Showing posts with label HR 3010.

Thursday, July 13, 2017

S 1475 Introduced – Cyber Hygiene

Last month Sen. Hatch (R,UT) introduced S 1475, the Promoting Good Cyber Hygiene Act of 2017. This is very similar to HR 3010. While not strictly a companion measure (due to changes in formatting, word order and organization), this bill would establish the same voluntary cybersecurity program, principally for use by the Federal Government.

Moving Forward


Unlike the sponsorship situation with HR 3010, Sen. Markey (D,MA), a cosponsor of this bill, is a member of the Senate Commerce, Science, and Transportation Committee (Hatch is not) so there is a possibility that this bill could be considered by that Committee.

Markey has worked hard on establishing a reputation as a cybersecurity gadfly (I use that term with a certain amount of admiration) in the Senate. Unfortunately, his scattergun approach to crafting cybersecurity language has left him with a significant amount of inherent opposition to his bills; none of the bills that he has offered to date (admittedly still early in the session) has been considered in Committee.

Commentary



This bill sounds good, but, like its companion, it has some serious definition problems in the IoT provisions. That ICS-inclusive definition has essentially no effect on the required study, because that study is to consider the effects of the identified cybersecurity concerns upon Federal IT systems.

Friday, June 30, 2017

HR 3010 Introduced – Cyber Hygiene

Last week Rep. Eshoo (D,CA) introduced HR 3010, the Promoting Good Cyber Hygiene Act of 2017. The bill would require the National Institute of Standards and Technology to establish a list of best practices for effective and usable cyber hygiene based upon the Cybersecurity Framework (CSF) established pursuant to EO 13636.

Information System Guidelines


The best practice guidelines would be available to all personnel “utilizing an information system or device”. Adoption of the best practices would be voluntary and should serve as a baseline upon which additional cybersecurity practices are established. NIST would be required to update the guidelines on an annual basis.

The guidelines would {§2(a)}:

• Be a list of simple, basic controls that have the most impact in defending against common cybersecurity threats and risks; and
• Utilize technologies that are commercial off-the-shelf and based on international standards.

IOT Cyber Hygiene


Paragraph 2(h) of the bill would require DHS (in coordination with NIST and the Federal Trade Commission) to conduct a study of “cybersecurity threats relating to the Internet of Things” (IoT) {§2(h)(2)}. The study would {§2(h)(3)}:

• Assess cybersecurity threats relating to the Internet of Things;
• Assess the effect such threats may have on the cybersecurity of the information systems and networks of the Federal Government; and
• Develop recommendations for addressing such threats.

In this paragraph IoT is defined as “the set of physical objects embedded with sensors or actuators and connected to a network” {§2(h)(1)}.

Moving Forward


Neither Eshoo nor her co-sponsor, Rep. Brooks (R,IN), is a member of the House Science, Space, and Technology Committee, the Committee to which this bill was assigned for consideration. This means that it is extremely unlikely that the bill will be considered in that Committee.

There is nothing in this bill that would cause any serious opposition to the bill if it were considered in committee or on the floor of the House or Senate.

Commentary


The lack of a definition of ‘information system or device’ would typically mean that the common usage of that term, the narrow IT-centric definition, would probably exclude industrial control systems (ICS) from specific inclusion in the cyber hygiene guidelines.

Having said that, the very wide and ICS-inclusive definition of IoT that would support Federal information systems and networks throws the whole meaning of ‘information system’ open to serious interpretive problems.

For the purposes of this bill, however, since neither NIST nor DHS would be provided any funding to establish the guidelines or conduct the study, the two agencies would use the narrowest, IT-centric definition. They would certainly be ignoring the much more complex ICS cybersecurity issues in the NIST guidelines.


This would greatly reduce the scope of any IoT study conducted under provisions of this bill. The only devices that would probably be considered would be devices supporting network communications and server farms. That is a very small part of the IoT cybersecurity problem. Including the IoT study in this bill underlines how poorly congresscritters and their staffs understand the potential scope of IoT cybersecurity issues.

Friday, June 23, 2017

Bills Introduced – 6-22-17

Yesterday, with both the House and Senate in session, there were 67 bills introduced. Of those, two may be of specific interest to readers of this blog:

HR 3010 To provide for the identification and documentation of best practices for cyber hygiene by the National Institute of Standards and Technology, and for other purposes. Rep. Eshoo, Anna G. [D-CA-18]

S 1405 A bill to amend title 49, United States Code, to authorize appropriations for the Federal Aviation Administration, and for other purposes. Sen. Thune, John [R-SD]

As readers of this blog would expect, HR 3010 will only receive further coverage here if it contains specific control system security language.

The FAA authorization act will be watched for cybersecurity provisions.