House Passes HR 4038 – DHS Reorganization

This afternoon the House passed HR 4038, the DHS Accountability Enhancement Act, by a voice vote. There was only six minutes of debate on the bill.

I suspect that the bill will be taken up in the not too distant future in the Senate. It will most likely be considered in that body under their unanimous consent process; less debate and not even the easy formality of the voice vote.

HR 4038 Introduced – DHS Oversight

Last week Rep. McCaul introduced HR 4038, the DHS Accountability Enhancement Act. The bill would remove the limited authority that the DHS Secretary has to reorganize the Department.

The bill would repeal 6 USC 452. That section allows the Secretary to “allocate or reallocate functions among the officers of the Department, and may establish, consolidate, alter, or discontinue organizational units within the Department” within some very specific limitations.

Most of the authority granted by this section was related to the initial organization of the Department when it was formed. The remaining authority requires DHS to provide prior “notice of such action to the appropriate congressional committees, which shall include an explanation of the rationale for the action” {6 USC 452(a)(2)}.

Moving Forward

McCaul is the Chair of the House Homeland Security Committee so this bill will be considered favorably in Committee. The fact that the Ranking Member {Rep. Thompson (D,MS)} would indicate that there will be broad bipartisan support for the bill in Committee and likely on the floor. The Committee hearings are likely to occur next week when the House returns from working in their districts.

Commentary

This bill is almost certainly a response to on-going Department efforts to re-arrange the cybersecurity efforts currently found scattered through the Office of Infrastructure Protection. McCaul has his own cybersecurity re-organization plan (HR 3359) for DHS that was ordered reported favorably by the Homeland Security Committee (report has not yet been published) shortly after it was introduced in July.

A positive slant on this bill would be that McCaul is attempting to avoid having DHS undergo multiple reorganizations when (if) his bill passes. A more negative take on this bill is that McCaul is attempting to stop DHS from undermining his authority as the Chair of the Committee. As with most things in the real world, the real intent probably lies somewhere in between.

Bills Introduced -10-12-17

Yesterday, with only the House in session and preparing to leave for a week working in their districts (fund raising, campaigning and constituent support), there were 49 bills introduced. Remembering that most bills introduced in these situations are proposed to provide talking-points back home (not serious attempts at legislating), there were six bills that may be of interest to readers of this blog:

HR 4036 To amend title 18, United States Code, to provide a defense to prosecution for fraud and related activity in connection with computers for persons defending against unauthorized intrusions into their computers, and for other purposes. Rep. Graves, Tom [R-GA-14]

HR 4038 To amend the Homeland Security Act of 2002 to reassert article I authorities over the Department of Homeland Security, and for other purposes. Rep. McCaul, Michael T. [R-TX-10]

HR 4050 To support research, development, and other activities to develop innovative vehicle technologies, and for other purposes. Rep. Dingell, Debbie [D-MI-12]

HR 4051 To direct the Secretary of Transportation to establish a bollard installation grant program, and for other purposes. Rep. Espaillat, Adriano [D-NY-13]

HR 4053 To amend the Fair Credit Reporting Act to require an independent audit of the cybersecurity practices of certain consumer reporting agencies, and for other purposes. Rep. Fortenberry, Jeff [R-NE-1]

HR 4064 To impose restrictions on the sale of binary explosives, and for other purposes. Rep. Soto, Darren [D-FL-9]

Any changes made to 18 USC 1030 are going to be of potential interest to the cybersecurity research community. This may be an attempt to carve out an exemption for ‘hacking back’. Definitions would be very important here.

It is unusual for a Republican (and a Committee Chair) to introduce a bill reasserting congressional oversight during a Republican administration. I suspect that this may be related to pending changes in the organization of National Protection and Programs Directorate (NPPD), including the move of ICS-CERT to NCCIC.

HR 4050 sounds like a research grant program for automated vehicles. It will be interesting to see if it specifically includes cybersecurity provisions.

Bollards are a common security measure to prevent vehicles from going where they are not wanted. I suspect that HR 4051 is a response to recent vehicle attacks on pedestrians, but definitions matter and this could be used by chemical facilities to fund bollards used to prevent access by vehicle borne explosives. Again, definitions will be critical.

I am certainly not going to expand this blog to include coverage of credit reporting agencies (Brian Krebs has that space covered really well), but the idea of ‘independent cybersecurity audits’, may prove to be an interesting way of regulating cybersecurity.

Congress has mixed success with establishing regulatory schemes for explosives. The ATF has a pretty robust program going, but attempts to get DHS involved in the control of the sale of ammonium nitrate are still stalled since the regulations were authorized in 2007. It will be interesting to see how HR 4064 addresses the situation for binary explosives.