This is part of an ongoing in-depth review of the provisions
of S 3414, the Cybersecurity Act of 2012, that will be of interest to the
control systems community. The earlier posts in the series were:
NOTE: The GPO now has a copy
of this bill available.
As anyone who has been reading the various news stories
about S 3414 probably already knows, the heart of the difference between this
bill and S 2151, at least for critical infrastructure cybersecurity, is that
the program is voluntary. That, along with the incentives to encourage
voluntary participation, is addressed in §104.
The Voluntary Program
The National Cybersecurity Council, within one year of the
passage of this bill, is required {§104(a)(1)} to establish the Voluntary
Cybersecurity Program for Critical Infrastructure. While this is to be
specifically designed for designated critical cyber infrastructure, the bill
also requires {§104(a)(2)(B)} the establishment of criteria for owners of other
facilities to apply for certification under the Program.
Any owner/operator applying for certification under the
Program will “select and implement cybersecurity measures of their choosing
that satisfy the outcome-based cybersecurity practices established under
section 103” {§104(a)(3)(A)}. At that point the owner will have one of two
options for establishing the adequacy of their cybersecurity measures {§104(a)(3)(B)}:
• Certify in writing and under penalty of perjury to the Council that the owner has developed and effectively implemented cybersecurity measures; or
• Submit to the Council an assessment verifying that the owner has developed and effectively implemented cybersecurity measures.
While the first option should be cheaper in the short run,
paying someone to conduct the assessment may avoid the problem ‘under penalty
of perjury’ might pose if there is a subsequent successful attack on the
system.
To ensure that assessments are conducted by reputable and
properly skilled professionals, the Council will “enter into agreements with
qualified third party private entities, to conduct assessments that use
reliable, repeatable, performance-based evaluations and metrics to assess
whether an owner certified under subsection (a)(3)(B)(ii) is in compliance with
all applicable cybersecurity practices” {§104(b)(1)}.
In either case, when the Council is notified that the owner
has an adequate cybersecurity program implemented, it is required {§104(a)(4)} to
certify that owner.
Checking Security
While the Council is required to accept either the owner’s
self-certification or the third-party assessment, the bill does provide that in
the event that Council becomes aware (either through actual knowledge or a reasonable suspicion) “that
the certified owner is not in compliance with the cybersecurity practices or
any other risk-based factors as identified by the Council” {§104(b)(3)}, the
Council may conduct its own assessment of those security practices.
Once again, though, since there is no authorization for a
Council staff or any specific funding for the Council, any such assessment will
have to be done for the Council by some other entity. The wording of this
section, however, does not appear to authorize the use of another entity for
that purpose.
Incentives for Participation
Since participation in the Voluntary Cybersecurity Program
for Critical Infrastructure is voluntary, the drafters knew that they
had to offer some sort of incentive to encourage the participation of as many
of the identified critical cyber infrastructure entities as possible. The
incentives provided in this bill include {§104(c)}:
• Limitations on civil liability;
• Expedited security clearance process;
• Prioritized technical assistance;
• Provision of cyber threat information;
• Public recognition; and
• Procurement preference.
Much has been made in the press about the civil liability
protections provided in this bill. There are, as one would expect, a number of
specifications, limitations and exceptions to that protection. A
number of common lawyer-type phrases have been added to this paragraph {§104(c)(1)}
to limit the applicability of the ‘protections’; they include ‘punitive damages’,
‘substantial compliance’, ‘harm directly caused by’ and ‘additional or
intervening acts or omissions’. Still, in the event of a significant attack,
even these limited protections could be significant.
The other benefits will provide some level of incentive, but
it is not clear that they would be enough to justify the costs of the
cybersecurity measures that will likely be required. The one possible exception
is the last incentive, a Federal procurement preference. Unfortunately, the
bill doesn’t actually provide this incentive; it just requires {§104(c)(6)} that
a study be conducted about the potential use of such a preference. There is no
time limit on conducting the study nor is there any provision for implementing the
incentive if the study results are encouraging.