Earlier this week, both chambers on Capitol Hill took steps that would increase the Department of Homeland Security’s (DHS) role in the area of cybersecurity. On the Senate side, the Senate Homeland Security and Governmental Affairs Committee approved a DHS reauthorization bill that included amendments to rename and reorganize the DHS National Protection and Programs Directorate (NPPD), to increase protections for certain personally identifiable information (PII), and to emphasize the need for cybersecurity research. On the House side, the House Homeland Security Committee approved the Cyber Incident Response Teams Act, which would establish teams within DHS devoted to cyber incident response.
Department of Homeland Security Reauthorization Bill
On March 7, the Senate Homeland Security and Governmental Affairs Committee approved H.R. 2825, which, if enacted into law, would be the first reauthorization of DHS since it was created in response to the September 11 attacks. The Senate version of the bill added a number of cybersecurity related amendments. Under one amendment, the NPPD would be renamed and reorganized as the Cybersecurity and Infrastructure Security Agency. Among its enumerated responsibilities, this Agency would “lead cybersecurity and critical infrastructure security programs, operations, and associated policy for the Agency, including national cybersecurity asset response activities” and carry out its “cybersecurity and critical infrastructure activities” in coordination with Federal and private entities. On the Senate Committee’s website, Senator Ron Johnson (R-WI), Chairman of the Committee, is quoted as stating, “Establishing an agency within DHS to focus on cyber and infrastructure security will help DHS achieve its missions.” A second amendment would require U.S. Customs and Border Protection (CBP) to remove personally identifiable information, including social security numbers, passport numbers, and residential addresses, from any manifest signed and transmitted to the CBP before it is disclosed to the public. Finally, a third amendment, requires the Under Secretary for Science and Technology to support “research, development, testing, evaluation, and transition of new cybersecurity technologies” and to coordinate those activities with other Federal agencies, industry, and academia. To help spur this development, the bill also extends DHS’ authority to award other transaction authority agreements consistent with the Department of Defense’s recent push for quicker and more flexible agreements with non-traditional contractors.
Two proposed amendments were not included in the bill but it is possible that these amendments could still find their way into the final bill. The first amendment would have increased DHS’ role in assisting states with monitoring and addressing cybersecurity threats and vulnerabilities during their elections. The second amendment would have clarified liability protections for cybersecurity technology developers under the SAFETY Act. Currently, the SAFETY Act offers liability protection to sellers and users of approved anti-terrorism technologies in the event of litigation stemming from acts of terrorism. This amendment would have extended the SAFETY Act program to cybersecurity technologies and services by granting liability protections to industry for a terrorist act or a “declared cyber incident” that is caused by malicious cyber actors. A date has yet to be set for the full Senate to vote on the DHS reauthorization bill. The House passed its version of the bill last July.
Cyber Incident Response Teams Act
Also on March 7, the House Homeland Security Committee unanimously approved H.R. 5074, the Cyber Incident Response Teams Act. This Act would authorize the National Cybersecurity and Communications Integration Center within DHS to establish “cyber hunt and incident response teams.” Such teams would be responsible for assisting “asset owners and operators in restoring services following a cyber incident,” identifying any “cybersecurity risk and unauthorized cyber activity,” and offering both “mitigation strategies to prevent, deter, and protect against cybersecurity risks” and “recommendations to asset owners and operators for improving overall network and control systems security to lower cybersecurity risks.” Some members of the House Committee on Homeland Security have suggested that the Cyber Incident Response Teams’ scope of assistance would also include recommendations regarding the cybersecurity of election infrastructure.
The composition of these Cyber Incident Response Teams would not be limited to just governmental employees. Rather, the Act expressly authorizes the inclusion of “cybersecurity specialists from the private sector,” enabling DHS to rely on specialist expertise outside of the government when addressing threats and attacks. Although the assistance is “upon request,” private companies may be reluctant to permit private sector specialists access to very sensitive information about their networks and/or a potential breach. The Act also would require the National Cybersecurity and Communications Integration Center report every four years to the House Committee on Homeland Security and the Senate Homeland Security and Governmental Affairs Committee. Their report will include the “total number of incident response requests received,” the “number of incident response tickets opened,” and “all interagency staffing of incident response teams,” as well as provide information regarding “interagency collaborations established to support incident response teams.” A date has yet to be set for the full House to vote on the Cyber Incident Response Teams Act.