Simple ~ Secure ~ Blog

An analysis of the 2010 Cybersecurity Bills

CyberSecurity Bill
With the senate confirmation hearings dominating the news this week, there has not been much coverage about the Senate Committee on Homeland Security and Governmental Affairs passing the “Protecting Cyberspace as a National Asset Act of 2010”, S.3480 by voice vote this past Friday (video).

However, security companies and professionals, as well as government agencies, should be aware of the significant political debate that is underway. The debate centers on the concern that a final Cybersecurity 2010 bill will expand government (presidential) authority over the internet in the event of a “cybersecurity emergency”. Senator Lieberman, an author of one of the proposed bills, attempts to alleviate this and other concerns by publishing a fact sheet indicating the bill actually limits the president’s authority as that authority currently exists under section 706 of the Communications Act of 1934.

This claim notwithstanding, the proposed comprehensive legislation must be reconciled with other cybersecurity measures introduced in the Senate before a final bill is presented to the President. For example, Senators Rockefeller and Snowe are proposing S.773, and still other committees (Judiciary, Armed Services, etc.) have non-comprehensive pieces of proposed legislation that may perhaps be included in a final bill. But for now, S.3480 and S.773 seem to be the primary comprehensive pieces of legislation.

S.3480

According to the authors of S.3480 (Lieberman-Collins), the so-called ‘Kill Switch’ (the government shutting down the internet and effectively taking over private networks) is not written in the text of the bill, nor is it consistent with the intent or spirit of the bill. However, this language/intent was written in the former Cybersecurity Act of 2009, unveiled last August and later amended in March 2010. The controversial passage that would have allowed the president to take emergency control of the entire Internet in the event of a serious threat, effectively giving him a “kill switch” (the power to shut down all online traffic by unilaterally seizing private networks), was removed in the amended version.

When you read S.3480 in its current form, the language is still very broad. Specifically, under section 3, Definitions, the term ‘critical infrastructure’ is defined as written in section 1016(e) of the USA Patriot Act (42 U.S.C. 5195c(e)):

Excerpt:  (e) CRITICAL INFRASTRUCTURE DEFINED- In this section, the term `critical infrastructure' means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

Critical Infrastructure

Determining what defines “critical infrastructure” seems to be a key aspect of how one will interpret the authority and reach of this bill. It’s reasonable to say the above definition is vague at best. However, the bill authorizes the Department of Homeland Security (DHS) to identify ‘covered critical infrastructure’. Specifically, under Subtitle E – Cybersecurity, “Sec. 241. Definitions”, the term ‘covered critical infrastructure’ is defined as:

‘‘(4) the term ‘covered critical infrastructure’ means a system or asset—

‘‘(A) that is on the prioritized critical infrastructure list established by the Secretary under section 210E(a)(2); and

‘‘(B)(i) that is a component of the national information infrastructure; or

‘‘(ii) for which the national information infrastructure is essential to the reliable operation of the system or asset;

Note: Section 210E(a)(2) refers to the Homeland Security Act of 2002 (6 U.S.C. 1241(a)(2)), which references the National Asset Database.

National Asset Database

For brevity, only a portion of the CRS Report below is presented in the next paragraphs to illustrate or describe the National Asset Database.

The Federation of American Scientists website posted a CRS Report for Congress dated July 16, 2007, which is an interesting reference regarding Critical Infrastructure and the National Asset Database. The report indicates the database contained over 77,000 individual assets, ranging from dams, hazardous materials sites and nuclear power plants to local festivals, petting zoos and sporting goods stores.

Excerpts from the report are used to illustrate the following point: if S.3480 indicates the President’s power to shut down cyberspace is based only on ‘covered critical infrastructure’, which is the infrastructure identified in the National Asset Database, one may wonder which of the 77,000 (or 600, depending on how these assets are interpreted today) assets are relevant to the legislation. It’s therefore reasonable to conclude that the legislative arm of S.3480 in its current form extends into this database, and that subsequent interpretations of its data sets are key focus points of the legislation. Given the distributed nature of networks today, these assets could potentially be very wide reaching throughout the United States.

Excerpts from the CRS Report for Congress:

“…The presence of a large number of entries of the latter type (i.e. assets generally perceived as having more local importance than national importance) has attracted much criticism from the press and from Members of Congress. Many critics of the Database have assumed that it is (or should be) DHS’s list of the nation’s most critical assets and are concerned that, in its current form, it is being used inappropriately as the basis upon which federal resources, including infrastructure protection grants, are allocated.”

“According to DHS, both of those assumptions are wrong. DHS characterizes the National Asset Database not as a list of critical assets, but rather as a national asset inventory providing the ‘universe’ from which various lists of critical assets are produced. As such, the Department maintains that it represents just the first step in DHS’s risk management process outlined in the National Infrastructure Protection Plan. DHS has developed, apparently from the National Asset Database, a list of about 600 assets that it has determined are critical to the nation.”

S.773

As mentioned in the introduction, the authors of S.3480 provide a fact sheet in an attempt to clarify what they are calling “misconceptions” about the bill. However, to obtain a deeper understanding of the original intent of the legislation, or to demonstrate how broad language can have significant impacts on outcomes, perhaps consider the language originally used and later amended in S.773. For example, section 201 of S.773 (amended version) states that after the President chooses to "declare a cybersecurity emergency," he can activate a "response and restoration plan" involving networks owned and operated by the private sector.

It’s worth noting that this same language, or the term ‘response and restoration plan’, is not found in S.3480. Therefore, for convenience and to clarify this point further, the relevant excerpts from the amended and original versions of S.773 are provided below. As you can see, the original version of S.773 was very broad, and its subsequent amendment provides a narrower focus. The purpose was to limit or narrow the power given to the executive branch of government over private industry as it relates to the ‘kill switch’, or the ability to shut down the Internet.

The amended relevant language in S.773:

Sec 201.

(b)   Collaborative Emergency Response and Restoration. The President -

(1) shall, in collaboration with owners and operators of United States critical infrastructure information systems, sector coordinating councils and relevant governmental agencies, regulatory entities, and nongovernmental organizations, develop and rehearse detailed response and restoration plans that clarify specific roles, responsibilities, and authorities of government and private sector actors during cybersecurity emergencies;

(2) may, in the event of an immediate threat to strategic national interests involving compromised Federal Government or United States critical infrastructure information systems—

(A) declare a cybersecurity emergency; and

(B) implement the collaborative emergency response and restoration plans developed under paragraph (1);

(3) shall, in the event of a declaration of a cybersecurity emergency—

(A) within 48 hours submit to Congress a report in writing setting forth—

(i) the circumstances necessitating the emergency declaration; and

(ii) the estimated scope and duration of the emergency; and

(B) so long as the cybersecurity emergency declaration remains in effect, report to the Congress periodically, but in no event less frequently than once every 30 days, on the status of emergency as well as on the scope and duration of the emergency.

The original relevant language in S.773 before the above amendment:

Sec. 18. Cybersecurity Responsibilities and Authority.

(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;

(3) shall designate an agency to be responsible for coordinating the response and restoration of any Federal Government or United States critical infrastructure information system or network affected by a cybersecurity emergency declaration under paragraph (2);

Summary

When listening to Senator Lieberman in the above video describe a scenario involving the President ordering a private company to put a particular patch on their system(s) in order to protect national cyberspace, one may wonder how this would happen and how long it would take. After all, as the Senator describes it, this would in effect be an example of the President taking protective steps with regard to the private cyber infrastructure during a ‘National Cyber Emergency’, but only as it relates to ‘covered critical infrastructure’ as determined by the National Asset Database.

As an American citizen and security professional, the idea of the President of the United States of America ordering a private company to install a patch seems unrealistic. And, while I don’t mean to diminish Senator Lieberman’s point in using this example, I think it illustrates how difficult it may be for a reasonable person to have confidence in the government’s execution of these acts. The government’s track record of protecting its networks and assets, when compared to the private sector, is offered as the basis for this opinion.

However, to be fair, the Senator seems to stress and make clear that the bill does not authorize the government to take over any cyber networks. And there are other aspects of this legislation to consider, for example DHS’s new role, legal implications, etc. But at the end of the day, the broad language in the bill, especially as it relates to the National Asset Database, combined with the speed with which an attack could come and the government’s reaction time (the BP disaster in the gulf might provide insight), should give security professionals pause and warrants vigilance as the government takes subsequent steps with this legislation.