commercial satellite system cybersecurity clearinghouse and to develop voluntary cybersecurity recommendations designed to assist in the development, maintenance, and operation of commercial satellite systems. No funding is authorized by this bill.

Peters is the Chair of the Senate Homeland Security and Governmental Affairs Committee, the committee to which this bill was assigned for consideration. This should ensure that there is adequate influence to see this bill considered in Committee. Since the bill only requires the development of ‘voluntary’ security measures, I do not see any significant organized objections interfering with the consideration of this bill. I suspect that the bill will pass out of Committee with at least some level of bipartisan support.

Commentary

We continue to see problems with the definitions used by congressional staff in the crafting of cybersecurity legislation that affects operational technology or control systems that directly affect physical systems. In this case, the two cybersecurity terms defined in §2 are IT-restrictive definitions. The term ‘cybersecurity risk’ for 6 USC 659 is based upon the IT-restricted definition of ‘information system’. Even the term ‘cybersecurity threat’, while based upon the control-system-inclusive definition of ‘information system’ from 6 USC 1501, refers to actions that “adversely impact the security, availability, confidentiality, or integrity of an information system”.

These definitions would suffice if the legislation were only concerned with the information transiting commercial satellites, but the required cybersecurity recommendations from CISA are specifically required to address protecting ‘vital commercial satellite system functions’ and the ‘satellite system’s command, control, and telemetry receiver systems’. Again, the definitions just do not match the requirements.

For more information on what changes to cybersecurity definitions need to be made to adequately reflect control system and operational technology cybersecurity needs, please see my post from February 2019.

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3511-introduced - subscription required.
