After years of debate, Congress is poised to vote on legislation that would cement the Department of Homeland Security’s role as the government’s main civilian cybersecurity authority.
The Cybersecurity and Infrastructure Security Agency Act, which has been in the works since the Obama administration, would give the department a stand-alone cybersecurity agency with the same stature as other DHS units, such as the Federal Emergency Management Agency. The Senate could vote on the bill, which passed in the House last year, as early as this week as it takes up a slew of cybersecurity-related legislation.
Approving the legislation would mark a major shift in Congress’s views on whether DHS should lead the government’s efforts to protect federal computer networks, power plants and other critical infrastructure from digital attacks. Attempts to make DHS the government’s civilian cybersecurity hub have stalled amid resistance from some lawmakers who say the relatively young agency isn’t as well equipped to deal with cyberthreats as the National Security Agency or the FBI.
“It would be a sea change,” said Chris Cummiskey, a former undersecretary at DHS. “This is a capstone saying, ‘The debate is over — at least in who Congress says should take the lead here.’ ”
Congress has taken some steps in recent years to expand DHS’s cybersecurity authorities, passing legislation such as the 2015 Cybersecurity Information Sharing Act, which tasked the agency with exchanging threat information with the private sector. But lawmakers have stopped short of handing over the reins entirely, allowing other agencies with cyber components to keep asserting control over civilian cybersecurity. In the meantime, the dozens of congressional committees that claim jurisdiction over DHS have tussled over who should be in charge. Passing this legislation would quell those disputes, Cummiskey told me.
“Up until now there’s been a series of bills that have chipped away at this notion that multiple agencies should have primary roles. This is a much more definitive statement,” he said. “It won’t eradicate these arguments and turf wars completely, but they will fall by the wayside.”
There’s nothing particularly radical about the bill, which was introduced by House Homeland Security Committee Chairman Michael McCaul (R-Tex.). It would rebrand the National Protection and Programs Directorate, DHS’s main cybersecurity unit, as the Cybersecurity and Infrastructure Protection Agency and turn it from a component of DHS headquarters into a fully operational agency. The NPPD undersecretary, Chris Krebs, would be elevated to director.
The White House has urged Congress to pass the bill, which proponents say will allow the government to respond more quickly to threats against the 16 critical infrastructure sectors it’s charged with defending. “We need it,” said Frank Cilluffo, a former homeland security adviser to President George W. Bush. “In a perfect world we wouldn’t, but now more than ever you have a threat that’s blinking pretty red, and it’s happening every day.”
Even if Congress passes the legislation, however, it’s unlikely to ease some skeptics' concerns about whether DHS is the right agency for the job. Just this month, retired Army general and former CIA director David H. Petraeus wrote in Politico that DHS “has such a vast portfolio of responsibilities that it can’t possibly give cybersecurity the attention and resources it requires.” He called instead for an independent National Cybersecurity Agency to coordinate federal cybersecurity efforts.
Indeed, the legislation is no silver bullet. DHS has struggled to get private sector companies to share information about cyberthreats — and the bill would turn up the pressure on the agency to change that if it becomes law, Cummiskey said.
“The challenge will be convincing the private sector that it’s in their best interests to work with this new entity in order to enhance cybersecurity,” he said. “At the end of the day, changing the name and shuffling the org chart doesn’t do it.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: In a new book exploring the effects of Russian interference in the 2016 election, Kathleen Hall Jamieson, director of the Annenberg Public Policy Center at the University of Pennsylvania, “offers a forensic analysis of the available evidence and concludes that Russia very likely delivered Trump’s victory,” the New Yorker's Jane Mayer reported. In her book, titled “Cyberwar: How Russian Hackers and Trolls Helped Elect a President — What We Don’t, Can’t, and Do Know,” Jamieson does not say that Russian operatives tampered with voting equipment but claims instead that they influenced voters' behavior, according to the New Yorker.
“In two hundred and twenty-four pages of extremely dry prose, with four appendixes of charts and graphs and fifty-four pages of footnotes, Jamieson makes a strong case that, in 2016, ‘Russian masterminds’ pulled off a technological and political coup,” Mayer wrote. “Moreover, she concludes, the American media ‘inadvertently helped them achieve their goals.’ ”
Jamieson also makes the case that Trump's rhetoric during the campaign and Russia's interests converged. “Jamieson argues that the impact of the Russian cyberwar was likely enhanced by its consistency with messaging from Trump’s campaign, and by its strategic alignment with the campaign’s geographic and demographic objectives,” Mayer wrote. “Had the Kremlin tried to push voters in a new direction, its effort might have failed. But, Jamieson concluded, the Russian saboteurs nimbly amplified Trump’s divisive rhetoric on immigrants, minorities, and Muslims, among other signature topics, and targeted constituencies that he needed to reach.”
PATCHED: Connecticut plans to spend federal funds from the U.S. Election Assistance Commission on additional voting equipment, security upgrades and other improvements to the state's election infrastructure, according to a press release from Connecticut's office of the secretary of the state issued Monday. “Although the threat of foreign interference in our elections is very real, Connecticut’s cyberdefenses have already repelled a targeting by the Russian government in 2016, and our election cybersecurity infrastructure is strong and getting stronger,” Connecticut Secretary of the State Denise W. Merrill said in a statement. Connecticut, which received about $5 million in federal funding, also plans to use the money to train local election officials and hire a full-time cybersecurity consultant.
Merrill detailed Connecticut's plan on Monday alongside the state's two Democratic U.S. senators, Chris Murphy and Richard Blumenthal, the Connecticut Mirror's Mark Pazniokas reported. “The three elected officials, all Democrats, focused on cyber security at a press conference publicizing the receipt of a $5.1 million grant to upgrade the state’s elections infrastructure, with $1.8 million going to bolster security,” Pazniokas wrote. “But the grant program was created for a more mundane reason: Newer voting systems, which rely on electronic technology, need to be updated more frequently than mechanical voting machines.”
PWNED: China is “clearly, or likely to be” violating agreements it reached with the United States, Australia and Germany not to engage in cybertheft of intellectual property for commercial purposes, according to a report released Monday by the nonpartisan think tank Australian Strategic Policy Institute. “Despite initial hopes that China had accepted a distinction between (legitimate) traditional political–military espionage and (illegal) espionage to advantage commercial companies, assessments from the three countries suggest that this might be wishful thinking,” the report said. “China appears to have come to the conclusion that the combination of improved techniques and more focused efforts have reduced Western frustration to levels that will be tolerated.”
In the case of the United States, Chinese cyberattacks for commercial gain declined in 2016 after the two countries struck a deal in September 2015. “There is, however, increasing evidence that Chinese hackers re-emerged in 2017 and are now violating both the letter and the spirit of the agreement,” according to Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations, who wrote the chapter of the report about the United States.
Moreover, Segal explains, a decision by the Chinese People's Liberation Army to reorganize its cyber forces appears to have weighed more heavily than the deal between the two countries in reducing the number of attacks in 2016. “Without significant pushback, China is likely to believe that it has reached a new equilibrium with Washington defined by an absolute smaller number of higher impact cyber operations,” Segal wrote.
— “The Central Intelligence Agency is rededicating itself to the kinds of missions that defined the agency for most of its seven-decade existence, focusing on foreign nations that challenge or threaten the United States, its director said here Monday,” The Washington Post's Shane Harris reported. “In her first public remarks since being confirmed in May, Gina Haspel laid out her plan to return the agency to the work that was at the heart of its espionage mission before the attacks on Sept. 11, 2001, which transformed the CIA into a paramilitary organization that conducted lethal operations against terrorists around the word.”
— “In a move that underscored the centrality of cyberwarfare to the Defense Department’s national security mission, the Pentagon’s Defense Innovation Unit has named former Symantec chief executive Michael A. Brown managing director,” The Post's Aaron Gregg reported Monday. The organization, which was created in 2015, aims to establish closer links between tech companies and the military, according to my colleague. “Brown’s appointment puts an end to speculation about whether the fledgling agency would survive its first presidential transition,” Aaron wrote. “The agency was championed by Obama administration Secretary of Defense Ashton B. Carter as part of a broader set of technology initiatives termed ‘the Third Offset.’ It has been without a permanent managing director after Raj Shah left in February.”
— More cybersecurity news from the public sector:
— “The United Nations accidentally published passwords, internal documents, and technical details about websites when it misconfigured popular project management service Trello, issue tracking app Jira, and office suite Google Docs,” the Intercept's Micah Lee reported on Monday. “The mistakes made sensitive material available online to anyone with the proper link, rather than only to specific users who should have access. Affected data included credentials for a U.N. file server, the video conferencing system at the U.N.’s language school, and a web development environment for the U.N.’s Office for the Coordination of Humanitarian Affairs.”
Kushagra Pathak, a security researcher, reported the leak to the United Nations on Aug. 20 but the organization did not begin removing the exposed data until Sept. 13 after it was contacted by the Intercept, Lee reported. “Pathak has become something of a specialist in finding private information on public Trello boards,” according to the Intercept. “Earlier this year, he discovered a range of private data, including passwords and security plans, belonging to the governments of the United Kingdom and Canada on 50 unprotected boards. Before that, he uncovered a large swath of sensitive data on Trello belonging to dozens of other organizations, including a ‘well-known ride-sharing company.’”
— More cybersecurity news from abroad:
- Senate Commerce Committee hearing on data privacy tomorrow.
- Two Senate Armed Services subcommittees hold a hearing on the Defense Department's “cyber operational readiness” tomorrow.
- House Energy subcommittee hearing on the Energy Department's Office of Cybersecurity, Energy Security, and Emergency Response on Thursday.
“I've never sexually assaulted anyone”: Key takeaways from Kavanaugh's Fox News interview
Indian sailor rescued from yacht stranded off Australian coast:
Rare two-headed copperhead snake discovered in Va.: