S 3511 Introduced - Satellite Cybersecurity
Earlier this month, Sen Peters (D,MI) introduced S 3511, the Satellite Cybersecurity Act. The bill would require CISA to establish a commercial satellite system cybersecurity clearinghouse and to develop voluntary cybersecurity recommendations designed to assist in the development, maintenance, and operation of commercial satellite systems. No funding is authorized by this bill.
Definitions
Section 2 of the bill provides four key definitions used in the bill:
Commercial satellite system,
Critical infrastructure (42 USC 5195c(e)),
Cybersecurity risk (6 USC 659), and
Cybersecurity threat (6 USC 1501).
Additionally, §4(a) provides three key definitions used in §4 of the bill:
Director, and
Small business concern (15 USC 632)
GAO Satellite Cybersecurity Study
Section 3 of the bill requires the Government Accountability Office (GAO) to provide a report to Congress within one year of the bill being passed on the actions the Federal Government has taken to support the cybersecurity of commercial satellite systems. The report will include information on:
The effectiveness of efforts of the Federal Government in improving the cybersecurity of commercial satellite systems,
The resources made available to the public by Federal agencies to address cybersecurity threats to commercial satellite systems,
The extent to which commercial satellite systems are reliant on or are relied on by critical infrastructure and an analysis of how commercial satellite systems, and the threats to such systems, are integrated into Federal and non-Federal critical infrastructure risk analyses and protection plans,
The extent to which Federal agencies are reliant on commercial satellite systems and how Federal agencies mitigate cybersecurity risks associated with those systems, and
The extent to which Federal agencies coordinate or duplicate authorities and take other actions focused on the cybersecurity of commercial satellite systems.
CISA Responsibilities
Section 4(b) requires CISA to establish the Commercial Satellite System Cybersecurity Clearinghouse. The Clearinghouse will:
Be publicly available online,
Contain publicly available commercial satellite system cybersecurity resources, and
Include materials specifically aimed at assisting small business concerns with the secure development, operation, and maintenance of commercial satellite systems.
Section 4(c) goes on to require CISA to develop voluntary cybersecurity recommendations designed to assist in the development, maintenance, and operation of commercial satellite systems. Those recommendations will include:
Risk-based, cybersecurity-informed engineering, including continuous monitoring and resiliency,
Planning for retention or recovery of positive control of commercial satellite systems in the event of a cybersecurity incident,
Protection against unauthorized access to vital commercial satellite system functions,
Physical protection measures designed to reduce the vulnerabilities of a commercial satellite system’s command, control, and telemetry receiver systems,
Protection against communications jamming and spoofing,
Security against threats throughout a commercial satellite system’s mission lifetime,
Management of supply chain risks that affect cybersecurity of commercial satellite systems,
As appropriate, the findings and recommendations from the study conducted by the Comptroller General of the United States under section 3(a), and
Any other recommendations to ensure the confidentiality, availability, and integrity of data residing on or in transit through commercial satellite systems.
Moving Forward
Peters is the Chair of the Senate Homeland Security and Governmental Affairs Committee, the committee to which this bill was assigned for consideration. This should ensure that there is adequate influence to see this bill considered in Committee. Since the bill only requires the development of ‘voluntary’ security measures, I do not see any significant organized objections interfering with the consideration of this bill. I suspect that the bill will pass out of Committee with at least some level of bipartisan support.
Commentary
We continue to see problems with the definitions used by congressional staff in the crafting of cybersecurity legislation that affects operational technology or control systems that directly affect physical systems. In this case, the two cybersecurity terms defined in §2 are IT-restrictive definitions. The term ‘cybersecurity risk’ from 6 USC 659 is based upon the IT-restricted definition of ‘information system’. Even the term ‘cybersecurity threat’, while based upon the control-system-inclusive definition of ‘information system’ from 6 USC 1501, refers to actions that “adversely impact the security, availability, confidentiality, or integrity of an information system”.
These definitions would suffice if the legislation were only concerned with the information transiting commercial satellites, but the required cybersecurity recommendations from CISA are specifically required to address protecting ‘vital commercial satellite system functions’ and the ‘satellite system’s command, control, and telemetry receiver systems’. Again, the definitions just do not match the requirements.
For more information on what changes to cybersecurity definitions need to be made to adequately reflect control system and operational technology cybersecurity needs, please see my post from February 2019.