HR 2596 Introduced – FY 2016 Intel Authorization Bill

Last week Rep. Nunes (R,CA) introduced HR 2596, the Intelligence Authorization Act for Fiscal Year 2016. Normally I don’t pay much attention to these intel bills because the good stuff is kept in the classified annex and classified report, but a reader urged me to take a look and sure enough there is a cybersecurity provision in the bill.

Cyber Threat Intelligence Integration Center

Section 307 of the bill amends Title I of the National Security Act of 1947 (50 USC 3021 et seq) by adding a new section 119B to formally establish the Cyber Threat Intelligence Integration Center within the office of the Director of National Intelligence. The function of the CTIIC would be to {new §119B(c)}:

∙ Serve as the primary organization within the Federal Government for analyzing and integrating all intelligence possessed or acquired by the United States pertaining to cyber threats;

∙ Ensure that appropriate departments and agencies of the Federal Government have full access to and receive all-source intelligence support needed to execute the cyber threat intelligence activities of such agencies and to perform independent, alternative analyses;

∙ Disseminate cyber threat analysis to the President, the appropriate departments and agencies of the Federal Government, and the appropriate committees of Congress;

∙ Coordinate cyber threat intelligence activities of the departments and agencies of the Federal Government; and

∙ Conduct strategic cyber threat intelligence planning for the Federal Government.

The bill would limit the CTIIC staff to 50 people and it would have to be ‘housed’ in a facility already owned by the Intel Community.

Moving Forward

The House Rules Committee will meet tomorrow to formulate the rule for this bill. It will almost certainly allow for only limited amendments. Twenty-four proposed amendments are currently listed on the Committee web site. There are a number of cyber related amendments listed but none that would have any real effect on civilian cybersecurity activities.

Commentary

While it might seem odd that the CTIIC has no language about sharing threat intelligence with the private sector, this function would be undertaken by elements within DHS. Similarly, DOD would be responsible for sharing the cyber threat intelligence information with the Defense Industrial Base.