Senate Committee Amends and Adopts HR 2825 – DHS Authorization Bill

Last week the Senate Homeland Security and Governmental Affairs Committee took up HR 2825, the Department of Homeland Security (DHS) Authorization Act of 2017, that was passed in the House last July. The Committee Chair and Ranking Member introduced substitute language that was further amended and adopted in Committee by unanimous consent.

The substitute language was essentially a complete re-write of HR 2825. Much of the DHS Headquarters and acquisition language remains in the new bill. It is missing much of the agency specific (TSA, Coast Guard, etc.) language in the original bill, but it does include (with slight modifications) the provisions of HR 3359, the Cybersecurity and Infrastructure Security Agency Act of 2017.

The following sections in the new version of the bill may be of specific interest to readers of this blog:

§1320. Chemical, biological, radiological, and nuclear intelligence and information

sharing.

§1416. Cyber preparedness.

§1419. Study of the use of grant funds for cybersecurity.

§1601. Cybersecurity and Infrastructure Security Agency.

CBRN Information Sharing

Section 1320 of the bill contains most of the effective language of HR 677, the CBRN Intelligence and Information Sharing Act of 2017 which was passed in the House in February, 2017. One potentially significant change was made in the new 6 USC 2101. In the sub-paragraph {(a)(3)} requiring the DHS Office of Intelligence and Analysis to “support homeland security-focused risk analysis and risk assessments of the homeland security hazards”, the Senate language adds “including the transportation of chemical, biological, nuclear, and radiological materials”.

Cyber Preparedness

Section 1416 of the bill amends 6 USC 148 (to be changed to §2209 by this bill) by adding to the existing information sharing requirements of §148(c) the requirements to include sharing of ‘best practices’ and to share with ‘State, local, and regional fusion centers’. It also contains a non-binding ‘sense of Congress’ statement that DHS “should, to the greatest extent practicable, work to share actionable information in an unclassified form related to such threats” {§1417(b)}.

Grant Funds

Section 1419 of the bill requires DHS to conduct a study looking at how grants provided under the Urban Area Security Initiative and the State Homeland Security Grant Program during the period 2006 thru 2016 have been used to support cybersecurity initiatives. It would also look at the problems related to funding cybersecurity initiatives using these programs with recommendations as to how the process could be improved.

 

Additional Amendments

As must be expected when looking at large-scale authorization bills like this, there were 27 amendments offered during the two days that this bill was under consideration. The submitted and adopted amendments included the addition of the following sections of potential interest to readers of this blog:

• Cybersecurity Research and Development Projects;

• Hack DHS Bug Bounty Pilot Program;

• Briefing on Pharmaceutical-Based Agent Threats;

• Report on Applications and Threats of Blockchain Technology; and

• Cybersecurity Talent Exchange

The R&D projects section requires DHS S&T to conduct/support and transition to use a fairly comprehensive list of research and development activities supporting the Departments cybersecurity responsibilities. The new section relies on the existing IT-limited definitions of 6 USC 148. No additional funds are authorized to support these activities.

The bug bounty provision is essentially the language of S 1281, the Department of Homeland Security (Hack DHS) Act of 2017.

The pharmaceutical agent amendment requires the Department to prepare a briefing for Congress on the potential threat of pharmaceutical agents. That term is defined as “a chemical, including fentanyl, carfentanil, and related analogues, which affects the central nervous system and has the potential to be used as a chemical weapon” {new §1309(d)(2)}.

The blockchain technology amendment would require DHS to report to Congress on the “potential offensive and defensive cyber applications of blockchain technology and other distributed ledger technologies” {new §1306(c)(1)} as well as the potential terrorist use of “distributed ledger-enabled currency and other emerging financial technological capabilities” {new §1306(c)(2)} to fund terrorist operations.

The cybersecurity talent exchange amendment is actually an amendment to another (unpublished) amendment that would establish some sort of program that would allow private-sector cybersecurity experts to work in DHS and allow DHS cybersecurity experts to work with private-sector organizations to enhance the level of cybersecurity expertise in DHS.

Moving Forward

Since this bill was actually considered by the Committee, the chances of it making its way to the floor of the Senate for consideration have been greatly increased. The fact that there was no opposition to this version of the bill in committee indicates that bill could pass with substantial bipartisan support. This bill would almost certainly have to be considered in normal order with all of the attendant amendments and extended debate.

Any bill passed by this process would have to go back to the House for consideration. It would likely end up going to Conference to iron out the differences between the two bills.