HR 5074 Reported in House – Cyber Response Teams

Earlier this month the House Homeland Security Committee published their report on HR 5074, the DHS Cyber Incident Response Teams Act of 2018. The bill was passed in the House on March 19^th. The date on the report is also the 19^th, but the report was not actually published by the GPO until well after the debate and vote in the House.

Authorizing Existing Programs

The report makes it clear that the ‘cyber hunt and incident response teams’ authorized by the bill are, in fact, the activities currently being undertaken by the US-CERT and the National Cybersecurity and Communications Integration Center’s (NCCIC’s) Hunt and Incident Response Teams (HIRT). This is the reason that the bill specifies {§2(b)} that no additional funding is authorized; the funding for these activities is already included in the line items for NCCIC spending.

The provisions of the new 6 USC 148(f)(2) authorizing the use of “cybersecurity specialists from the private sector” on the existing US-CERT and HIRT teams is, however, a potential expansion of the capabilities of those teams. The Report states that allowing the participation of these outside experts would (pg 2) “allow industry professionals to bring innovative approaches and ideas into the federal government and makes progress in bringing the technical expertise and skills that help execute the DHS role in cybersecurity”.

Commentary

Neither the report nor the bill mentions any of the response activities of the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) which also operates as part of the NCCIC and was formerly part of the US-CERT (Actually, the current relationship between the ICS-CERT and the current US-CERT is not actually very clear.) Presumably, since the bill would add the term ‘control systems’ (even though undefined) to §148 {via (f)(1)(D)} the response activities of ICS-CERT, especially their away teams, would fall broadly under the authorization provided in this bill.

Unfortunately, the failure to define the term ‘control system’ or modify the definition of ‘information system’ in §148(a)(5) to specifically include control systems means that this bill would do nothing to actually codify the importance of control system security in NCCIC activities or oversight. This is unlikely to change if/when this bill is considered in the Senate.