Eager to remake the Department of Homeland Security’s cybersecurity arm into an “operational” agency, DHS secretary Kirstjen Nielsen called on Congress Wednesday to pass legislation authorizing and rebranding the National Protection and Programs Directorate by the end of the year.
“We have to get it done,” Nielsen said in remarks at George Washington University. “Everyone agrees that DHS is on point for the civilian dot-gov domains, we’re on point for helping critical infrastructure and now we’re on point for helping state and locals protect their elections. We have the mission space, but we are not able to organize to meet that operational space, and we need to be an operational component.”
Nielsen said the name change is important. Listing cybersecurity and infrastructure explicitly is both an indication to stakeholders of where the agency is going, and puts it on par with other agencies that are also cyber-minded.
“It helps us work with international partners, and it really helps the private sector understand where to go and how they can interact with us,” she said.
That “operational” agency’s mission would include a more assertive federal response to foreign cyber attacks.
“We will respond, and we will respond decisively,” Nielsen said. “Our adversaries have been warned: the days of cyber surrender are over.”
She characterized Russian interference in the 2016 presidential election as “a direct attack on our democracy,” and repeated the intelligence community’s assessment that the influence campaign was personally directed by President Vladimir Putin.
Quickening the pace of cyber attack response
Nielsen said the first priority was to increase the speed at which the government is able to confidently arrive at assessments like those. But once it does, going forward, the response will be severe.
“Some of that will be seen, some of that will be unseen to make sure that adversary knows that there are consequences,” she said. “And I think the response needs to be more than commensurate [with the original attack]. By the time a country is attacking civilian networks, civilian assets, it’s not a fair fight. That’s not how the international world has created norms and standards, and I don’t think it should be commensurate. I think it should be more.”
DHS officials have previously said that they believe they already have all of the statutory authorities they need to defend public and private networks, notwithstanding the need to change NPPD’s name and enshrine its missions in federal law.
That’s not the case in some other DHS mission spaces, she said. In particular, the secretary highlighted what she said was a growing threat from the widespread availability and use of remotely-piloted aircraft.
Under current law, Nielsen said, the department and its agencies are required to seek a warrant before they can even begin to track a drone they suspect is being used by terrorist or criminal groups.
“People can’t believe we don’t have the authorities we need to identify, monitor, track and interdict this threat in the homeland, but we just don’t,” she said. “The drones fly 140 miles per hour. I would have to figure out how to get a warrant just to be able to track it, and that still doesn’t give me the authority to mitigate it. There are — limited authorities the Department of Defense has to protect DoD facilities here, and we have some very limited authority within the Secret Service. But Congress just has to do it. It’s bipartisan, it’s time, it’s a clear threat, and it’s here now. I hope they choose to take it up this fall.”