Showing posts with label HR 3388. Show all posts

Monday, July 5, 2021

Review - HR 3388 Introduced - Protecting Critical Infrastructure Act

Rep Fallon (R,TX) introduced HR 3388, the Protecting Critical Infrastructure Act of 2021. The bill adds enhanced penalties for cyber fraud against critical infrastructure and establishes sanction requirements for foreign persons that “knowingly accesses or attempts to access critical infrastructure”.

CI Computer Fraud

Section 2 of the bill amends 18 USC 1030(c) by adding a new paragraph (5) with an additional penalty:

“(5) a fine under this title and imprisonment for not less than 30 years or for life, in the case of an offense that involves critical infrastructure (as such term is defined in section 1016(e) of Public Law 107–56 (42 U.S.C. 5195c(e))).”.

Sanctions

Section 3 requires the President to “impose the sanctions described in subsection (b) with respect to any foreign person that the President determines knowingly accesses or attempts to access critical infrastructure”. The sanctions listed in subsection (b) are:

Asset blocking,

Ineligibility for visas, admission, or parole, and

Revoking current visas.

The President is also specifically allowed to apply the sanctions listed in 50 USC 1702 and 1704.

Moving Forward

Fallon is not a member of either the House Judiciary Committee or the Committee on Foreign Affairs. This means that the bill is unlikely to receive a hearing in either committee. This is one of those feel-good bills that sounds like it would address a clearly dangerous situation. I suspect that the bill would receive some bipartisan support if it were considered on the floor of the House, but there would be enough members in either committee that would vote against the bill because of the inherent problems associated with the poorly considered sanctions program. In short, this bill is not going anywhere except into Fallon’s campaign literature.

For a more detailed look at this bill, including potential changes, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-3388-introduced - subscription required.

Friday, May 21, 2021

Bills Introduced – 5-20-21

Yesterday, with both the House and Senate in session, there were 177 bills introduced. Two of those bills may receive additional coverage in this blog:

HR 3386 To promote the use of smart technologies and systems in communities, and for other purposes. Rep. DelBene, Suzan K. [D-WA-1]

HR 3388 To amend title 18, United States Code, to increase penalties for certain computer fraud and related offenses that involve critical infrastructure, and for other purposes. Rep. Fallon, Pat [R-TX-4]

I will be watching both bills for language and definitions that would specifically include industrial control systems in their coverage.

Friday, December 7, 2018

New Language for S 1885 Considered – Automated Vehicles


There is an interesting article over on Wired.com about a last minute effort to get S 1885, the American Vision for Safer Transportation through Advancement of Revolutionary Technologies (AV START) Act, through the Senate. Apparently a key to that effort is revised language (not taken from an official Senate site) for that bill with provisions to appease various critics of the bill. That proposed revision includes changes to the cybersecurity provisions in the bill and a new section that would require an additional study of the cybersecurity tools implemented by the automotive industry in support of this new technology.

Changes in Cybersecurity Language


The version of S 1885 reported in the Senate includes three sections that address cybersecurity issues with varying effectiveness.

§14. Cybersecurity.
§16. Cybersecurity consumer education information.
§17. Provision of cybersecurity resource information.

Sections 16 and 17 of the draft currently circulating are essentially identical to those sections in the reported version of the bill. Section 14 is where we see the changes being made.

The most obvious change is found in paragraph (a) of the newly proposed 49 USC 30108, the definition paragraph. All of the definitions in the reported version have been removed and a ‘new definition’ has been provided for the single remaining term ‘cybersecurity incident’. The definition now refers to the term ‘significant cyber incident’ in Presidential Policy Directive 41 (PPD-41). The previous definition referred to the term ‘incident’ in 6 USC 148(a)(3). This change restricts covered incidents to those that “result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people”. In practice the last of those targets (‘public health and safety of the American people’) is what would most likely apply to the automated driving systems covered in this bill.

The second and final change to §14 is also subtle. Paragraph (b) of the new §30108 describes the written ‘cybersecurity plan’ that manufacturers will be required to “develop, maintain, and execute” {new §30108(b)(1)}. The new language for subparagraph (b)(2)(I), which aligns the cybersecurity plan with the requirements of 15 USC 272(e), removes the requirement that the alignment be supportive of “voluntary efforts by industry and standards-setting organizations to develop and identify consistent standards and guidelines relating to vehicle cybersecurity, consistent, and to the extent appropriate with…”. It replaces that language with the slightly more directive “considering consistency and alignment with” the cybersecurity risk management approach of §272(e).

New Cybersecurity Provision


The substitute language would add a new §24, Cybersecurity Tools Study. This would require DOT to conduct a study and submit a report to Congress within 2 years of the passage of this bill. The report would identify existing “measures, guidelines, or practices used to identify, protect, detect, respond to, or recover from cybersecurity incidents affecting the safety of a passenger motor vehicle” {§24(b)(1)(A)}, and the extent to which those measures are being used. The report would also be required to describe the susceptibility of passenger motor vehicles to cybersecurity incidents and the “degree of cybersecurity risk to the safety of a passenger motor vehicle” {§24(b)(1)(B)(iii)}.

Moving Forward


Two different blogs (here and here) are reporting that Sen. Feinstein (D,CA) and Sen. Markey (D,MA) will object to this draft language if it were offered in the Senate. At this late date, it would almost certainly be offered under the unanimous consent process and the objection of either Feinstein or Markey would kill that consideration.

If this bill were passed in the Senate (and it probably would if there were time for it to be considered under regular order) it would also have to be taken up by the House before the end of the month. While there was bipartisan support for a similar bill (HR 3388) in the House last year, it is unlikely that the House would be able to fit this bill into their limited schedule.


There are some indications that some version of this bill could be added to the final spending bill that is supposed to be considered by December 21st, 2018. The inclusion of such language is unlikely to affect the passage of that bill.

Sunday, October 1, 2017

S 1885 – Introduced – Automated Vehicles

Last week Sen. Thune (R,SD) introduced S 1885, the American Vision for Safer Transportation through Advancement of Revolutionary Technologies (AV START) Act. As I mentioned in an earlier post, I am writing this analysis based not upon the official GPO version of the bill (not yet released), but upon a committee draft, because the bill will be marked up in the Senate Commerce, Science, and Transportation Committee on Wednesday.

While this bill is, according to the Thune press release, based upon the “bipartisan provisions from the SELF-DRIVE Act (H.R. 3388) [link added]”, it is actually a fairly comprehensive rewrite of the provisions of that bill.

Definitions


The bill does not use many of the definitions provided in HR 3388, preferring instead to use technical definitions from the Society of Automotive Engineers (SAE J3016A) for most of the automated vehicle terminology. It does add some definitions {new §30108(a)} missing from the House bill concerning cybersecurity. Those definitions are based upon existing definitions in US law:

• ‘Cybersecurity incident’ – 6 USC 148(a)(3);
• ‘Cybersecurity risk’ – 6 USC 148(a)(1); and
• ‘Cybersecurity vulnerability’ – 6 USC 1501(17).

Actually, there is no term ‘cybersecurity vulnerability’ in §1501, the term used there is ‘security vulnerability’. All three of these terms are based upon the IT-centric security concern with the confidentiality, integrity, and availability of an information system or its information. Section 1501(9) does, however, specifically include control systems in its definition of ‘information system’.

Cybersecurity Provisions


Section 14 of the bill adds a new §30108 to 49 USC Chapter 301. This new section specifically addresses cybersecurity issues with automated vehicles. In addition to adding the definitions described above, it requires each manufacturer to “develop, maintain, and execute a written plan for identifying and reducing cybersecurity risks [emphasis added] to the motor vehicle safety of such vehicles and systems” {new §30108(b)(1)}. That plan would include processes to address {new §30108(b)(2)}:

• The risk-based prioritized identification and protection of safety-critical vehicle control systems and the broader transportation ecosystem, as applicable;
• The efficient detection and response to potential vehicle cybersecurity incidents [emphasis added] in the field;
• Facilitating expeditious recovery from incidents as they occur;
• The institutionalization of methods for the accelerated adoption of lessons learned across industry through voluntary exchange of information pertaining to cybersecurity incidents, threats, and vulnerabilities [emphasis added], including the consideration of a coordinated cybersecurity vulnerability disclosure policy or other related practices for collaboration with third-party cybersecurity researchers;
• The identification of the point of contact of the manufacturer with responsibility for the management of cybersecurity;
• The use of segmentation and isolation techniques in vehicle architecture design, as appropriate; and
• Supporting voluntary efforts by industry and standards-setting organizations to develop and identify consistent standards and guidelines relating to vehicle cybersecurity, consistent, and to the extent appropriate, with the cybersecurity risk management activities described in section 15 USC 272(e).

Paragraph (c) broadly addresses the issue of coordinated disclosure. It requires DOT “to incentivize manufacturers to voluntarily adopt a coordinated vulnerability disclosure policy and practice in which a security researcher privately discloses information related to a discovered vulnerability to a manufacturer and allows the manufacturer time to confirm and remediate the vulnerability”.

Moving Forward


As I mentioned earlier this bill is being marked up this week. With the support of both Chairman Thune and the two Detroit (er… Michigan) senators (Democrats Peters and Stabenow), I suspect that this bill will fly through Committee with no significant opposition (and probably no amendments). The question then will be, if the Senate leadership decides to take up automated vehicle legislation this session (an open question), whether it will move this bill or HR 3388 to the floor. I suspect that the House bill will be considered and then this bill will be used as substitute language.

Commentary


First off, the cybersecurity provisions of this bill are going to be affected by the existing cybersecurity definitions adopted by the bill. Attacks on the vehicle control systems could cause death and destruction without ever having any effect on “confidentiality, integrity, and availability of an information system”. The sooner politicians begin to realize that information systems and operations systems are inherently different and require different security approaches the better.

In an earlier blog post on a port cybersecurity bill, I attempted to provide a useful series of definitions that could be used to address both information security and control system security in instances where both could be considered at risk. I included the existing definition of ‘information system’ and provided a very broad definition for ‘control system’. Then I provided the following definition of ‘cybersecurity risk’:

The term ‘cybersecurity risk’ means:
(A) threats to, and vulnerabilities of, information, information systems, or control systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information, information systems, or control systems, including such related consequences caused by an act of terrorism; and
(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;

The next problem with this bill is that it only requires DOT to provide incentives for manufacturers to establish a coordinated disclosure policy. This is in keeping with the Republican abhorrence of regulations, but it is demonstrably ineffective in this instance. Without an outside referee between the security researcher and the manufacturer there is nothing to stop manufacturers from attempting to quash any inconvenient vulnerability disclosure. This is especially true with automotive manufacturers, who have already attempted to stop automotive hobbyists from hacking their cars’ control systems to improve or modify performance.

The bill should have established the National Highway Traffic Safety Administration (NHTSA) as the clearing house for reporting automotive cybersecurity vulnerabilities. This easily could have been incorporated in the existing safety defects reporting systems under 49 USC 30118. Security researchers could then have been required to report vulnerabilities to NHTSA, who would then investigate/coordinate with the manufacturer to ensure that the vulnerabilities are corrected.


Finally, the bill is missing the ultimate measure to protect the cybersecurity of automated vehicles. There are no provisions that specifically make it a crime to hack a motor vehicle control system in a manner that jeopardizes the life or safety of the vehicle occupants, endangers people outside of the affected vehicle, or damages property.

Wednesday, September 6, 2017

House Passes HR 3388 - SELF DRIVE Act

Today the House passed HR 3388, the Safely Ensuring Lives Future Deployment and Research in Vehicle Evolution (SELF DRIVE) Act by a voice vote. The bill provides for a regulatory scheme for the introduction of highly automated (self-driving) automobiles. It includes significant and relatively comprehensive requirements for the establishment of cybersecurity regulations for these vehicles (see my posts here, here, here and here).


If the Senate takes up this bill (always difficult to predict), I suspect that it would pass with substantial bipartisan support.

Tuesday, September 5, 2017

Committee Hearings – Week of 09-04-17

Yes, the House and Senate have actually returned to Washington; it must be September. Spending (including Harvey Relief) and debt limits are the big items that will have to be addressed before the end of the month. But, this week, in addition to the spending bill hearing this evening, there are two cybersecurity hearings scheduled and one cybersecurity bill on the floor of the House that may be of interest to readers of this blog.

Cybersecurity Hearings


The House Homeland Security Committee will hold a markup hearing on Thursday with four bills under consideration. The one of specific interest here is HR 3101, the Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2017. No amendments to this bill are currently listed on the Committee web site.

The Cybersecurity and Infrastructure Protection Subcommittee of the House Homeland Security Committee will be holding an informational hearing on Thursday. It will address “Challenges of Recruiting and Retaining a Cybersecurity Workforce”. The witness list is not currently available.

On the Floor


As I mentioned earlier, there is one cybersecurity related bill scheduled to be considered by the House this week; HR 3388, the SELF DRIVE Act. Additional cybersecurity provisions found in this bill are addressed here, here and here. This bill contains some of the most comprehensive cybersecurity provisions that I have seen to date and may end up having far ranging indirect impacts outside of the automotive world. This will be considered Wednesday under the suspension of the rules provisions that limit debate and require a supermajority for passage.


The bulk of the time on the floor of the House this week will be consumed with the consideration of HR 3354, the Make America Secure and Prosperous Appropriations Act, 2018. The House is taking this up early to provide time to recover if it fails in either the House or Senate. There is still a reasonable chance that we are going to end up with a last minute continuing resolution to keep the government operating at the end of the month.

Monday, August 7, 2017

Energy and Commerce Amends and Passes HR 3388 – DECAL Act

Last month the House Energy and Commerce Committee amended and passed HR 3388, the Designating Each Car’s Automation Level (DECAL) Act, by a strongly bipartisan 54 to 0 vote. The adopted bill was a complete re-write of the original, which had been little more than a truth-in-labeling bill that did not even mention cybersecurity. The new version of the bill establishes cybersecurity requirements for highly-automated vehicles as well as requiring DOT’s National Highway Traffic Safety Administration (NHTSA) to establish new safety standards for the same.

Cybersecurity Requirements


Section 5 of the bill would amend 49 USC by adding a new section, §30130, Cybersecurity of automated driving systems. The new section would require manufacturers to establish a cybersecurity plan for ‘highly automated vehicles’ [which “means a motor vehicle equipped with an automated driving system” {revised 49 USC 30102(a)(7)}, see §13(a) of the revised bill]. That plan would include {new §30130(a)}:

• A written cybersecurity policy with respect to the practices of the manufacturer for detecting and responding to cyber-attacks, unauthorized intrusions, and false and spurious messages or vehicle control commands;
• The identification of an officer or other individual of the manufacturer as the point of contact with responsibility for the management of cybersecurity;
• A process for limiting access to automated driving systems; and
• A process for employee training and supervision for implementation and maintenance of the policies and procedures required by this section, including controls on employee access to automated driving systems.

That ‘written cybersecurity policy’ would include {new §30130(a)(1)}:

• A process for identifying, assessing, and mitigating reasonably foreseeable vulnerabilities from cyber-attacks or unauthorized intrusions, including false and spurious messages and malicious vehicle control commands; and
• A process for taking preventive and corrective action to mitigate against vulnerabilities in a highly automated vehicle or a vehicle that performs partial driving automation, including incident response plans, intrusion detection and prevention systems that safeguard key controls, systems, and procedures through testing or monitoring, and updates to such process based on changed circumstances.

Moving Forward


The fact that this bill passed out of committee with unanimous support clearly indicates that the bill is ready to move forward to the floor of the House for consideration. Typically, I would suggest that it would be considered under the suspension of the rules provision allowing limited debate and no amendments. In this case, however, because Committee members also submitted at least nine other bills on the same day that potentially (I have only seen the language on one of those) addressed additional cybersecurity requirements, there may be some resistance to the bill being considered in such a cavalier fashion.

I suspect that the House leadership will come up with one of two solutions to this potential problem. The easiest (politically) would be for the Rules Committee to draft a structured rule that would allow the consideration of amendments based mainly on these other bills to be offered in a limited floor debate. This process, however, would take up substantial floor time, making it unlikely that the bill would be considered before October 1st. It also might result in some amendments being approved that are not supported by the leadership.

If there is substantial political support for moving this forward quickly (and that is unclear at this time), then an alternative scenario would be to include a carefully (read politically) selected number of the additional bills to also be considered under the suspension of the rules process and let their sponsors worry about if there are enough votes to meet the supermajority requirements of that process.

Commentary


First, I would like to note that the bill completely separates the cybersecurity provisions of §5 from the privacy protection provisions of §12. This is very unusual in that Congress has a long history of equating cybersecurity and privacy protection. What is more interesting is that the privacy protection provisions do not include any mention of using the cybersecurity protections of vehicle systems to protect the privacy of information stored on or developed by those automated driving systems.

To my mind, there are two major cybersecurity shortcomings in this bill; the lack of information sharing provisions and the failure to address vulnerability reporting and coordination.

Given the automotive industry’s history of sharing components between vehicle lines of multiple manufacturers (most recently see the Takata air bag controversy) it would seem very likely that there will be instances where a cybersecurity vulnerability will occur in a device which is found in multiple vehicle lines. Failing to share that information between manufacturers will leave a large number of vehicles exposed to known vulnerabilities. While I would prefer to see NHTSA as the designated information sharing agency, there should be at least a requirement to share information with the Automotive ISAC.

Similarly, given the reality that most cybersecurity vulnerabilities seem to be found by independent security researchers or outside cybersecurity firms, there should be language in this bill providing for an agency to act as a receiver and coordinator of cybersecurity vulnerability information. Again, I would prefer to see NHTSA be given this role, but ICS-CERT would be an acceptable alternative (with information coordination requirements with NHTSA being specified). Using the Automotive ISAC would be a poor choice, since they are likely to take the manufacturers side in any dispute between researchers and vendors.

There is another cybersecurity related provision that I am surprised to see missing from this revised bill, a measure to address recall authority and recall mitigation measures for cybersecurity related problems with the highly automated vehicles. While the requirement for establishing a new safety standard for highly automated vehicles in §4 of the bill would provide general recall authority for cybersecurity related vulnerabilities under existing rules, it would not specifically authorize NHTSA to address cybersecurity vulnerabilities that have not actually resulted in problems in vehicle operations. It also would not provide NHTSA authority to require recalls for purely privacy related cybersecurity issues. To ease industry concerns about cybersecurity recalls, a specific provision allowing for remote updates of cyber systems as a cyber recall measure would need to be included in the bill.

Finally, the bill specifically excludes commercial vehicles from the requirements of the bill. There are significant and very advanced programs to automate commercial trucks. I understand that safety standards for those vehicles are separate from standard automotive safety standards. That means that coverage of those vehicles in this bill would probably be inappropriate from a regulatory standpoint, but I have seen no other attempt to regulate the cybersecurity of those heavier vehicles.

It will be interesting to see if any of these issues are addressed in the nine other bills pending publication by the GPO.


BTW: The revised language approved by the Committee will change the name of the bill from the DECAL Act to the Safely Ensuring Lives Future Deployment and Research in Vehicle Evolution (SELF DRIVE) Act. That will take effect when the Committee Report on the bill is published.