Last month the Senate Homeland Security and Governmental Affairs Committee published its report on S 315, the DHS Cyber Hunt and Incident Response Teams Act of 2019. The Committee marked up the bill on February 13th, 2019, adopting substitute language for the bill.
Changes to the Bill
The first change was a rewrite of 6 USC 659(f)(2), expanding on the generic requirement to use ‘robust metrics’ to continually ‘assess and evaluate’ the newly authorized (but long existing, as the ICS-CERT and US-CERT teams) ‘cyber hunt and incident response teams’. The new language is slightly less generic, requiring DHS to ‘define goals and desired outcomes’ and to develop metrics that are ‘quantifiable and actionable’.
The second change was to add a definition sub-paragraph to the congressional reporting requirements of §2(b) of the bill. The bill defines the following terms by reference to the existing definitions from 6 USC 659:
• Center (NCCIC);
• Cyber hunt and incident response team (as added by this bill); and
• Incident
Moving Forward
The bill as amended was approved by the Committee by a voice vote, indicating that there was substantial bipartisan support for the bill. While Sen. Johnson (R,WI) has been loath to act on any cybersecurity bills that call for regulation of industry, there was no objection to this bill as it merely codifies existing NCCIC operations and adds a congressional reporting requirement for those operations. But allowing this bill to move forward out of Committee is not necessarily the same as supporting the bill. Active support by Johnson will now be required to move the bill to the floor of the Senate.
If this bill is considered by the Senate, it will most likely be taken up under the Senate’s unanimous consent process. The problem with that process is that a single voice in the Senate can quash consideration of the bill; that voice would not necessarily be against the language of the bill, but it could be raised in opposition to something else that CISA or DHS is doing that is not under active consideration by the Senate.
The revised language in this bill could also be included in a DHS reauthorization bill of the kind that the House and Senate each periodically intend to pass. The Department has not been reauthorized since it was established; there have been too many controversies to allow a reauthorization bill to make it through the legislative process.
Commentary
The newly added definitions, while not really important, rely on the IT-restrictive definition of ‘information system’ from 6 USC 659(a). I am going to abbreviate my rant on the inadequacies of that definition when considering security of industrial control systems, transportation systems, medical devices, etc., and simply refer the reader to my blog post on legislative cybersecurity definitions.