Friday, March 2, 2018

HR 5074 Introduced – DHS Cyber Response Teams


Last month Rep. McCaul (R,TX) introduced HR 5074, the DHS Cyber Incident Response Teams Act of 2018. The bill would amend the authorizing language (6 USC 148) for the National Cybersecurity and Communications Integration Center (NCCIC) to establish cyber hunt and incident response teams within that organization.

Cyber Response Teams


Section 2 of the bill would require the NCCIC to maintain ‘cyber hunt and incident response teams’. These teams would be used ‘upon request’ to provide {new §148(f)(1)}:

• Assistance to asset owners and operators in restoring services following a cyber incident;
• The identification of cybersecurity risk and unauthorized cyber activity;
• Mitigation strategies to prevent, deter, and protect against cybersecurity risks;
• Recommendations to asset owners and operators for improving overall network and control systems security to lower cybersecurity risks, and other recommendations, as appropriate.

The NCCIC would be authorized to use cybersecurity specialists from the private sector on these teams.

Moving Forward


McCaul is the Chair of the House Homeland Security Committee to which this bill was assigned for consideration. That would make it a near certainty that this bill would be considered in committee in the not too distant future. Its movement to the House floor is not so clear.

I see nothing in this bill that would draw significant opposition, particularly since no new funds are authorized to financially support these teams. I suspect that this bill would receive bipartisan support, both within the Committee and on the floor of the House. I am concerned, however, about the lack of a Democrat cosponsor.

Commentary


The biggest problem with this bill is that the authorizing language is, of necessity, included in §148. That section continues to rely on an IT-limited definition of ‘information systems’ {§148(a)(5)} that does not include industrial control systems. The specific use of the terms ‘cyber risk’ and ‘incident’, with the definitions of both tied to that system definition, only aggravates the issue.

Having said that, the bill does specifically include ‘control system security’ in the description of support that the teams would provide. Unfortunately, the term ‘control system security’, as well as the problematic ‘cyber hunt’ are left undefined. This bill would have been a good spot to make the changes in definitions that I have suggested in earlier posts (here for example).

The oddest part of the bill is found in the new §148(f)(4) where the obligatory reports to Congress are mentioned. This bill would only require reports from the NCCIC to congressional committees once every four years on the activities of these new teams and there is no requirement for any GAO or DHS IG follow-up reporting. It is almost as if McCaul is saying: “We do not want to know what these teams are doing. Don’t bother us and we won’t bother you.” [OOPS, it says "each of the first four fiscal years"; so annual reporting is required. 03-20-18 08:30 EDT]

Finally, there is the funding issue. Section 2(b) of the bill specifically states that no additional funds are authorized and that the activities are to “be carried out using amounts otherwise authorized to be appropriated”. This means that the money and personnel headcount to support these teams are going to have to come at the expense of some other NCCIC processes. This is almost certainly the reason that the bill specifically authorizes the use of private sector cybersecurity specialists on the teams. Contractors are cheaper (no federal benefits, specifically retirement costs) and there are no practical headcount limitations.
