Rybolov Note: this is part 4 in a series about S.773. Go read the bill here. Go read part one here. Go read part two here. Go read part three here. Go read part 5 here. =)
SEC. 18. CYBERSECURITY RESPONSIBILITIES AND AUTHORITY. This section needs to be reviewed line-by-line because it’s dense:
(1) within 1 year after the date of enactment of this Act, shall develop and implement a comprehensive national cybersecurity strategy, which shall include–
(A) a long-term vision of the Nation’s cybersecurity future; and
(B) a plan that encompasses all aspects of national security, including the participation of the private sector, including critical infrastructure operators and managers;”
OK, fair enough, this calls for a cybersecurity strategy that includes the agencies and critical infrastructure. Most of that is in-play already and has overlap with some other sections.
(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;
Declaring an emergency is already a President function for natural disasters, this makes sense, except where you militarized cybersecurity and indirectly give the President the authority here to declare a cyberwar, depending on how you interpret this paragraph.
The cutoff authority has been given much talk. This part pertains only to Government systems and critical infrastructure. Note that the criteria here is that the part being cutoff has to have been compromised, which makes more sense. The part that I’m worried about is when we preemptively cut off the network in anticipation of pwnage.
(3) shall designate an agency to be responsible for coordinating the response and restoration of any Federal Government or United States critical infrastructure information system or network affected by a cybersecurity emergency declaration under paragraph (2);
This is interesting to me because it leaves the designation up to the President. Remember, we have all this debate as to who should “own” cybersecurity: DHS, DoD, NSA, FBI, and even Commerce have been proposed here. I don’t think Congress should leave this designation to the President–it needs to be decided before an incident so that we don’t fight over jurisdiction issues during the incident. Ref: Cyber-Katrina.
(4) shall, through the appropriate department or agency, review equipment that would be needed after a cybersecurity attack and develop a strategy for the acquisition, storage, and periodic replacement of such equipment;
This is good. What it means is stockpiling or contracting for equipment in advance of an attack… think DDoS response teams and you have a pretty good idea. And hey, this also works in disaster recovery, which I’ve never understood why we don’t manage some DR at the national level. GSA, are you paying attention here?
(5) shall direct the periodic mapping of Federal Government and United States critical infrastructure information systems or networks, and shall develop metrics to measure the effectiveness of the mapping process;
Enumeration is good, depending on what we’re using the information for. If you use it to beat up on the agency CISOs and the critical infrastructure owners/operators, then we have better things to spend our time doing. If you do this and then use the information to help people Ref: security metrics, architecture support, Federal Enterprise Architecture. I also have a problem with this because you can map vulnerabilities but how do you get the information to the right people who can fix them?
(6) may order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security;
OK, this gives the President authority over private networks. And fo-shizzle, I thought the President already had disconnect authority over Government networks. If I was an owner of critical infrastructure I would be sh*tting bricks here because this means that the President has disconnect authority for my gear and doesn’t have to give me an answer on why or a remediation plan to get it turned back on–Ref: National Security Letter. I think we need the disconnect authority, but there has to be some way for people to get turned back on.
(7) shall, through the Office of Science and Technology Policy, direct an annual review of all Federal cyber technology research and development investments;
Good stuff, I would be surprised if this isn’t happening already, what with Congress providing the budget for cyber technology research.
(8) may delegate original classification authority to the appropriate Federal official for the purposes of improving the Nation’s cybersecurity posture;
This paragraph is interesting, mostly because it could go anyway. If we get a Cybersecurity Advisor, this will most likely be dedicated to them, meaning that they get the authority to determine what’s national security information. This also works in conjunction with quite a few sections of the bill, including all the information-sharing initiatives and paragraph 6 above.
(9) shall, through the appropriate department or agency, promulgate rules for Federal professional responsibilities regarding cybersecurity, and shall provide to the Congress an annual report on Federal agency compliance with those rules;
I had to read this paragraph a couple of times. Really what I think we’re doing is establishing a case for agency executives to be found negligent in their duty if they do not ensure security inside their agency–think CEO liability for negligence.
(10) shall withhold additional compensation, direct corrective action for Federal personnel, or terminate a Federal contract in violation of Federal rules, and shall report any such action to the Congress in an unclassified format within 48 hours after taking any such action; and
There are 2 parts of this paragraph: Federal personnel and contractors. This is a sanctions part of the legislation. Note that there is not a penalty and/or authority for anybody outside of Government. The problem with this is that proving negligence is very hard in the security world. Combined with Paragraph 9, this is a good combination provided that the professional responsibilities are written correctly. I still think this has room for abuse because of scoping problems–we already have rules for sanctions of people (personnel law) and contracts (cure notices, Federal Acquisition Regulations), only they don’t have much teeth up to this point because it’s hard to prove negligence.
(11) shall notify the Congress within 48 hours after providing a cyber-related certification of legality to a United States person.
I had to search around for a description here. I found some people who said this paragraph pertained to the certification of professionals as in section 7. This is wrong. Basically, what happens is that the Department of Justice issues a “certification of legality” when somebody (usually inside the Government) asks them if a certain act is legal to perform. Think legal review for building a wiretap program: the President has to go to DoJ and ask them if the program is legal under existing laws.
What this paragraph really does is it institutes Congressional oversight on a “FYI-basis” over Executive Branch decisions on policy to keep them from overstepping their legal bounds.
Verdict: This section is all over the map. Like most things in S.773, it has some scope issues but overall this section establishes tasks that you can expect the Cybersecurity Advisor or DHS under the Cybersecurity Advisor’s auspices to perform.
Capitol Rotunda photo by OakleyOriginals.
SEC. 19. QUADRENNIAL CYBER REVIEW. This section mandates a review of the cyberstrategy every 4 years.
Verdict: We’ve been doing this so far on an ad-hoc basis, might as well make it official.
SEC. 20. JOINT INTELLIGENCE THREAT ASSESSMENT. This section mandates an annual report on the bad guys and what they’re doing. This is similar to the Congressional testimony we’ve seen so far on the subject. If we’re going to expect Congress to make good public policy decisions, they need the information.
Verdict: OK, I don’t see much wrong with this as long as it’s done right and not abused by politics.
SEC. 21. INTERNATIONAL NORMS AND CYBERSECURITY DETERRANCE MEASURES. This section authorizes/mandates the President to cooperate with other countries about “cybersecurity stuff”.
Verdict: Not specific enough to mean anything. If we keep this section, we need to enumerate specifically what we want the Executive Branch to do.
SEC. 22. FEDERAL SECURE PRODUCTS AND SERVICES ACQUISITIONS BOARD. This section creates a board to review large IT purchases. Yes, that slows down the purchasing process horribly, as if it isn’t bad enough by itself. Um, I thought we were supposed to do this with the Federal Enterprise Architecture.
Verdict: This is a macro-scale solution for a micro-scale problem. Sorry, it doesn’t work for me. Make FEA responsible for the macro-scale and push good, solid guidance down to the agencies for the micro-scale. Replace this section with the NIST checklists program and a true security architecture model.