Monday, November 13, 2017

HR 2810 Conference Report – 2018 NDAA

This week the conference committee considering the differences in the House and Senate versions of HR 2810, the FY 2018 National Defense Authorization Act (NDAA), published its report on a final version of the bill. Additionally, the report contains an explanation of how the conferees arrived at the compromise language.

Cybersecurity Provisions
As is to be expected, there are a number of cyber-related provisions in the bill. The list below shows the title of each relevant section and the pages within the report for both the actual language adopted by the conference and the discussion of how that language was arrived at.

§1090. Providing assistance to House of Representatives in response to cybersecurity events. (pgs 326-7; discussion pg 933)
§1110. Pilot program on enhanced personnel management system for cybersecurity and legal professionals in the Department of Defense. (pgs 352-6; discussion pg 950)

Subtitle C—Cyberspace-Related Matters
PART I—GENERAL CYBER MATTERS
§1631. Notification requirements for sensitive military cyber operations and cyber weapons. (pgs 457-8; discussion pgs 1016-7)
§1632. Modification to quarterly cyber operations briefings. (pg 459; discussion pg 1017)
§1633. Policy of the United States on cyberspace, cybersecurity, and cyber warfare. (pgs 459-60; discussion pgs 1017-8)
§1634. Prohibition on use of products and services developed or provided by Kaspersky Lab. (pgs 460-2; discussion pg 1018)
§1635. Modification of authorities relating to establishment of unified combatant command for cyber operations. (pg 462; discussion pgs 1018-9)
§1636. Modification of definition of acquisition workforce to include personnel contributing to cybersecurity systems. (pg 462; discussion pg 1019)
§1637. Integration of strategic information operations and cyber-enabled information operations. (pgs 462-5; discussion pgs 1019-20)
§1638. Exercise on assessing cybersecurity support to election systems of States. (pg 465; discussion pg 1020)
§1639. Measurement of compliance with cybersecurity requirements for industrial control systems. (pg 465; discussion pg 1020)
§1640. Strategic Cybersecurity Program. (pgs 465-7; discussion pgs 1020-1)
§1641. Plan to increase cyber and information operations, deterrence, and defense. (pg 467; discussion pg 1021)
§1642. Evaluation of agile or iterative development of cyber tools and applications. (pgs 467-9; discussion pg 1021)
§1643. Assessment of defense critical electric infrastructure. (pg 469; discussion pg 1021)
§1644. Cyber posture review. (pgs 469-70; discussion pgs 1021-2)
§1645. Briefing on cyber capability and readiness shortfalls. (pgs 470-1; discussion pg 1022)
§1646. Briefing on cyber applications of blockchain technology. (pg 471; discussion pg 1022)
§1647. Briefing on training infrastructure for cyber mission forces. (pgs 471-2; discussion pg 1022)
§1648. Report on termination of dual-hat arrangement for Commander of the United States Cyber Command. (pg 472; discussion pgs 1022-3)

PART II—CYBERSECURITY EDUCATION
§1649. Cyber Scholarship Program. (pgs 473-4; discussion pg 1023)
§1649A. Community college cyber pilot program and assessment. (pgs 474-5; discussion pg 1023)
§1649B. Federal Cyber Scholarship-for-Service program updates. (pgs 475-6; discussion pg 1023)
§1649C. Cybersecurity teaching. (pg 477; discussion pg 1023)

The one provision listed above that may be of specific interest to readers of this blog is §1639. It requires the Secretary of Defense to measure “the progress of each element of the Department of Defense in securing the industrial control systems of the Department against cyber threats, including such industrial control systems as supervisory control and data acquisition systems, distributed control systems, programmable logic controllers, and platform information technology” {§1639(a)}. This measurement is to be included in the scorecard used in the implementation of the DOD Cybersecurity Discipline Implementation Plan.

An interesting term is used here: ‘platform information technology’. It is a military term that can be defined as computer hardware and/or software used to support operational technology. In an industrial control system environment this would certainly include human-machine interfaces and data historians, as well as the communications systems involved in the control system.

Unmanned Aircraft Systems
There are a number of provisions in the revised language for HR 2810 that refer to unmanned aircraft systems (UAS). One is of potential interest to readers of this blog because it addresses DOD authority to deal with intrusive UAS at or near DOD facilities or operations.

§1692. Protection of certain facilities and assets from unmanned aircraft. (pgs 509-12; discussion pgs 1038-40)

This provision will provide an exemption for DOD from the air piracy provisions of 49 USC 46502 and from “any provision of title 18 (USC)” {§1692(a)} for actions taken to protect DOD covered facilities from the threat posed by UAS. This would include actions taken to {§1692(b)}:

• Detect, identify, monitor, and track the unmanned aircraft system or unmanned aircraft, without prior consent, including by means of intercept or other access of a wire communication, an oral communication, or an electronic communication used to control the unmanned aircraft system or unmanned aircraft;
• Warn the operator of the unmanned aircraft system or unmanned aircraft, including by passive or active, and direct or indirect physical, electronic, radio, and electromagnetic means;
• Disrupt control of the unmanned aircraft system or unmanned aircraft, without prior consent, including by disabling the unmanned aircraft system or unmanned aircraft by intercepting, interfering, or causing interference with wire, oral, electronic, or radio communications used to control the unmanned aircraft system or unmanned aircraft;
• Seize or exercise control of the unmanned aircraft system or unmanned aircraft;
• Seize or otherwise confiscate the unmanned aircraft system or unmanned aircraft; or
• Use reasonable force to disable, damage, or destroy the unmanned aircraft system or unmanned aircraft.

Moving Forward
The House Rules Committee is currently scheduled to hold a hearing this evening to construct the rule for floor consideration of the conference report. This will almost certainly be a structured rule with limited debate and no floor amendments. The House is then scheduled to take up the conference report under that rule on Tuesday. It will almost certainly pass with some measure of bipartisan support, as it will later in the week in the Senate.

Commentary
It would have been helpful if §1639 had included some sort of requirement for DOD to publicly publish the measurement guidelines that would be used to evaluate the cybersecurity of industrial control systems. Those guidelines could be very useful for other large organizations to conduct a similar high-level review of the cybersecurity of ICS.

In the section on UAS protections for DOD facilities, I find it extremely interesting that the language ‘any provision of’ 18 USC was used instead of just references to the specific aircraft protection provisions of 18 USC 32. Other provisions that could have been specifically included:

§39A - Aiming a laser pointer at an aircraft;
§1030 - Fraud and related activity in connection with computers; or
§2511 - Interception and disclosure of wire, oral, or electronic communications prohibited.
Of course, lawyers are well known for their ability to attempt to stretch legal requirements to cover unusual circumstances, so perhaps the crafters of §1692 were justified in their use of ‘any provisions’. We will just have to wait and see how much the lawyers at DOD stretch that language to include not so reasonable actions taken against UAS and their pilots.
