Last week Sen. McCain (R,AZ) introduced S 2943, the
National Defense Authorization Act (NDAA) for Fiscal Year 2017. The House
version of this bill (HR 4909) passed
last week. It provides authorization for military activities for the next
fiscal year.
Like the House bill, there is an entire subtitle of this
bill (Subtitle C of Title XVI) related to cyber issues. The following sections
are listed in that subtitle:
Sec. 1631. Cyber protection support
for Department of Defense personnel in positions highly vulnerable to cyber
attack.
Sec. 1632. Cyber Mission Forces
matters.
Sec. 1633. Limitation on ending of
arrangement in which the Commander of the United States Cyber Command is also
Director of the National Security Agency.
Sec. 1634. Pilot program on
application of consequence-driven, cyber-informed engineering to mitigate
against cybersecurity threats to operating technologies of military
installations.
Sec. 1635. Evaluation of cyber
vulnerabilities of F–35 aircraft and support systems.
Sec. 1636. Review and assessment of
technology strategy and development at Defense Information Systems Agency.
Sec. 1637. Evaluation of cyber
vulnerabilities of Department of Defense critical infrastructure.
Sec. 1638. Plan for information
security continuous monitoring capability and comply-to-connect policy.
Sec. 1639. Report on authority
delegated to Secretary of Defense to conduct cyber operations.
Sec. 1640. Deterrence of adversaries
in cyberspace.
There are no overlaps between the items found in this
subtitle of the bill and the corresponding subtitle of the House version. Two
of the sections in this version of the bill may be of specific interest to
readers of this blog: §1634
and §1640
Cyber-Informed Engineering
Section 1634 requires the DOD to establish “a pilot program
to assess the feasibility and advisability of applying consequence-driven,
cyber-informed engineering methodologies to the operating technologies of
military installations, including industrial control systems, in order to
increase the resilience of military installations against cybersecurity threats
and prevent or mitigate the potential for high-consequence cyberattacks.”
While I am waiting for the Armed Forces Committee report on
S 2943 to see if there are any additional insights into what the Committee
expects to see included in the ‘cyber-informed engineering’ pilot, I did find
an interestingpaper [updated link, 23:21 1-28-17]on the topic from a couple of engineers at the Idaho National
Laboratory. They note that modern industrial processes are constructed with the
assumption that the control system is trusted, an assumption that is
increasingly proving to be incorrect. They call for a new engineering design
process that takes the potential insecurity of the control system into account
as part of the design basis for the entire industrial process.
Deterrence of Adversaries in Cyberspace
In many ways §1640
is similar to HR
5220 and S
2905 in that it requires the President to report to Congress on “determining
when an action carried out in cyberspace constitutes an act of war against the
United States” {§1640(b)(1)}.
The important difference here is that that report only comes after the Joint
Chiefs of Staff provide a detailed report to Congress “on the military and
nonmilitary options available to the United States to deter Russia, China,
Iran, North Korea, and terrorist organizations in cyberspace” {§1640(a)(1)}.
This makes the report more of a policy development requirement rather than just
a political gotcha game.
Moving Forward
The Senate Armed Services Committee has already completed
their action on this bill (and I am expecting their report to be published
today or tomorrow) so this bill is cleared to move to the Floor of the Senate.
It is being
reported on TheHill.com that this bill will come to the floor of the Senate
this week, though it is not the first bill slated for floor
action today.
There are a number of controversies that could arise in
connection with this bill (unrelated to cybersecurity issues) that could slow
consideration especially considering that the Senate is heading home for a week
of campaigning at the close of the week. It would not be surprising to see some
vocal posturing before the Memorial Day Recess and then more reasonable actions
following the return to Washington.
When this bill is eventually passed, it will have to go to a
conference committee to work out the significant differences with that House
over a number of matters. It is not entirely clear at this point that a
House-Senate compromise bill would be acceptable to the President as both sides
try to make points going into the election. I suspect that a final version of
this bill will only be achieved in the lame duck session.
Commentary
It is interesting to see a piece of legislation addressing a
new and innovative engineering concept like cyber-informed engineering. It is
less surprising that it was found in a defense authorization bill, particularly
in the Senate. McCain did after all receive a pretty good technical education
at the US Naval Academy. And as a military pilot he did come to have a pretty
good personal understanding of the importance of good engineering. I am not
saying that he came up with the concept, but he was better able to comprehend
its importance when briefed on it by DOD than a less technologically trained congress
critter would have.
In many ways the chemical engineering profession has
embraced the basic idea behind this new engineering concept in the way they that
have developed their stand-alone safety systems. Those systems were not
developed with cybersecurity in mind, but rather to deal with problems with
another less-than-trusted part of the chemical manufacturing process, the human
operator. The lessons that chemical engineers have learned over the last couple
of decades in dealing with human-engineering issues should be directly
applicable to cyber-informed engineering.
Posts
No comments:
Post a Comment