Showing posts with label Congressional Oversight.

Thursday, October 7, 2021

A Cybersecurity Committee?

There is an interesting article over on TheHill.com about establishing standalone cybersecurity committees in both the House and Senate. The people arguing for the idea are concerned that the oversight and legislative authority for cybersecurity is spread out across too many committees to be effective. This is certainly an interesting proposal and worthy of discussion, but the arguments discussed in the article are a bit simplistic.

Select Committee

Most of the discussion in the article dealt with the possibility of establishing a ‘Select Committee’ on cybersecurity. Technically, a ‘select committee’ is a temporary committee established to look at a particular problem or issue, come up with a comprehensive report or legislative proposal, and then dissolve. A good current example is the House Select Committee to Investigate the January 6th Attack on the United States Capitol.

There are two prominent examples of select committees that have become de facto permanent or standing committees; the Senate Select Committee on Intelligence and the House Permanent Select Committee on Intelligence. These are two of the busiest committees in Congress because of their very active oversight of the intelligence community.

I suspect that Sen King (I,ME) and Rep Katko (R,NY) have the intelligence committee model in mind when they talk about forming a Select Committee on Cybersecurity. Both Committees have a high degree of autonomy, but they do have shared oversight responsibility over intelligence matters and spending authority with the respective armed services, homeland security and energy committees.

A big reason for the strength of the two Intelligence Committees is that much of what they do is classified and not subject to public scrutiny or debate. Additionally, most of the impact of what they oversee is not directly felt within the boundaries of the United States; their focus is extraterritorial, which further limits the public interest in what those committees do.

Standing Up New Committee

Starting a new committee in either house of Congress is a major political undertaking. Every facet of the operation of the Federal government is overseen by one or more committees. This provides each committee member, and more emphatically the chair of the committee, with a large measure of influence and power over the agencies which they oversee. Very few politicians, of either party, will willingly give up that power.

We saw this when the House stood up the Homeland Security Committee. While the Committee was given oversight responsibility for the Department of Homeland Security, the Committees that previously had oversight responsibility for agencies that were moved into DHS effectively retained oversight for those agencies. Even when new programs were stood up after DHS was established, other committees fought for and were given some limited oversight responsibility for those new programs. In the case of the CFATS program, for example, the House Energy and Commerce Committee has shared responsibility for that program. Historically, the biggest impediment to passing CFATS legislation has been the conflict between these two House committees.

Shared Responsibilities

The problems of standing up a cybersecurity committee will be as complicated as those of starting the Homeland Security Committee. Nearly every committee in Congress has some sort of interest in cybersecurity, either in the agencies they oversee or in the parts of the economy that they regulate, and, in most cases, both. The committees with major cybersecurity interests include:

• Homeland Security,
• Armed Services,
• Energy and Commerce,
• Financial Services,
• Judiciary,
• Science, Space, and Technology,
• Small Business,
• Transportation and Infrastructure, and
• Intelligence.

Wresting the oversight and legislative power from those committees to stand up a new Cybersecurity Committee will be a Sisyphean task. Even if the new Committee gets primary oversight responsibility, bits and pieces of that oversight will be retained by the original committees. To get anything significant accomplished, the two committee chairs will have to work out compromise arrangements on every piece of legislation considered.

In short, while this may be a solution worth trying, expecting it to solve the complex power-sharing problems in Congress and ease the problems of moving legislation forward is not reasonable.

Monday, June 12, 2017

HR 2825 Introduced – FY 2018 DHS Authorization

Last week Rep. McCaul (R,TX) introduced HR 2825, the Department of Homeland Security (DHS) Authorization Act of 2017. While the original title of the bill seemed to imply that it was a technical corrections act, this would actually be (if it is passed) the first authorization bill for DHS since it was introduced in 2002.

As introduced, this bill would have minimal effect on the chemical security, transportation security or cybersecurity functions of the department. There are only three provisions of the bill that may be of specific interest to readers of this blog:

Sec 3 – Definition of congressional homeland security committees;
Sec 117 – Research and development and CBRNE organizational review; and
Sec 108 – Office of Strategy, Policy, And Plans.

Congressional Oversight


It looks like §3 is an attempt to consolidate the congressional oversight of DHS to four committees by specifically identifying only those committees in the definition of the term “congressional homeland security committees”. Those four committees are:

• House Homeland Security Committee;
• House Appropriations Committee;
• Senate Homeland Security and Governmental Affairs Committee; and
• Senate Appropriations Committee.

This will almost certainly not directly affect the rules of the House that provide for congressional oversight activities, but it does serve to restrict reporting requirements outlined in this bill.

Interestingly, this bill was only assigned to the House Homeland Security Committee for review instead of the nine committees (for instance) to which HR 6381 (last session’s late-entry attempt at a DHS authorization bill) was assigned. It will be interesting to see if this bill gets to the floor without being considered by any other House Committee.

Chemical Security


Section 117 provides for a formal review of research activities of the Department, mainly those being conducted by the Science and Technology (S&T) Directorate. The Department would be required to report to the four committees on that review.

Additionally, paragraph (b) of that section would require DHS to undertake a review of the Department’s “chemical, biological, radiological, nuclear, and explosives activities” {§117(b)(1)} with the intent to develop “organizational structure to ensure enhanced coordination and provide strengthened chemical, biological, radiological, nuclear, and explosives capabilities in support of homeland security” {§117(b)(1)}.

This could potentially affect to whom the Department’s Infrastructure Security Compliance Division (ISCD) (the CFATS people) reports. It would probably not have much actual effect on the operation of that organization.

DHS Organization


Section 108 addresses some of the high-level organization changes of the Department that McCaul has been calling for for a couple of years. However, instead of specifically calling for a separate cybersecurity element, it outlines the apportionment of the political appointees within the Department. The positions of particular interest to readers of this blog would include:

• Administrator, Transportation Security Administration;
• Assistant Secretary, Infrastructure Protection;
• Assistant Secretary, Office of Cybersecurity and Communications;
• Assistant Secretary for Threat Protection and Security Policy; and
• Assistant Secretary for Cyber, Infrastructure, and Resilience Policy.

The TSA Administrator would be appointed by the President with the ‘advice and consent’ of the Senate. The IP Assistant Secretary would not require Senate approval, and the remainder would be appointed by the DHS Secretary.

No details are given in the bill for their duties or the organizations which they would oversee.

Moving Forward


McCaul is Chair of the House Homeland Security Committee, so this bill will obviously move forward there. In fact, it is slated to be considered in a full committee markup on Wednesday. Interestingly, the Ranking Member is not a cosponsor of this bill, an unusual move on McCaul’s part. It will be interesting to see how much bipartisan support this bill receives in Committee.

The only problem that I see with this bill moving forward is that it would seem to trample on the political prerogatives of a number of Committee Chairs. That would normally doom this bill to languish after the Homeland Security Committee favorably reported it. This problem will become even worse when the House Homeland Security Committee takes up the bill on Wednesday. The Committee will consider substitute language that will specifically address a number of areas dealing with both TSA and the Coast Guard which would normally have to be considered by the Transportation and Infrastructure Committee.


McCaul has either worked out this change in Congressional Oversight with the House Leadership (a major undertaking that he and his predecessor have been trying to achieve for well over ten years now), or he is trying to pull a fast one. Hopefully it is the former. If it is the latter, this bill will never make it to the floor and he will have poisoned the well of cooperation for any future projects.

Friday, December 30, 2011

Another Look at ISCD Problems – Who Misled Who?

There is an interesting piece over at CEN.ACS.org about the recent news that there are problems at ISCD. Since the author, Glenn Hess, has not seen the actual DHS report that started this discussion (nor apparently has anyone outside of Fox News and NPPD), the news focuses on the response of Sen. Collins (R,ME) and Bill Almond, a VP at SOCMA, both of whom have been vocal supporters of the current CFATS structure.

Congressional Oversight


Not surprisingly, Sen. Collins is upset that DHS “mislead Congress about the effectiveness” of the CFATS program. Now I don’t know what information DHS provided to Congress in private, but I have watched most of the public testimony before the three respective committees looking at CFATS, and any member of Congress that was misled by Under Secretary Beers’ testimony just wasn’t paying much attention.

For almost the last two years now Beers has dutifully reported the painfully slow progress in proceeding with the completion of the site security plan review and approval process. Rather than questioning him in detail about the problems at ISCD, almost all of the Congresscritters involved in multiple hearings have focused their questions on the IST debate. Political critters from both sides of the aisle have patiently and persistently tried to get him to make one statement or another in support of their pet stance on that issue. IST, pro and con, has been the focus of Congressional oversight, not the performance of ISCD and progress of CFATS implementation.

For instance, the article quotes Collins as saying that the report “contradict the official testimony of department officials”. She was referring to the March 2010 hearing where Beers told the Committee that ISCD had started the pre-approval inspection process. What no one on the Committee considered asking was why DHS found it necessary to add a ‘pre-approval’ inspection process that was never explicated in the original regulations. The answer to that question (that had been provided to industry in multiple forums) would have nearly completely explained the continued slow pace of site security plan approvals today.

If one were to look back at the first couple of rounds of CFATS hearings that Beers testified at, he always had Director Sue Armstrong at his side. As one would expect from one in Beers’ position as Under Secretary for the National Protection & Programs Directorate, he would answer the questions dealing with overall policy and the grand sweep of the program. When questions were asked about the details of the operation of the program, he would let Armstrong provide the answers.

Lately, however, he has been a solo act. His role as explicator of the grand strategy has not changed. But the usefulness of his testimony without the active support of a knowledgeable ISCD Director at his side has been limited. Fortunately for him (in the short run), Congress did not notice because they were more interested in political theater than in overseeing the chemical security program that they handicapped in the first place.

Lack of Leadership


The Chemical Engineering News article notes a couple of interesting points by Bill Almond. He noted that the arrival of the Obama Administration initiated a lot of management turnover in NPPD in general and ISCD in particular. While this type of problem affected large portions of the Executive Branch, it was particularly devastating at a small, underfunded and understaffed agency like ISCD that was trying to put together a completely new and innovative regulatory program.

I am surprised that Bill did not take his argument one step further. One of the reasons that DHS had problems finding qualified people to take the slots that kept coming open was that Congress could not find a way to reach a consensus on how to make this critical security program a permanent part of DHS. Imagine how hard it must have been to attract up-and-coming managers to a program that could die at the end of the fiscal year just because of Congressional inaction. This is yet another reason SOCMA and other industry organizations could use to support their demand for a long-term authorization of the current CFATS program.

Added to that, there was the continued in-fighting within the Administration about how important sub-programs (like the CFATS personnel surety program, the ammonium nitrate security program, and the MTSA harmonization program) would be implemented. Drafts of the ammonium nitrate security program rule were circulated within the Administration for almost three years before the NPRM was introduced this fall.

It was little wonder that there was a lack of effective leadership at ISCD to handle the inevitable problems that would arise with implementing a new regulatory program.

Moving Forward


As a true believer, I am saddened to see the problems that ISCD has been having with the completion of the implementation of the CFATS program. It is somewhat encouraging to hear that they have looked at the problems and come up with an extensive program to correct their shortcomings. I would be more encouraged, perhaps, if there were a more public discussion of the details in the report.

I suspect that the appropriate place for that discussion will be before the three congressional committees that have been ‘exercising’ such poor oversight of the program in the first place. That doesn’t provide me with much hope, however. This coming year (just a couple of days away now) is an election year, and that will encourage more political theater, not less.
 