Inside Cybersecurity

October 25, 2020

The Weekly Analysis

DHS cyber-agency bill may finally come to pass; will it make a difference?

September 24, 2018

The frenetic recent efforts by Senate Homeland Security and Governmental Affairs Chairman Ron Johnson (R-WI) to secure final passage of a long-stalled DHS reorganization measure may finally pay off -- prompting the next question: whether creation of a cyber agency at the Department of Homeland Security actually improves cybersecurity.

The bill was originally crafted by House Homeland Security Chairman Michael McCaul (R-TX) and passed that chamber last December. The Cybersecurity and Infrastructure Security Agency Act is intended to consolidate cyber functions at DHS within an agency that would replace the current National Protection and Programs Directorate headed up by Under Secretary Christopher Krebs.

Krebs, DHS Secretary Kirstjen Nielsen and her predecessor Jeh Johnson have all been ardent champions of the legislation.

But it's been stuck in Senate limbo, pushed behind other issues on the priority list, tied and then untied to broader DHS reauthorization legislation -- which is, itself, bogged down -- and finally, subjected to the objections of any single senator, over any issue, relevant or not to a new DHS cyber agency.

Sen. Johnson in recent weeks has been trying to secure unanimous approval from his Senate colleagues through a “hotlining” procedure, and while it's unclear whether any and all possible objections have been cleared away, it appears the legislation could be waved through the Senate as soon as this week.

Johnson told Inside Cybersecurity last week that he was “not sure if there are any objections or not” to hotlining the bill, but that “we are trying to get it done.”

Lawmakers are expected to be in session until about Oct. 12 before decamping for the campaign trail and an extended legislative break scheduled to run until the week of Nov. 12.

But if cleared, the cyber-agency bill could be on the president's desk within days. President Trump and Vice President Pence have called for its passage, so a final signature isn't in doubt.

Krebs -- whose own nomination was hung up for a while in the Senate over an unrelated objection -- said the CISA measure would give his directorate a clearer identity and focus, which supporters have long argued is essential both in dealing with other agencies and with the broader cyber ecosystem.

“The National Protection and Programs Directorate has been a leader in U.S. cybersecurity efforts for over a decade, but as the threat continues to grow and evolve, so should we,” Krebs said in a statement provided to Inside Cybersecurity. “This legislation allows us to focus on our core risk management mission and gives us a name -- the Cybersecurity and Infrastructure Security Agency -- that clearly describes who we are and what we do. I am encouraged by Chairman Johnson’s efforts in the Senate and look forward to working with Congress on full passage of this critical legislation.”

Michael Daniel, president and CEO of the Cyber Threat Alliance and former White House cybersecurity coordinator, noted an important structural benefit from the legislation.

“What's more important than a name change is transforming that organization from a DHS Headquarters element to a DHS operational component,” Daniel said in an email to Inside Cybersecurity. “This will, in effect, elevate DHS's cyber organization to the same standing as DHS’s other operational elements, such as the Coast Guard, FEMA, and the Secret Service. That change alone will better help them carry out their mission. As a result, I strongly support the legislation.”

McCaul explained the benefits on the House floor last year, saying, “The legislation before us streamlines the infrastructure of the National Protection and Programs Directorate and re-designates it as the Cybersecurity and Infrastructure Security Agency. This realignment will achieve DHS’s goal of creating a stand-alone, operational organization focusing on and elevating the vital cybersecurity mission of the Department.”

Further, McCaul said, “This bill requires the appointment of a Director who is responsible for leading cybersecurity and infrastructure programs, and operations for the agency; developing and utilizing mechanisms for active and frequent collaboration with sector specific agencies; and coordinating and implementing comprehensive strategic plans and risk assessments for the agency.”

Clarifying DHS' cyber identity and responsibilities seems to make sense, regardless of other questions, because NPPD is a bureaucratic creation from another era, when DHS was being hammered together out of multiple components from various agencies in the aftermath of 9/11.

Lawmakers have raised questions about whether the proposed changes would cause problems such as silos separating subject-matter experts or unwisely diminishing aspects of the directorate's mission. But those questions seem to have been largely addressed on Capitol Hill.

Perhaps the more significant questions relate to what's not in the bill.

“The questions that should be asked,” said former White House cyber advisor Melissa Hathaway, who served both Presidents Obama and George W. Bush, include “Why now? [For the] appearance of progress?”

And, she asked, “What does it change? … What will be done differently?”

Based on what this legislation contains, Hathaway concluded: “Nothing.”

The bill includes no new authorities for DHS, she observed, or streamlining of operational capacities, or new reporting standards.

“What has DHS done in cyber over the last X years -- what progress/outcomes in the infrastructure mission has been achieved?” she asked. “Are we better for DHS? What will this improve?”

Hathaway said, “DHS’ ambitious goals should not be compromised by bureaucratic structures and processes that masquerade the appearance of progress.”

Of course, when it comes to legislation, progress in the cyber domain is an inch-by-inch endeavor that sometimes falls years behind whatever issue lawmakers are intending to address. Such has been the criticism of the Cybersecurity Act of 2015, which focused on cyber info-sharing -- and has had tangible benefits -- but took years to get through Congress while the cyber threat environment went through multiple evolutions.

But one of McCaul's hallmarks as chairman of the Homeland Security panel -- a post he'll be leaving due to term limits on chairs -- has been getting the institutional structures right so DHS can respond to an evolving threat like cyber. His committee has passed numerous bills along these lines, as recently as this month.

And sometimes, simply getting the name right is an important step toward effectively engaging in the battle. -- Charlie Mitchell (cmitchell@iwpnews.com), with Maggie Miller (mmiller@iwpnews.com)