New Legislation Would Create Cybersecurity and Infrastructure Security Agency to Address Cyber Threats
Less than a week after the U.S. Department of Homeland Security (DHS) reauthorization act passed the House of Representatives, the House Homeland Security Committee on Wednesday passed two bills to reorganize the cybersecurity operations of the DHS and demand it to report on procedures used to disclose vulnerabilities.
The first of the bills that moved forward this week is the Cybersecurity and Infrastructure Security Agency Act (PDF), which creates a new agency within DHS to improve the Department’s cyber and infrastructure stance.
Sponsored by Homeland Security Committee Chairman Michael McCaul (R-Texas) and the committee’s ranking member Bennie Thompson (D-Miss), the bill states that DHS’s cyber operations division would retain most cybersecurity responsibilities, including the protection of federal networks. It would also be responsible with the sharing of cyber threat information with critical industry sectors–something the DHS has already been doing in various capacities.
Called the Cybersecurity and Infrastructure Security Agency, the new operational entity will be split in three divisions: cybersecurity, infrastructure security, and emergency communications. The bill also states that it will be led by a director who will report to the Homeland Security secretary, along with a deputy director who will assist in managing the Agency and will report to the director.
The second bill the Committee passed on Wednesday is the Cyber Vulnerability Disclosure Reporting Act (PDF). Sponsored by Rep. Sheila Jackson Lee (D-Texas), the legislation requires the Homeland Security secretary to report on how the Department is using vulnerability disclosure programs, with the first report set to be due eight months after the bill’s passage.
“To the extent possible, such report shall include an annex with information on instances in which such policies and procedures were used to disclose cyber vulnerabilities in the year prior to the date such report is required and, where available, information on the degree to which such information was acted upon by industry and other stakeholders,” the bill reads.
In the light of numerous software exploits associated with the National Security Agency made public over the past year by the Shadow Brokers hacking group, Microsoft has warned of the risks that zero-day exploits stockpiled by governments pose, and pushed for the adoption of a PATCH Act that would prevent occurrences such as WannaCry.
The numerous documents WikiLeaks has released over the past several months on CIA hacking tools also spurred debate on governments stockpiling software vulnerabilities instead of reporting them so they could be patched.
Both bills passed unanimously less than a week after the Department of Homeland Security Authorization Act of 2017 passed the House of Representatives on July 20. Not only did the bill reauthorizes the Department, but is represents the first actual authorization for some of its parts.
A bill outline (PDF) reveals the legislation meant to update DHS’ counterterrorism, emergency preparedness, and maritime security programs, bringing changes to the Federal Emergency Management Agency, Coast Guard, Transportation Security Administration, Secret Service, U.S. Citizenship and Immigration Services, and Immigration and Customs Enforcement.
Improved Airport Security
Also directing the streamlining and restructuring of TSA, the bill requires it to “develop and implement a preventative maintenance validation process for security-related technology deployed to airports.” The administration also has to “conduct a comprehensive, agency-wide efficiency review” to streamline and restructure operations to reduce spending.
TSA is also requested to conduct a broad assessment of cyber risks to aviation security, to vet airports and airlines if requested, and enhance cyber threat information sharing across the aviation sector.
The administration is required “to implement a secure, automated system at all airports, for verifying travel and identity documents of passengers who are not members of a Department of Homeland Security (DHS) trusted traveler programs,” and to improve the efficiency of traveler vetting programs such as TSA PreCheck and CBP Global Entry. Additionally, the agency would be required to test automated and biometric-based systems at airports to verify the identity memebers of the TSA PreCheck and other DHS trusted traveler programs.
“The committee believes that the minimum security standards for airport security set forth by the Chicago Convention established by the International Civil Aviation Organization are not robust enough in the current threat environment where we have repeatedly seen terrorist organizations planning attacks targeting aviation. Therefore, the committee believes the United States should take a leadership role at the ICAO in building consensus among member states to raise these standards,” section 1522 reads.
Cybersecurity at U.S. ports
Section 1403 of the bill amends the Maritime Transportation Security Act (MTSA) and formally gives the U.S. Coast Guard (USCG) responsibility for cybersecurity at ports.
“While USCG does not currently have operational authority of cybersecurity at ports, it is responsible for ensuring that cybersecurity is part of the USCG approved facility security plan for ports,” the bill reads.
The U.S. Coast Guard will also be tasked with stepping up cyber protections at U.S. ports and helping port operators share cyber threat information.
“The Committee believes that our ports and the automated systems that control them are vulnerable to cyber-attacks, which could be devastating to the transit of international commerce, says the bill. “While USCG inspects and approves what are known as “facility security plans” at ports twice a year, these plans are not currently required to have a cybersecurity strategy. The Committee believes that requiring facility operators to have a cybersecurity plan, and providing them with a mechanism to share best practices and receive current intelligence, is critical to maintaining the uninterrupted flow of maritime commerce and the security of our ports.”
Emergency Preparedness, Response, and Communications
The bill also sets aside $800 million for each of the fiscal years from 2018 through 2022 for the Urban Area Security Initiative, designed to help urban areas better prepare to prevent and respond to acts of terrorism. The funds would be used “to (1) enhance medical preparedness, and (2) enhance cybersecurity,” section 1606 of the bill reads.
“The Committee has heard that, while improving, the flow of federal cyber threat and risk information to State and local emergency response providers is slow and overclassified. Additionally, for several years now, FEMA has released an annual National Preparedness Report, which highlights the States’ 32 core capabilities, as defined by the National Preparedness Goal. Since the first National Preparedness Report was released in 2012, States have ranked their cybersecurity capabilities as one of their lowest,” the bill reads, noting that the current process of information sharings has “caused emergency response providers to be reactive rather than proactive” in addressing cyber threats.
The bill also requires the Director of the Office of Emergency Communications to submit an annual report that “must include specific information on the Office’s efforts to: promote communication among emergency response providers during disasters; conduct nationwide outreach to foster the development of interoperable emergency communications capabilities; and provide interoperable emergency communications technical assistance to State, regional, local, and tribal government officials.”
The DHS reauthorization act demands that the Secret Service increase the annual number of training hours for officers and agents. Additionally, it states that the Secret Service director has to be confirmed by the Senate, instead of being appointed directly by the president, and authorizes the construction of facilities to improve training.
According to Homeland Security secretary John Kelly, the bill should help DHS better carry tasks, suggesting that the reauthorization act would improve morale throughout the Department.
“[The bill] allows us to study disaster preparedness and response, so we can find ways to help communities recover faster, in a cost-effective way. It gives first responders the training and equipment they need to counter today’s terrorist threats. And it improves the Department’s information sharing capabilities, so our state, local, tribal and territorial partners can stay up to date on the threats facing our communities, in both the cyber and the physical world,” Kelly stated.
Now that it has passed the House of Representatives, the reauthorization bill heads to the Senate. However, there is no schedule yet for considering it.
In an official statement, President Donald J. Trump commended the House’s vote: “Since its formation nearly fifteen years ago in response to the terrorist attacks of September 11, 2001, DHS has been on the front lines of the Federal Government’s efforts to keep the American public safe. I look forward to signing this important legislation and I encourage the United States Senate to take it up without delay,” President Trump said.
The libertarian-leaning House Liberty Caucus, on the other hand, opposes the bill, suggesting it was rushed: “Such a vast, significant piece of legislation demands debate and input from the full membership of the House of Representatives. Instead, this bill overhauling the department and authorizing billions of dollars is being rushed to the floor, ensuring representatives have no time to vet its countless provisions,” the Liberty Caucus reportedly stated.