Building off the momentum of launching its National Risk Management Center last month, the Homeland Security Department has renewed its pitch to Congress to approve an agency reorganization that would streamline DHS’ cybersecurity functions.
Matthew Travis, the deputy undersecretary of DHS’ National Programs and Protection Directorate (NPPD), urged lawmakers to approve a long-awaited name change for the organization, which he said would better advertise its role in protecting agencies from cyber threats.
Insight by LookingGlass: Federal technology experts provide insight into how agencies are approaching cybersecurity in the new virtual climate in this exclusive executive briefing.
“I’m not a grammar snob, but when you look at that construction, it’s problematic on a number of fronts,” Travis said Tuesday at the Digital Government Institute’s 930gov Conference in Washington. “One, cyber’s not in the name. Two, if they just called us the National Protection Directorate, that would be fine. That covers what we do. And if they called it the National Protection Programs Directorate, that’s fine. It’s a little wordy, but we do run programs. But it’s the National Protection and Programs Directorate. It sounds like we do national protection over here and we’re doing some interesting stuff over here that’s not related.”
A bill sponsored by Rep. Michael McCaul (R-Texas), the chairman of the House Homeland Security Committee, would rebrand NPPD as the Cybersecurity and Infrastructure Security Agency, to better reflect its mission.
The bill would move two agencies out of NPPD — the Federal Protective Service, which employs about 1,200 sworn officers and 15,000 security officer contractors, and the Office of Biometric and Identity Management, which supports agencies like TSA, CBP, the Coast Guard and U.S. embassies around the world.
“That’s an important mission. That’s certainly protecting critical infrastructure in terms of federal facilities or critical infrastructure, but it’s not necessarily in the cyber fight,” Travis said.
That restructuring would leave NPPD with core cyber programs like the National Cybersecurity and Communications Integration Center (NCCIC) and the National Risk Management Center, which Travis said would create “more unified model” for the agency.”
“It’s that type of streamlining of our own internal organization, as well as a name change, that will help us recruit better. It’s tough to go out to Silicon Valley, recruit the best and the brightest when you have kind of a clunky name,” Travis said. “We hope the Senate gives us that legislation to allow us to call ourselves what we are, which is the nation’s cyber defense and risk management agency, as well to be able to communicate what we do more clearly to our stakeholders and to the general public.”
At an agency cybersecurity summit last month, Vice President Mike Pence signaled his support for renaming NPPD. DHS Secretary Kirstjen Nielsen said she supported the name change shortly after her confirmation last year.
The House passed the bill last December, but senators haven’t moved on the legislation since April, when the Homeland Security and Governmental Affairs Committee passed McCaul’s bill as part of a broader reauthorization of DHS.
The bill has yet to receive a full Senate vote. Earlier this month, McCaul urged the chamber to act the NPPD legislation, as well as a slew of other cybersecurity bills.
“I encourage the Senate to take up these key measures quickly so we can provide the direction and support needed to best combat an ever-evolving cyber threat landscape to keep the American people and our democracy safe and secure,” McCaul said in an Aug. 8 statement.
DHS plans to use the National Risk Management Center as a one-stop shop for sharing cyber threat information with major industries, starting with banks, electric companies and telecommunications companies.
But in order to get a better sense of threat landscape, the agency will release a full inventory of national critical functions, and the industries that keep them running.
“When you think about are those drivers that enable our economy to function — that provide for our security, that really propel our way of life — maybe there’s 10, maybe there’s 20. We’re actually going to publish later this fall what we think they are,” Travis said.
Last week, Mark Kneidinger, the director of federal network resilience at DHS’ Office of Cybersecurity and Communications, said the agency is working on a “short sprint” to get the National Risk Management Center ready to engage with its industry partners,
But in actuality, Travis says the new agency is essentially a rebranding of an existing entity, the Office of Cyber and Infrastructure Analysis.
“We’ve not created anything new, but we’re taking an entity within our organization that was geared to doing analysis on cyber and physical infrastructure and refocusing it to be more inclusive of private-sector input to help us reduce risk and confront this threat,” he said.
Going forward, Travis said the National Risk Management Center will serve a complementary role to NCCIC.
“The NCCIC is our watch floor, and that’s where we operate our cyber operations, that’s where we share that information. That’s almost long-game, short-game. When we’re responding to the here-and-now, day-to-day, that’s the NCCIC,” he said.
By comparison, the National Risk Management Center will look take a broader look at merging cyber threats, and will work to develop joint strategies with the private sector.
“The National Risk Management Center is the long game. That’s where we need to start spending more time, investing more energy, into understanding that threat, and how we can buy down risk over the long-term,” Travis said.