Monday, June 20, 2011

HR 2219 Report – More Cybersecurity Reports

Today the GPO had the report of the House Appropriations Committee on HR 2219 available on-line. I was correct in the supposition in my earlier blog on this bill that the report would contain references to military cyber defense/security operations. The requirements include reports to Congress and changes in the way that the cybersecurity budget is included in the overall DOD Budget.

Report to Congress

As we have come to expect from these Committee reports, the Committee directs the Commander of the Cyber Command to prepare a detailed report on the planned scope of operations of that command. Some of the items that the Committee is requiring to be addressed in the report (pages 207-8) include:

● The goals of the cyber initiative, including cyberspace operations;

● Computer network operations;

● Information assurance;

● The full spectrum cyber operations for the Department of Defense and the Services;

● The organizational structure and responsibilities for each of the participants; and

● The various programs and initiatives in the Department of Defense and the Services that are supporting the cyber goals outlined.
There is nothing that specifies that this report should be unclassified with classified annexes as appropriate. I think we should assume that DOD will ensure that the report is classified. This will help to insure that the distribution is even more limited than most reports to Congress.

Interestingly, there is no mention of how DOD and DHS will work together in overseeing the general cybersecurity of the country. Nor is there any specific mention of control systems issues.

Accounting Change

The Report recommends a change to the way that cybersecurity operations are listed in the DOD budget. They recommend that DOD elevates cyber security operations to “a virtual Major Force Program (MFP) to better coordinate and track the budgets related to cyber activities” (page 208). This would make cyber security/defense spending a readily distinguishable part of the budget process.

Information Sharing

The Committee also expressed their concerns about the Department’s ability to share cyber threat information with the portion of the private sector supporting DOD activities, the Defense Industrial Base. The Committee is concerned that the Department’s reliance on classified threat information makes this information impossible to share with large segments of the supplier base due to the dearth of security clearances available to many of these commercial organizations.

To resolve this issue, the Committee directs the preparation of yet another report to Congress. This report would address “the collaboration and sharing of sensitive but unclassified [SBU] threat information across the entire Defense Industrial Base, including any plans to leverage commercially available services that meet federally mandated security requirements” (pg 208).

Unfortunately, the Committee failed to address the underlying issue that most threat information is still contained in classified documents that cannot be shared through this means. The report should have also addressed the question of requiring the production of SBU versions of all cyber threat intelligence reports.

House Rules Committee Hearing

On a slightly separate note, the House Rules Committee web site today announced that the hearing on HR 2219 will be held on Wednesday evening. That would allow for the House to begin considering this appropriations bill as early as Thursday. I’m sure that we will see another open rule with wide spread floor amendments. Lots of amendments means long hours this week if the House leadership intends for this to be completed this week.

No comments:

/* Use this with templates/template-twocol.html */