The upcoming lame-duck session of Congress is poised to deliver the top item on the Department of Homeland Security’s wish list — a bill paving the way for the DHS to create the government’s first cyber-specific agency — but whether that translates into real security improvements remains an open question.
The department’s cyber responsibilities range from sharing “threat indicators” — the telltale signs of a possible coming hack — with businesses and other government agencies to helping the private sector secure critical infrastructure, like telecom networks.
The DHS has received mixed reviews over the years on these functions, which led to some congressional hesitancy to codify its cyber role.
For instance, “timeliness and relevance are still the top-tier complaints” about how the DHS handles its cyber info-sharing, said Melissa Hathaway, who served as a top cybersecurity adviser to Presidents George W. Bush and Barack Obama. The agency’s intervention isn’t always in time, and it struggles to recognize and prioritize the truly meaningful threats.
And, said the chief information security officer of a prominent developer of cybersecurity products, “People are generally not aware of the DHS tools.” That means companies that fear they’re a target of cyber-crime call the FBI instead.
Proponents of the bill say it’ll iron out a few such wrinkles.
Consolidating and clarifying the DHS’s cyber functions in a standalone Cybersecurity and Infrastructure Security Agency was the brainchild of House Homeland Security Chairman Michael McCaul, R-Texas, and his legislation passed that chamber almost a year ago.
McCaul, over three terms as chairman dating back to the beginning of 2013, has systematically bolstered the DHS’s cyber capabilities; by the end of the year, it’s likely that eleven significant cyber bills produced by his committee will have been signed into law, including the Cybersecurity Act of 2015, designed to facilitate info-sharing between the DHS and the private sector, as well as a passel of bills in 2014.
In the process, McCaul managed to navigate concerns from other committees that the DHS might be gaining cyber authority at the expense of departments under their jurisdictions, working out painstaking agreements with his congressional counterparts in negotiations that sometimes stretched over years.
McCaul — who is term-limited out of the chairmanship even if Republicans hold the House — was often a one-man band drumming up support for the DHS’s cyber work among rank-and-file lawmakers, many of whom were ill-disposed toward the department because of its controversial immigration and airport security policies.
The cyber-agency bill was a prime example — work on that began almost immediately after passage of the Cybersecurity Act in December 2015, and is only now coming to fruition.
McCaul says the bill answers the question of who to call for help in fending off cyber attacks. Under the current DHS structure, most but not all cyber functions are clumped into the National Protection and Programs Directorate, to be renamed the Cybersecurity and Infrastructure Security Agency under the bill.
“The National Protection and Programs Directorate has been a leader in U.S. cybersecurity efforts for over a decade, but as the threat continues to grow and evolve, so should we,” said its current leader, DHS under secretary Christopher Krebs.
The Senate in October passed a slightly tweaked version of the McCaul bill, sponsored by Senate Homeland Security and Governmental Affairs Chairman Ron Johnson, R-Wis., and ranking member Claire McCaskill, D-Mo.
Sources close to McCaul said differences in the House and Senate bills are slight and should be quickly resolved when lawmakers return in mid-November.
That means a final bill could be heading to President Trump before the year ends. The Trump administration, like the Obama administration, supports the legislation.
But will it help improve security — or is the name change just window dressing? Or, perhaps, a mix of substance and helpful PR?
Robert Mayer, senior vice president for cybersecurity at the United States Telecom Association, said: “The most significant impact from the legislation may be one of perception.”
He explained, “The new Cybersecurity and Critical Infrastructure Agency classification establishes the DHS as the central focal point for engagement with federal and non-federal entities on cybersecurity, arguably akin to the stature of FEMA or NASA. At the operational level, immediate changes will occur at the margins, while critical enhancements continue to evolve at a strong pace.”
Congress has already positioned the DHS at the heart of efforts to exchange threat information with the private sector, but critics say the department has yet to fully stand up in that role.
“The actual threat intelligence is coming from the private sector,” said Sean Hays, a cybersecurity analyst at American Express Global Business Travel. “It’s frustrating that one of the largest consumers and producers of intelligence — the U.S. government — doesn’t face the same obstacles [as private entities] but isn’t taking the lead.”
Pat Campbell, who performs “threat hunt and adversary simulation” in the financial sector, said bureaucracy, obstacles to declassifying sensitive info to actually share with companies, and an inability to retain talent amid competition from the private sector limit the DHS’s cyber info-sharing abilities.
The cyber-agency legislation does not include new authorities or mandates on these issues.
But some industry representatives say the criticism on info-sharing misses the mark.
Jim Linn of the American Gas Association asserted that the DHS has been “very aggressive in providing threat information” to private-sector partners through entities known as information sharing and analysis centers, or ISACs.
Scott Algeier, executive director of the information technology sector’s “ISAC,” said, “the DHS and government in general are working pretty hard to share more quickly what they are able to.”
That’s the kind of message the DHS wants to hear as Congress moves toward applying a stamp of approval to the department’s cyber role and efforts.
Moving forward, said a business-sector source closely involved in policy discussions with the DHS, “We need an ongoing dialogue to discuss [cybersecurity] scenarios, actions, and consequences in ways that lead to more certainty about roles and responsibilities” between government and industry.
Launching such a dialogue would align neatly with the long-sought creation of the DHS cyber agency, the source asserted.