Last month Rep. McCaul (R,TX) introduced HR 5074, the DHS Cyber Incident Response Teams Act of 2018. The bill would amend the authorizing language (6 USC 148) for the National Cybersecurity and Communications Integration Center (NCCIC) to establish cyber hunt and incident response teams within that organization.
Cyber Response Teams
Section 2 of the bill would require the NCCIC to maintain ‘cyber hunt and incident response teams’. These teams would be used ‘upon request’ to provide {new §148(f)(1)}:
• Assistance to asset owners and operators in restoring services following a cyber incident;
• The identification of cybersecurity risk and unauthorized cyber activity;
• Mitigation strategies to prevent, deter, and protect against cybersecurity risks;
• Recommendations to asset owners and operators for improving overall network and control systems security to lower cybersecurity risks, and other recommendations, as appropriate.
The NCCIC would be authorized to use cybersecurity specialists from the private sector on these teams.
Moving Forward
McCaul is the Chair of the House Homeland Security Committee to which this bill was assigned for consideration. That would make it a near certainty that this bill would be considered in committee in the not too distant future. Its movement to the House floor is not so clear.
I see nothing in this bill that would draw significant opposition, particularly since no new funds are authorized to financially support these teams. I suspect that this bill would receive bipartisan support, both within the Committee and on the floor of the House. I am concerned, however, about the lack of a Democrat cosponsor.
Commentary
The biggest problem with this bill is that the authorizing language is, of necessity, included in §148. That section continues to rely on an IT-limited definition of ‘information systems’ {§148(a)(5)} that does not include industrial control systems. The specific use of the terms ‘cyber risk’ and ‘incident’, with the definitions of both tied specifically to that system definition, only aggravates the issue.
Having said that, the bill does specifically include ‘control system security’ in the description of support that the teams would provide. Unfortunately, the term ‘control system security’, as well as the problematic ‘cyber hunt’, are left undefined. This bill would have been a good spot to make the changes in definitions that I have suggested in earlier posts (here for example).
The oddest part of the bill is found in the new §148(f)(4) where the obligatory reports to Congress are mentioned. This bill would only require reports from the NCCIC to congressional committees once every four years on the activities of these new teams and there is no requirement for any GAO or DHS IG follow-up reporting. It is almost as if McCaul is saying: “We do not want to know what these teams are doing. Don’t bother us and we won’t bother you.” [OOPS, it says "each of the first four fiscal years"; so annual reporting is required. 03-20-18 08:30 EDT]
Finally, there is the funding issue. Section 2(b) of the bill specifically states that no additional funds are authorized and that the activities are to “be carried out using amounts otherwise authorized to be appropriated”. This means that the money and personnel headcount to support these teams are going to have to come at the expense of some other NCCIC processes. This is almost certainly the reason that the bill specifically authorizes the use of private sector cybersecurity specialists on the teams. Contractors are cheaper (no federal benefits, specifically retirement costs) and there are no practical headcount limitations.