Patrick Coyle covers US ICS security legislation for Digital Bond. He writes on all things to do with Chemical Security and broader issues on ICS Security on his Chemical Facility Security Blog.
With the first session of the 112th Congress essentially over, it seems like a good time to review what Congress has been able to accomplish on the cybersecurity legislative front. Unfortunately the short answer is ‘not much’. A total of 13 cybersecurity bills have been introduced to date, and only two of those have even been reported out by the committee to which they were referred.
Here is a list of those 13 cybersecurity bills and their current status:
• HR 76 – the Cybersecurity Education Enhancement Act of 2011 – No Action;
• HR 174 – the Homeland Security Cyber and Physical Infrastructure Protection Act of 2011 – No Action;
• HR 1136 – the Executive Cyberspace Coordination Act of 2011 – No Action;
• HR 1261 – Chief Technology Officer Act – No Action;
• HR 2096 – the Cybersecurity Enhancement Act of 2011 – Reported in House (112-264);
• HR 3523 – the Cyber Intelligence Sharing and Protection Act of 2011 – Pre-introduction hearing;
• S 21 – Cyber Security and American Cyber Competitiveness Act of 2011 – No Action;
• S 372 – Cybersecurity and Internet Safety Standards Act – No Action;
• S 413 – the Cybersecurity and Internet Freedom Act of 2011 – Hearing Held 5-23-11;
• S 813 – the Cyber Security Public Awareness Act of 2011 – No Action;
• S 1152 – the Cybersecurity Enhancement Act of 2011 – No Action;
• S 1159 – the Cyberspace Warriors Act of 2011 – No Action; and
• S 1342 – the Grid Cyber Security Act – Reported in Senate (112-34).
Congress remains focused on IT and personal information security. None of these bills specifically address control systems issues, though a number of them do call for a variety of studies and reports to Congress on issues that touch on control systems.
Apparent Inactivity to Change
While there has been little public activity on these bills, there have been reports in various media about the behind-the-scenes work being done at the committee staff level, and in coordination between the various committees in both Houses and various offices in the White House and executive branch agencies, to come up with a comprehensive cybersecurity bill that could make it through the legislative process in both Houses.
One of the major stumbling blocks to preparing passable cybersecurity legislation has been working out the appropriate level of privacy protection for both individuals and businesses while ensuring the maximum amount of information flow and freedom of expression. Further confusing the issue is the lack of widespread understanding of the actual operation of corporate and government networks and the Internet.
In the last couple of weeks the leadership in both the Senate and the House has indicated that they intend to move forward on cybersecurity legislation early next year. It is apparent that none of the current bills will be what actually comes to the floor in either body. There will need to be extensive language changes to reflect the behind-the-scenes work that has been on-going since last summer.
For this reason I think that it is most likely that HR 3523 in the House and S 413 in the Senate will be the bills that will form the basis for the final cybersecurity legislation that will probably pass in the first quarter of the new year. Both bills come from the respective Homeland Security Committees which gives them a strong oversight claim. And neither bill has made it through the amendment process yet so their language can be easily modified.
Cyber Security Amendments
One area where the cybersecurity legislative effort has been a bit more effective in this session of the 112th Congress has been in attaching various cybersecurity provisions to spending and authorization bills. A good example of this was the inclusion of §931 in the National Defense Authorization Act for FY 2012, which dealt with developing a strategy to acquire capabilities to detect previously unknown cyber-attacks.
Most of the provisions added to legislation like this have dealt with information systems rather than control systems. Again, where control systems were mentioned in these additions and amendments, they were only mentioned in very broad terms or in requiring studies and reports to Congress.
Potential ICS Game Changers
As I mentioned earlier, Congress has shown little inclination to address control system security issues beyond a possible expansion of regulations in the electrical sector. Likewise the business community has not indicated that it feels a need for government regulation or protection of its control systems. Given that, it is unlikely that any bill that makes it to the President’s desk this coming year will include much in the way of ICS cybersecurity measures.
There is, of course, one thing that could change that game very quickly. If there were a successful attack on a control system that caused a significant physical impact on a community (like prolonged loss of critical services, shutting down a major employer for a couple of weeks, or causing death and destruction) I think that the whole focus of cybersecurity legislation and regulation would radically change. And, that new focus would probably do little if anything to actually help the control system community.