Last week the House Intelligence Committee issued their
report on HR 5077, the Intelligence Authorization Act for Fiscal Year 2017.
While there is little in the bill that directly concerns cybersecurity, the
topic receives a significant amount of attention in the Committee Report.
Cybersecurity Concerns
As with the cybersecurity
mention in the actual bill, the Committee Report coverage of the topic is
mainly limited to requirements for reports to Congress. The
cybersecurity-related reports include:
• Unclassified cybersecurity incident information sharing with the National Cybersecurity and Communications Integration Center (NCCIC);
• Increasing the DHS I&A’s utilization of cybersecurity expertise of the National Labs; and
• Improving the cybersecurity training within national intelligence program (NIP) funded undergraduate and graduate computer science programs.
The one actual cybersecurity action requirement found in the
Committee Report deals with supply chain security issues for the intelligence
community (IC). The Committee is concerned that current IC acquisition guidelines
do not adequately address cybersecurity issues in the supply chain. The
Committee is requiring the Director of National Intelligence (DNI) to review
and consider revising those guidelines to:
• Expand risk management criteria in the acquisition process to include cyber and supply chain threats;
• Require counterintelligence and security assessments as part of the acquisition and procurement process;
• Propose and adopt new education requirements for acquisition professionals on cyber and supply chain threats; and
• Factor in the cost of cyber and supply chain security.
Moving Forward
The floor debate on HR 5077 took place yesterday evening and
a recorded vote was requested. That vote should take place today. As I
mentioned earlier, I expect that the bill will pass with substantial bipartisan
support.
Commentary
It is heartening to see the Intelligence Committee endorse
unclassified information sharing about cybersecurity incidents. The
intelligence community by its very nature is secretive in their operations and
is reluctant to share the information they gain from their activities for fear
of compromising their intelligence collection assets and techniques. Extracting
information of any sort from that classified data that can be shared with a
wider audience is a difficult undertaking for the intelligence community and
they need to be continuously prodded by their overseers to ensure that they
make a reasonable effort to do so.
In my very brief time working in tactical level intelligence
in the Army I learned first-hand how difficult it is to sort through classified
intelligence data to extract out useful information for those at the point of
the spear that could be shared without compromising the data collection
process. The absolutely necessary vetting and approval process for the
unclassified intelligence products produced almost made the effort
counterproductive and did make it very difficult to produce useable
time-sensitive information. The effort really was worthwhile and should be
actively pursued at all levels in the intelligence community.