Thursday, September 21, 2017

S 1800 Introduced – DOD Electric Grid Security

Last week Sen. Warren (D,MA) introduced S 1800, the Securing the Electric Grid to Protect Military Readiness Act of 2017. The bill is nearly identical to SA 867, Warren’s proposed amendment to HR 2810 on the same topic. It addresses efforts to protect the electrical distribution systems on military installations.

Moving Forward

Warren is a member of the Senate Armed Services Committee to which this bill was referred for consideration. This means that she may have enough influence to have the Committee consider the bill.

I do not see anything in this bill that would engender any significant opposition. If the bill were to be considered it would be likely to pass with at least some bipartisan support.

Commentary

There is nothing in this bill that directly addresses cybersecurity concerns for the industrial control system associated with military power distribution systems. A lot of the language seems to be IT-centric (for example: “to deny access to or degrade, disrupt, or destroy an information and communications technology system or network” {§2(c)(4)(A)} in the definition of ‘significant malicious cyber-enabled activities’).


I doubt that DOD would fail to address ICS security issues in the required studies and reports, but it would certainly be helpful if the bill specifically addressed requirements for ICS security considerations. I suspect that the failure to do so reflects a continued failure on the part of Congress to recognize the different issues involved with ICS security.

Wednesday, September 20, 2017

Senate Passes HR 2810 – FY 2018 NDAA

On Monday the Senate passed HR 2810, the FY 2018 National Defense Authorization Act (NDAA) by a strongly bipartisan vote of 89 to 8; even the opposition was bipartisan with three Republicans, four Democrats and one Independent voting Nay.

Of all of the amendments that I discussed in my series of blog posts over the last two weeks, only three were adopted:

• Reed (for Kaine) Amendment No. 1089, to establish opportunities for scholarships related to cybersecurity.
• McCain (for Portman) Amendment No. 712, to require a plan to meet the demand for cyberspace career fields in the reserve components of the Armed Forces.
• McCain (for Portman) Amendment No. 1055, to require a report on cyber applications of blockchain technology.

They were all considered as part of an en bloc amendment [pgs S5787-8] offered by Sen. McCain (R,AZ) at the end of the final debate on HR 2810. The en bloc amendment was adopted by unanimous consent [pg S5796].

Since there are significant differences between the versions of this bill passed in the House and Senate, it is very likely that there will be a conference committee appointed. There is, however, a very slight chance that the House will agree to the Senate amendment to the bill when it returns from their week working in their districts.

Tuesday, September 19, 2017

ICS-CERT Publishes PHOENIX CONTACT Advisory

Today the DHS ICS-CERT published a control system security advisory for products from PHOENIX CONTACT. They also provided a link to a British publication: “Code of Practice CyberSecurity for Ships”.

PHOENIX CONTACT Advisory

This advisory describes ten improper access control vulnerabilities in the PHOENIX CONTACT mGuard Device Manager. The vulnerabilities are related to the Oracle Java SE implementation in the product. These vulnerabilities were self-reported by PHOENIX CONTACT. They have a new version that mitigates the vulnerabilities.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to allow unauthorized remote access, modification of data, and may allow remote and local users to gain elevated privileges.

Once again, we see vulnerabilities caused by third-party software, and there is an open question about what other software systems have the same vulnerabilities. It is interesting that these 10 Oracle vulnerabilities are all dated in 2017. That makes it even more likely that other vendors using the same Oracle software will not yet have discovered or mitigated the vulnerabilities in their products.

Cyber Security for Ships

The code of practice document was produced for the British Government by the Institution of Engineering and Technology. It provides a high-level overview of the topic including an interesting overview of the threat environment for the shipping industry. Appendix D provides a non-technical description of how mitigation measures can be developed and Appendix H provides a lengthy bibliography of cybersecurity standards for both IT and operational systems.

HR 3712 Introduced – Reserve Cybersecurity Units

Earlier this month Rep. Kilmer (D,WA) introduced HR 3712, the Major General Tim Lowenberg National Guard Cyber Defenders Act. The bill would provide specific authorization for military reserve component cyber civil support teams. NOTE: For more on Gen. Lowenberg see here and here.

Emergency Preparedness Programs

Section 2 of the bill amends 10 USC 12310(c), which provides for military reservists to be used in an active duty role in support of emergency preparedness programs. It would add a new subparagraph (1)(E) to add “An attack or natural disaster impacting a computer, electronic, or cyber network” to the list of covered emergencies for which the emergency preparedness programs would be appropriate.

The bill then goes on to add a new subparagraph (3)(B) that would specifically allow an individual reservist or “a reserve component cyber civil support team” to provide emergency preparedness support for the newly added cyber-attacks or disasters.

Cyber Civil Support Team Authorization

Section 3 of the bill requires that each state will have (within 5 years) “an operational reserve component cyber civil support team composed of reserve component members of the Armed Forces” {§3(a)}. To be considered operational each Cyber Civil Support Team would be required to be able to {§3(c)}:

• Perform duties relating to analysis and protection in support of responding to emergencies involving an attack or natural disaster impacting a computer, electronic, or cyber network;
• Advise and coordinate on any incident deemed critical for the protection of life, property, and maintenance of good order for the Governor;
• Cooperate with and assist private sector owners and operators of critical infrastructure and key resources;
• Collaborate and participate in information sharing with Federal, State, and local Fusion Centers, emergency management authorities, and emergency management divisions; and
• Coordinate with elements of the Department of Homeland Security.

Section 4 of the bill ensures that these Cyber Civil Support Teams are specifically covered by the provisions of the Freedom of Information Act under 5 USC 552.

Section 5 of the bill provides for a spending authorization of $50 million for support of the requirements of this bill.

Moving Forward

Neither Kilmer nor his two cosponsors {Rep. Palazzo (R,MS) and Rep. Heck (D,WA)} are members of the House Armed Services Committee to which this bill was assigned for consideration. This means that the bill is very unlikely to be considered in that Committee; pretty much ensuring that the bill will not get to the floor of the House for a vote.

There is nothing in this bill which would engender any serious opposition to its passage. The one major drawback to the bill is the spending authorization, but that is one area where Kilmer and Palazzo have some influence, since they are both on the House Appropriations Committee. If the bill were to be considered it is quite likely that it would receive substantial bipartisan support.

Commentary

While there is a great deal of talk in Congress about protecting critical infrastructure from cyber-attacks, there does not seem to be too much that the military can do to protect the vast majority of critical infrastructure cyber-systems that are owned by the private sector. In fact, there is a very real argument that the private sector is responsible for that and should pay for that protection via activities either in-house or through a wide variety of organizations in the ever-expanding cybersecurity marketplace.

However, where cyber breaches have a physical impact on the community beyond the boundaries of critical infrastructure, there is certainly a need for the kind of support outlined in this bill. What concerns me about the approach taken in the bill is the focus on post-incident response instead of emergency preparedness planning.

Planning for the potential consequences of broad-impact cybersecurity incidents is a prerequisite for effective responses to such wide-scale incidents. In fact, the §12310(c) program was founded on the idea that providing one or two professional planners (military folks are, after all, as much planners as they are fighters) to local government emergency-response planning agencies was a cost-effective way of helping to mitigate the consequences of terrorist attacks and natural disasters.

All but the largest local government agencies are ill prepared to plan for or respond to cyber-attacks on critical infrastructure. Most have problems enough providing for their own cybersecurity prevention efforts, much less the time or resources to plan for attacks on privately owned critical infrastructure affecting their area. Cyber Civil Support Teams under State control could provide another (though still limited) resource for local governments involved in the planning process.

Friday, September 15, 2017

Senate Amendments to HR 2810 (FY 2018 NDAA) – 9-14-17

On Thursday, after voting to close debate on the McCain substitute language amendment (SA 1003), the Senate agreed to a final vote on HR 2810, the FY 2018 National Defense Authorization Act (NDAA), at 5:30 pm EDT on Monday, September 18th, 2017. Meanwhile, more amendments continue to be proposed. In addition to the previously proposed amendments (see here, here, here, here and here) a large number of possible amendments to HR 2810 were proposed in the Senate on Thursday; only one of which may be of specific interest to readers of this blog:

SA 1089. Mr. KAINE - SEC. 1661. Cyber Scholarship Opportunities Act of 2017 (pgs S5768-9);

Cyber Scholarships

Amendment SA 1089 is pretty nearly the same as SA 849 that Sen. Kaine (D,VA) proposed on September 7th, 2017. The only difference is that the latest version removes the section on ‘Findings’ that explains why Kaine thinks that cyber scholarships are necessary.

This amendment would require that the current Federal Cyber Scholarship-for-Service program (15 USC 7442) be expanded to include a pilot program of scholarships at at least five community colleges for students who are pursuing associate degrees or specialized program certifications in the field of cybersecurity and either “have bachelor’s degrees; or are veterans of the armed forces” {§1662(a)(2)}. No additional funding is provided for the new scholarship requirements.

Commentary

Just a reminder, as of this writing, none of the amendments that I have addressed in this series of blog posts (with the obvious exception of SA 1003) have even been considered on the floor of the House, much less adopted. There is a remote chance that some may be considered on Monday, but I do not really expect it.

This large number of amendments proposed for a ‘must pass’ bill like the NDAA is not unusual. With the political horse trading involved in getting enough votes to pass a bill like this, there is always the possibility that some pet bit of legislative language can be inserted via the Senate amendment process. It takes relatively little effort by a Senator’s staff to craft most of these amendments (frequently just cut and paste from a previously submitted bill), so it is kind of like buying a $1 lottery ticket when the pot is really high. A piece of legislation that might never see the light of day in the normal legislative process can become law because it was attached to an important bill.

A less well-known fact is that one of these little suspected gems may have already been added to the substitute language that was offered on this bill. I certainly did not do a full detailed analysis of every portion of the bill. Getting a new section added or a current section slightly revised can be the price of support for a bill like this. Depending on how much McCain trusts his committee staff and how significant the change was, he may not even know the details about those types of changes to the substitute language before it was proposed.

This is one of the reasons that I do not try to cover each of the potentially interesting amendments with the same level of detail as I use to cover interesting legislation. There is a very small chance of the amendments being considered or passed. The effort that I do make reflects bits of legislative language that I find illustrative of either poorly or well written legislative language, unique ideas, or really slick pieces of legislative legerdemain.

Bills Introduced – 09-14-17

With both the House and Senate preparing to leave for their weekend recess, there were 64 bills introduced yesterday. Of those, two may be of specific interest to readers of this blog:

HR 3776 To support United States international cyber diplomacy, and for other purposes. Rep. Royce, Edward R. [R-CA-39]

S 1821 A bill to establish the National Commission on the Cybersecurity of United States Election Systems, and for other purposes. Sen. Gillibrand, Kirsten E. [D-NY]

I am not sure what ‘cyber diplomacy’ is, but if it concerns control system security issues I will be covering HR 3776 here.

I do not really plan to expand the focus of this blog to include detailed coverage of election cybersecurity issues, but I will be watching S 1821 for the definitions it uses and the scope of coverage of the Commission.

Thursday, September 14, 2017

Senate Amendments to HR 2810 (FY 2018 NDAA) – 9-13-17

Yesterday the Senate actually began consideration of HR 2810, the FY 2018 National Defense Authorization Act (NDAA). Meanwhile, more amendments continue to be proposed. In addition to the previously proposed amendments (see here, here, here and here) a large number of possible amendments to HR 2810 were proposed in the Senate yesterday; including five that may be of specific interest to readers of this blog:

• SA 1003. Mr. MCCAIN - National Defense Authorization Act for Fiscal Year 2018 substitute language (pgs S5487-671);
• SA 1009. Mr. SASSE - cyberspace solarium commission (pgs S5674-6);
• SA 1019. Ms. HARRIS - pilot program on integrating into the department of defense workforce individuals with cybersecurity skills and technical expertise whose services are supported by private persons (pg S5678);
• SA 1025. Mr. WHITEHOUSE - botnet prevention (pgs S5680-1); and
• SA 1055. Mr. PORTMAN - report on cyber applications of blockchain technology (pgs S5701-2).

Substitute Language

The substitute language (SA 1003) from Sen. McCain (R,AZ), and the staff of the Senate Armed Services Committee, is arguably the most important amendment to be offered to date, as it will form the working basis for the language that will be considered on the floor of the Senate. This language is based (as expected) on S 1519, the original Senate NDAA bill, and it includes each of the cybersecurity related sections that I identified in S 1519.

Cyberspace Solarium Commission

SA 1009 would require DOD to establish the Cyberspace Solarium Commission with a mandate to “develop a consensus on a strategic approach to protecting the crucial advantages of the United States in cyberspace against the attempts of adversaries to erode such advantages” {SA 1009(a)}. The name harkens back to Eisenhower’s 1953 National Security Council Solarium Special Committee that was used to help formulate Eisenhower’s containment strategy vis-à-vis the Soviet Union.

The Commission would be tasked with {SA 1009(f)}:

• Weighing the costs and benefits of various strategic options to reach the goal of protecting the US cyberspace advantage;
• Reviewing adversarial strategies and intentions, current programs for the protection of the US cyberspace advantage, and the capabilities of the Federal Government to understand if and how adversaries are currently being deterred or thwarted in their aims and ambitions; and
• Evaluating the current allocation of resources for understanding adversarial strategies and intentions and protecting the US cyberspace advantage.

Botnet Prevention

This proposed amendment from Sen. Whitehouse (D,RI) and Sen. Graham (R,SC) is very similar to S 2931 that was introduced in the 114th Congress by Graham and Whitehouse. This amendment does not deal with DOD issues, but the Senate rules do allow for the consideration of extraneous amendments.

Moving Forward

The Senate held a cloture vote today on the McCain substitute language amendment and it passed with a bipartisan vote of 84 to 9. When the Congressional Record for today is published tomorrow I expect that we will see that some amendments were dealt with today, but at this point I have no idea which ones.