Last month Sen. Hassan (D,NH) introduced S 3309, the DHS
Cyber Incident Response Teams Act of 2018. This bill is nearly identical to HR
5074 which was passed
in the House in March on a voice vote. The bill essentially authorizes the existing
response teams of the US-CERT and ICS-CERT in the National Cybersecurity and
Communications Integration Center (NCCIC).
The differences between the two bills are editorial in
nature and are only of interest to legislative grammarians. This new version does
still include the same ‘control system security’ language found in the House
bill. Similarly, it does not include a definition of ‘control system’.
Moving Forward
Both Hassan and her cosponsor, Sen. Portman (R,OH), are
members of the Senate Homeland Security and Governmental Affairs Committee to
which this bill (and HR 5074) was assigned for consideration. Normally, this
would mean that there would be a possibility that the bill could be considered
in Committee. This late in the session, however, I suspect that the only
consideration that this bill will receive is as a potential amendment to the
DHS authorization bill when that bill comes up for consideration after the
election.
Nothing in this bill should draw any sort of opposition
other than the fact that it would require the House to subsequently reconsider
their vote on HR 5074, a cumbersome process going into election season. I
suspect that if the Senate were to take up this bill as a stand-alone measure
it would consider the House language under the unanimous consent process.
Commentary
Since the existing response teams from NCCIC are already
included in the DHS funding, there is no real need in either of these bills for
authorization of new funding. It would have been helpful for Congress to
increase the funding so that the activities (and number) of these teams could
be expanded, but that is unlikely in the current spending climate.
Of particular interest is the language specifically authorizing
the use of “cybersecurity specialists from the private sector” {new §148(f)(2)}. This
establishes the Congressional intent that these teams are not an inherently
governmental service. This may have some interesting legal implications further
down the road.
There are two other interesting things missing from this authorization
language (in both bills). First, there is no mention of protections for the
information gathered by the response teams. This means that there is no
specific reason why a Freedom of Information Act request for results of the
investigations of these teams should be denied. This could be a cause for
organizations to not request support from these teams.
The second is the lack of any requirement for these teams to
coordinate their activities with the FBI or some other law enforcement
activity. Nor is there any requirement to preserve forensic evidence during
the investigations conducted by these teams. At some point the government is
going to have to go after the folks conducting these attacks and the
preservation of chain of custody and other legal requirements of preserving evidence
is going to raise its ugly head.