As Rep. Mike McCaul (R-Texas), chairman of the Homeland Security Committee, gets closer to introducing a bill to begin a major organization at the Homeland Security Department, the agency is undertaking an internal review.
McCaul said at the CTIA Cybersecurity Summit on April 27 in Washington, D.C. that he received comments on the draft bill from the White House and is about ready to introduce the legislation to create a new cyber agency within DHS.
“It was a technical response. Generally, they were very supportive,” McCaul said after his speech. “It was more of the tweaks, which was a good sign that they are generally supportive of developing that mission within DHS.”
In the meantime, DHS has just begun an effort to look at its current set of capabilities and what it will need in the future.
Jeanette Manfra, the acting deputy undersecretary of cybersecurity at DHS, told the CTIA audience the agency has built a lot of tools and services, such as the EINSTEIN and continuous diagnostics and mitigation (CDM) programs, over the last decade and they want to understand if they are making the right investments to deal with the ever-changing cyber environment.
“No decisions are being made, But at this point, we are doing an assessment. We want to partner with industry and, in a lot of ways, we want to push the boundaries in how we partner with industry,” she said. “The majority of our nearly $1 billion budget goes toward developing [dot-gov protection] capabilities. A lot of it is developed in a legacy, perimeter mindset of routing traffic through Trusted Internet Connections (TIC) and putting sensors there, and figuring out how we get the right signatures within that traffic by putting intrusion detection and intrusion protection services as if there is a perimeter. Those are very important capabilities and they are very valuable, but we want to look toward how are we able to at least keep pace with industry in both our security capabilities and to ensure we are able to match our emerging IT modernization effort.”
Phil Reitinger, president and CEO of the Global Cyber Alliance, which is a non-profit focused on operational implementation of reduction of systemic cyber risk, and a former DHS deputy undersecretary of NPPD, said the two efforts are complementary.
Reitinger said McCaul’s effort, the White House’s upcoming executive order around cyber and the DHS internal review are a perfect storm of sorts.
“I think for NPPD to become an operational agency, a couple of things need to happen. The new agency needs to have a strong preference to drive improved risk management in the critical infrastructure sector,” he said. “All EOs I’ve seen talked about driving more risk management and better risk management approaches in government. That is one of the things an effective agency like this could do. If it is given the right resources and authorities, a DHS cyber agency could drive threat agnostic risk management strategies for critical infrastructure so a power plant doesn’t have to worry as much about whether there is a cyber attack or not but rather focus on keeping the grid up and on service delivery because they know where their biggest risks are.”
The type of approach Reitinger is referring to is what McCaul seems to be aiming for.
McCaul said during his speech at the summit that the goal is creating the cyber agency outside of the headquarter’s function, which is where the National Protection and Programs Directorate (NPPD) sits.
“It’s not a priority [today]. It’s not a focused mission that can be streamlined and effective. I think in this evolving threat that we are facing, it’s vitally important that the agency has a separate agency devotedly solely toward cybersecurity,” he said. “We would like to move it quickly as a stand-alone bill. I’m going to re-authorize the entire department. But this is too important and we want to move it as a stand-alone bill. I think it could greatly enhance our efforts.”
In March, McCaul received strong support from former federal cyber executives and private sector experts to create a separate DHS agency focused on cyber.
Christian Beckner, deputy director of the George Washington University’s Center for Cyber and Homeland Security in Washington, D.C., said it’s important for the committee as they finalize the bill to lay out what authorities the new cyber agency will have with respect to the civilian agencies.
“It’s less important to positively spell out everything they should or could do, but make it clear that there is some strong authority over the federal cyber mission,” he said. “At the same time, the committee shouldn’t lock them into the period of time we live in today, based on capabilities, threats and other factors. I don’t think we need a long detailed bill as long as you have clear authorities over these issues and a clear purpose of mission.”
Beckner said DHS can figure out what the reorg finally looks like based on their mission area needs.
Beckner and Reitinger both agreed that the one area Congress must address is the hiring and retaining of the cyber workforce.
Beckner said DHS still is at a competitive disadvantage to the National Security Agency and others when it comes to hiring the most talented cyber workers.
Reitinger said lawmakers should give the new cyber agency the broadest possible hiring and compensation authorities.
“They will need to compete with the private sector, the NSA, other intelligence agencies so they need to make sure those authorities are effective,” he said. “There is no way DHS can do this on a normal competitive service approach. My instinct would be for the entire agency to have exempted service hiring and compensation authorities.”
Beckner added that just like hiring authorities, the cyber agency also would need expanded acquisition authorities to have access to new and emerging cyber technologies.
The need to find and use new and emerging technologies is part of the reason DHS currently is undertaking the internal review.
Manfred said the assessment is looking at whether the current cyber capabilities are meeting their current needs, what more is possible based on policy changes and industry improvements and what have they learned from programs such as CDM and EINSTEIN.
“I think there are a lot of opportunities for us to evolve, particularly as the government begins to take advantage of cloud, mobile and other technologies,” she said.
The capabilities review is also part of the congressionally-mandated cyber strategy. In the 2017 Defense authorization bill, Congress wanted something from DHS by March 23.
“I wanted to do an assessment first to understand where our gaps are and then look at how that flows into both the strategic and budget side of it,” she said. “We need to make sure we work with the new administration and they have a chance to review that. I also wanted to make sure the strategy, our budget and capabilities are all tied together and doing this assessment will feed into that.”