The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Congress poised to allow DHS to take the lead on federal cybersecurity

with Bastien Inzaurralde


After years of debate, Congress is poised to vote on legislation that would cement the Department of Homeland Security’s role as the government’s main civilian cybersecurity authority. 

The Cybersecurity and Infrastructure Security Agency Act, which has been in the works since the Obama administration, would give the department a stand-alone cybersecurity agency with the same stature as other DHS units, such as the Federal Emergency Management Agency. The Senate could vote on the bill, which passed in the House last year, as early as this week as it takes up a slew of cybersecurity-related legislation. 

Approving the legislation would mark a major shift in Congress’s views on whether DHS should lead the government’s efforts to protect federal computer networks, power plants and other critical infrastructure from digital attacks. Attempts to make DHS the government’s civilian cybersecurity hub have stalled amid resistance from some lawmakers who say the relatively young agency isn’t as well equipped to deal with cyberthreats as the National Security Agency or the FBI.

“It would be a sea change,” said Chris Cummiskey, a former undersecretary at DHS. “This is a capstone saying, ‘The debate is over — at least in who Congress says should take the lead here.’ ”

Congress has taken some steps in recent years to expand DHS’s cybersecurity authorities, passing legislation such as the 2015 Cybersecurity Information Sharing Act, which tasked the agency with exchanging threat information with the private sector. But lawmakers have stopped short of handing over the reins entirely, allowing other agencies with cyber components to keep asserting control over civilian cybersecurity. In the meantime, the dozens of congressional committees that claim jurisdiction over DHS have tussled over who should be in charge. Passing this legislation would quell those disputes, Cummiskey told me.

“Up until now there’s been a series of bills that have chipped away at this notion that multiple agencies should have primary roles. This is a much more definitive statement,” he said. “It won’t eradicate these arguments and turf wars completely, but they will fall by the wayside.”

There’s nothing particularly radical about the bill, which was introduced by House Homeland Security Committee Chairman Michael McCaul (R-Tex.). It would rebrand the National Protection and Programs Directorate, DHS’s main cybersecurity unit, as the Cybersecurity and Infrastructure Protection Agency and turn it from a component of DHS headquarters into a fully operational agency. The NPPD undersecretary, Chris Krebs, would be elevated to director.

The White House has urged Congress to pass the bill, which proponents say will allow the  government to respond more quickly to threats against the 16 critical infrastructure sectors it’s charged with defending. “We need it,” said Frank Cilluffo, a former  homeland security adviser to President George W. Bush. “In a perfect world we wouldn’t, but now more than ever you have a threat that’s blinking pretty red, and it’s happening every day.” 

Even if Congress passes the legislation, however, it’s unlikely to ease some skeptics' concerns about whether DHS is the right agency for the job. Just this month,  retired Army general and former CIA director David H. Petraeus wrote in Politico that DHS “has such a vast portfolio of responsibilities that it can’t possibly give cybersecurity the attention and resources it requires.” He called instead for an independent National Cybersecurity Agency to coordinate federal cybersecurity efforts.

Indeed, the legislation is no silver bullet. DHS has struggled to get private sector companies to share information about cyberthreats — and the bill would turn up the pressure on the agency to change that if it becomes law, Cummiskey said. 

“The challenge will be convincing the private sector that it’s in their best interests to work with this new entity in order to enhance cybersecurity,” he said. “At the end of the day, changing the name and shuffling the org chart doesn’t do it.”


PINGED: In a new book exploring the effects of Russian interference in the 2016 election, Kathleen Hall Jamieson, director of the Annenberg Public Policy Center at the University of Pennsylvania, “offers a forensic analysis of the available evidence and concludes that Russia very likely delivered Trump’s victory,” the New Yorker's Jane Mayer reported. In her book, titled “Cyberwar: How Russian Hackers and Trolls Helped Elect a President — What We Don’t, Can’t, and Do Know,” Jamieson does not say that Russian operatives tampered with voting equipment but claims instead that they influenced voters' behavior, according to the New Yorker.

“In two hundred and twenty-four pages of extremely dry prose, with four appendixes of charts and graphs and fifty-four pages of footnotes, Jamieson makes a strong case that, in 2016, ‘Russian masterminds’ pulled off a technological and political coup,” Mayer wrote. “Moreover, she concludes, the American media ‘inadvertently helped them achieve their goals.’ ”

Jamieson also makes the case that Trump's rhetoric during the campaign and Russia's interests converged. “Jamieson argues that the impact of the Russian cyberwar was likely enhanced by its consistency with messaging from Trump’s campaign, and by its strategic alignment with the campaign’s geographic and demographic objectives,” Mayer wrote. “Had the Kremlin tried to push voters in a new direction, its effort might have failed. But, Jamieson concluded, the Russian saboteurs nimbly amplified Trump’s divisive rhetoric on immigrants, minorities, and Muslims, among other signature topics, and targeted constituencies that he needed to reach.”

PATCHED: Connecticut plans to spend federal funds from the U.S. Election Assistance Commission on additional voting equipment, security upgrades and other improvements to the state's election infrastructure, according to a press release from Connecticut's office of the secretary of the state issued Monday. “Although the threat of foreign interference in our elections is very real, Connecticut’s cyberdefenses have already repelled a targeting by the Russian government in 2016, and our election cybersecurity infrastructure is strong and getting stronger,” Connecticut Secretary of the State Denise W. Merrill said in a statement. Connecticut, which received about $5 million in federal funding, also plans to use the money to train local election officials and hire a full-time cybersecurity consultant.

Merrill detailed Connecticut's plan on Monday alongside the state's two Democratic U.S. senators, Chris Murphy and Richard Blumenthal, the Connecticut Mirror's Mark Pazniokas reported. “The three elected officials, all Democrats, focused on cyber security at a press conference publicizing the receipt of a $5.1 million grant to upgrade the state’s elections infrastructure, with $1.8 million going to bolster security,” Pazniokas wrote. “But the grant program was created for a more mundane reason: Newer voting systems, which rely on electronic technology, need to be updated more frequently than mechanical voting machines.”

PWNED: China is “clearly, or likely to be” violating agreements it reached with the United States, Australia and Germany not to engage in cybertheft of intellectual property for commercial purposes, according to a report released Monday by the nonpartisan think tank Australian Strategic Policy Institute. “Despite initial hopes that China had accepted a distinction between (legitimate) traditional political–military espionage and (illegal) espionage to advantage commercial companies, assessments from the three countries suggest that this might be wishful thinking,” the report said. “China appears to have come to the conclusion that the combination of improved techniques and more focused efforts have reduced Western frustration to levels that will be tolerated.”

In the case of the United States, Chinese cyberattacks for commercial gain declined in 2016 after the two countries struck a deal in September 2015. “There is, however, increasing evidence that Chinese hackers re-emerged in 2017 and are now violating both the letter and the spirit of the agreement,” according to Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations, who wrote the chapter of the report about the United States.

Moreover, Segal explains, a decision by the Chinese People's Liberation Army to reorganize its cyber forces appears to have weighed more heavily than the deal between the two countries in reducing the number of attacks in 2016. “Without significant pushback, China is likely to believe that it has reached a new equilibrium with Washington defined by an absolute smaller number of higher impact cyber operations,” Segal wrote.

At the University of Louisville Sept. 24, CIA Director Gina Haspel said the agency was adopting a focus on nations that challenge or threaten the United States. (Video: McConnell Center at the University of Louisville)

— “The Central Intelligence Agency is rededicating itself to the kinds of missions that defined the agency for most of its seven-decade existence, focusing on foreign nations that challenge or threaten the United States, its director said here Monday,” The Washington Post's Shane Harris reported. “In her first public remarks since being confirmed in May, Gina Haspel laid out her plan to return the agency to the work that was at the heart of its espionage mission before the attacks on Sept. 11, 2001, which transformed the CIA into a paramilitary organization that conducted lethal operations against terrorists around the word.”

— “In a move that underscored the centrality of cyberwarfare to the Defense Department’s national security mission, the Pentagon’s Defense Innovation Unit has named former Symantec chief executive Michael A. Brown managing director,” The Post's Aaron Gregg reported Monday. The organization, which was created in 2015, aims to establish closer links between tech companies and the military, according to my colleague. “Brown’s appointment puts an end to speculation about whether the fledgling agency would survive its first presidential transition,” Aaron wrote. “The agency was championed by Obama administration Secretary of Defense Ashton B. Carter as part of a broader set of technology initiatives termed ‘the Third Offset.’ It has been without a permanent managing director after Raj Shah left in February.” 

— More cybersecurity news from the public sector:

Google plans to send a top executive to Congress after facing criticism (Tony Romm)

In this election security drill, Massachusetts cops battle hackers to protect the vote (CyberScoop)

White House Outlines Move from ‘Cloud First’ to ‘Cloud Smart’ (Nextgov)

Watchdog dings contractors for IRS tax day outage (FCW)

Court ruling could change how SC votes. Will it stop elections from being hacked? (The State)


A thief stole my phone. Strong encryption saved me. (Robyn Greene)

Reddit's Largest Pro-Trump Subreddit Appears To Have Been Targeted By Russian Propaganda For Years (BuzzFeed News)

Microsoft does away with more passwords (TechCrunch)

A Seemingly Small Change to Chrome Stirs Big Controversy (Wired)

When Reporting on Defcon, Avoid Stereotypes and A.T.M.s (The New York Times)


— “The United Nations accidentally published passwords, internal documents, and technical details about websites when it misconfigured popular project management service Trello, issue tracking app Jira, and office suite Google Docs,” the Intercept's Micah Lee reported on Monday. “The mistakes made sensitive material available online to anyone with the proper link, rather than only to specific users who should have access. Affected data included credentials for a U.N. file server, the video conferencing system at the U.N.’s language school, and a web development environment for the U.N.’s Office for the Coordination of Humanitarian Affairs.”

Kushagra Pathak, a security researcher, reported the leak to the United Nations on Aug. 20 but the organization did not begin removing the exposed data until Sept. 13 after it was contacted by the Intercept, Lee reported. ​​​​“Pathak has become something of a specialist in finding private information on public Trello boards,” according to the Intercept. “Earlier this year, he discovered a range of private data, including passwords and security plans, belonging to the governments of the United Kingdom and Canada on 50 unprotected boards. Before that, he uncovered a large swath of sensitive data on Trello belonging to dozens of other organizations, including a ‘well-known ride-sharing company.’”

— More cybersecurity news from abroad:

All over Europe, suspected Russian spies are getting busted (Rick Noack)


Beware of Hurricane Florence Relief Scams (

The New YubiKey Will Help Kill the Password (Wired)


Coming soon


“I've never sexually assaulted anyone”: Key takeaways from Kavanaugh's Fox News interview

Supreme Court nominee Brett M. Kavanaugh sat down for his first TV interview since facing allegations of sexual misconduct. Here are some highlights. (Video: Melissa Macaya/The Washington Post)

Indian sailor rescued from yacht stranded off Australian coast:

Solo yachtsman Abhilash Tomy was rescued Sept. 24, three days after being stranded almost 2,000 miles off Australia's coast during the Golden Globe race. (Video: Reuters)

Rare two-headed copperhead snake discovered in Va.:

JD Kleopfer reported a snake with two heads on Sept. 17 in Woodbridge, Va. (Video: JD Kleopfer/Virginia Dept of Game and Inland Fisheries via Storyful)