Last month Sen Peters (D,MI) introduced S 1316,
the Cyber Response and Recovery Act of 2021. The bill would add a new subchapter
to Title XXII of the Homeland Security Act of 2002. It would allow DHS to
declare a ‘significant incident’. It would also provide for the establishment
of a Cyber Response and Recovery Fund.
Definitions
Section 2231 provides definitions for unique terms to be
used in the new subchapter. The eight definitions include two new significant terms:
‘asset response activity’ and ‘significant incident’.
The term ‘asset response activity’ is defined as an activity
to support an entity impacted by an incident with the response to, remediation
of, or recovery from, the incident, including {§2231(2)}:
• Furnishing technical and advisory
assistance to the entity to protect the assets of the entity, mitigate
vulnerabilities, and reduce the related impacts,
• Assessing potential risks to the
critical infrastructure sector or geographic region impacted by the incident,
including potential cascading effects of the incident on other critical
infrastructure sectors or geographic regions,
• Developing courses of action to
mitigate the risks assessed above,
• Facilitating information sharing
and operational coordination with entities performing threat response
activities, and
• Providing guidance on how best to
use Federal resources and capabilities in a timely, effective manner to speed
recovery from the incident.
The term ‘significant incident’ is defined as an incident or
a group of related incidents that results, or is likely to result, in
demonstrable harm to {§2231(8)}:
• The national security interests,
foreign relations, or economy of the United States, or
• The public confidence, civil
liberties, or public health and safety of the people of the United States.
A significant incident does not include an incident that
takes place on a national security system {44 USC 3552(6)} or on a DOD or
intelligence community information system {44 USC 3353(e)}.
Neither of the two definitions above mentions anything to do
with computer systems, cyber systems or information systems. This is because
the term ‘incident’ is defined by reference to 44 USC 3552(2). There it is defined
as an occurrence that:
• Actually or imminently
jeopardizes, without lawful authority, the integrity, confidentiality, or
availability of information or an information system; or
• Constitutes a violation or
imminent threat of violation of law, security policies, security procedures, or
acceptable use policies.
Significant Incident Declaration
Section 2232 authorizes the Secretary of DHS (not to be
delegated), in consultation with the National Cyber Director, to make a
declaration of a significant incident if such an incident occurs or is imminently
expected to occur and it is determined that available resources “are likely
insufficient to respond effectively to, or to mitigate effectively, the
specific significant incident” {§2232(a)(1)(B)}.
Section 2232(b) requires CISA to coordinate “the asset
response activities of each Federal agency in response to the specific
significant incident associated with the declaration” {§2232(b)(1)}.
CISA will also coordinate with {§2232(b)(2)}:
• Public and private entities and
State and local governments with respect to the asset response activities of those
entities and governments; and
• Federal, State, local, and Tribal
law enforcement agencies with respect to investigations and threat response
activities of those law enforcement agencies.
The section provides that a declaration will last up to
120 days and that the Secretary may extend the declaration as required. Declarations
will be published in the Federal Register.
Section 2232(f) authorizes the Secretary to take preparatory
actions before an incident is declared, including “entering into standby
contracts with private entities for cybersecurity services or incident
responders in the event of a declaration” {§2232(f)(2)}.
Cyber Response and Recovery Fund
Section 2233 establishes the Cyber Response and Recovery
Fund. The funds could be used for coordination activities. They could also be
used for response and recovery support for “Federal, State, local, and Tribal,
entities and public and private entities on a reimbursable or non-reimbursable
basis”. That support would be for asset response activities and technical
assistance, such as {§2233(a)(2)}:
• Vulnerability assessments and
mitigation,
• Technical incident mitigation,
• Malware analysis,
• Analytic support,
• Threat detection and hunting, and
• Network protections.
Section 2236 authorizes $20 million for the Fund.
Moving Forward
As I mentioned yesterday, this bill was adopted by the
Senate Homeland Security and Governmental Affairs Committee after it was
amended with substitute language. The unanimous consent adoption of the
substitute language indicates that the bill has strong bipartisan support. This
is not unexpected in the face of the recent cybersecurity incidents to which
the country has been responding. We will not be able to see the substitute
language until the Committee publishes their report.
After the Colonial Pipeline incident, I suspect that this
bill could be brought to the floor of the Senate. That would provide Senators
with a chance to demonstrate their active support for cybersecurity response
activities by CISA. This would also allow for significant amendment activity
that could provide a vessel for other cybersecurity bills that might not be
able to justify full floor proceedings and might face limited objections
that could prevent the use of the Senate’s unanimous consent process.
While this bill could be considered under that unanimous
consent process, I suspect that there are Senators that would use their
potential objection as a threat to get their own cybersecurity language
considered.
Commentary
Definition RANT: The incident definition upon which this
legislation relies is based upon the IT-restrictive definition of ‘information
system’ found in 44 USC 3352. This means that an incident that primarily
affects an operational system rather than an IT system could not properly
qualify as a significant incident.
There is currently no definition of ‘incident’ that relies
on a more ICS-inclusive definition of ‘information system’. That could be remedied
by adding a definition of ‘information system’ in §2331 with a reference to the
definition in 6 USC 1501(9).
I think that this would be a good vessel for making definitional
changes to 6 USC 659 that could be made applicable to this proposed
legislation. I have written about these proposed changes on a number of
occasions (see here
for example). I would suggest adding a new §3 to the bill, entitled ‘Cybersecurity
Definitions’:
Sec. 3. Cybersecurity Definitions.
(a) The following term and definition
will be added to 6 USC 659(a):
“(1) the term ‘control system’
means a discrete set of information resources, sensors, communications
interfaces and physical devices organized to monitor, control and/or report on
physical processes, including manufacturing, transportation, access control,
and facility environmental controls;”
(b) The definition of the term “incident”
will be revised to read:
“(4) the term ‘incident’ means an occurrence that actually or imminently
jeopardizes, without lawful authority:
“(A) the integrity,
confidentiality, or availability of information on an information system,
“(B) the timely availability of
accurate process information, the predictable control of the designed process
or the confidentiality of process information, or
“(C) an information system or a
control system;”
This would then allow the definition in §2231 for the term ‘incident’
to be changed to refer to the revised definition in 6 USC 659(a).
Finally, for clarity’s sake, I would change the term ‘significant
incident’ to ‘significant cyber incident’.