House Homeland Security Chairman Michael McCaul, R-Texas, is tantalizingly close to achieving one of his top remaining cybersecurity goals — a year before he gives up the gavel after six years of running the committee — in creating a prominent, stand-alone cybersecurity agency within the Department of Homeland Security.
The Cybersecurity and Infrastructure Security Agency Act was unanimously approved by the House on Dec. 11, and the fate of McCaul's bill is now in the hands of Senate Homeland Security and Governmental Affairs Chairman Ron Johnson, R-Wis., and other senators, who apparently want to make some last-minute tweaks to the measure.
“I’d kind of like to see a couple tweaks to it,” Johnson said. “[But] we’re going to do anything we can to facilitate that passage.”
Johnson previously said such legislation wouldn't move in the Senate until next year, but the House's unanimous passage of the bill seems to have convinced the Wisconsin Republican to revisit that timeline.
“We're hopeful that there's room for additional action” this year, said a source close to the House Homeland Security Committee. “We've been in constant contact with our Senate contacts.”
With Congress approaching its holiday adjournment, the measure most likely would have to be cleared for approval by unanimous consent on the Senate floor, and the House would have to sign off on any changes.
The bill would consolidate cyber functions at the department and dispense with the awkwardly named National Protection and Programs Directorate, or NPPD, in favor of a cybersecurity agency with a clear title and responsibilities.
The legislation was strongly backed by DHS leadership under both Presidents Trump and Obama.
“I want to personally thank Chairman McCaul for his tireless work to reach this important milestone in furtherance of the Department of Homeland Security’s mission,” new DHS Secretary Kirstjen Nielsen said in a statement on Dec. 11. “This legislation, which has bipartisan support, has been a priority of this Administration from day one. I look forward to continuing to work with Congress to move this important legislation forward.”
Getting this bill to the president's desk would culminate a years-long effort by McCaul to better define how the government approaches the cybersecurity of its own systems as well as how it will protect the critical private-sector networks that power the economy.
The final House version of the Cybersecurity and Infrastructure Security Agency Act sprang from a “long series of talks” and “strong communications” among the Homeland Security, Oversight and Government Reform, Energy and Commerce, and Transportation committees, according to homeland panel sources.
The bill passed the House Homeland Security Committee in late July, but was the subject of inter-committee discussions for months both before and after that markup.
The Oversight and Government Reform, Energy and Commerce, and Transportation and Infrastructure panels all were granted referrals of the bill when it was introduced, and the committees have at times butted heads over DHS issues including cyber over the years.
A January memorandum of understanding, signed by those four committees and four other House panels, addressed jurisdictional issues related to an overall reauthorization of DHS, but also set the stage for action on McCaul's cyber agency bill.
The House Homeland Security source said, “There were a lot of long conversations among the committees but it never got sticky. Everyone wanted to come to an agreement.”
As staff focused on the goals for the legislation and NPPD's current functions, the source said, they gradually crafted language that “strengthened and built upon” cybersecurity roles played by other departments and agencies, and ensured that DHS recognizes those roles.
The prospect of DHS gobbing up cybersecurity jurisdiction at the expense of other departments has long been a source of concern on Capitol Hill — more so, perhaps, than among the departments themselves. But the 2015 FAST Act, which codifies the Department of Energy's role on electric grid cybersecurity, helped provide a model for the agreement, the Homeland Security Committee source said.
The McCaul legislation is not intended to bring dramatic operational changes to DHS or drastically revamp its relationships with industry, the source explained.
“Our goal wasn't to do a big overhaul or change,” the source said. “We hear the work at the NCCIC [National Cybersecurity and Communications Integration Center] is going well, for example.”
The goal, the source said, was to make it “known that this is an organization responsible for cybersecurity. We wanted to make clear its mission,” both to government and nongovernment audiences.
“Now, when they knock on the door, they can say, 'I'm with the cybersecurity agency.'”
In addition to elevating the cyber mission, the source said, “it creates a structure for us to conduct oversight by clearly defining cybersecurity and other infrastructure protection activities. It will be easier to ask these questions in oversight.”
The House's action this week makes it likely that the new cybersecurity agency will become a reality sometime soon. It's up to the Senate to determine whether that means before the end of 2017.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America's Struggle to Secure Cyberspace,” published by Rowman and Littlefield.