DHS May Get Elevated Cybersecurity Component

Will the Department of Homeland Security get its own component dedicated to cybersecurity? If Rep. Michael McCaul (R-Texas) keeps pushing, the answer is likely yes. 

McCaul, chairman of the House Homeland Security Committee, is currently working on a bill that would codify a new component of DHS — on par with the Transportation Security Administration or Immigration and Customs Enforcement — whose sole focus would be cybersecurity. The goal is to make the new component directly answerable to DHS Secretary John Kelly and elevate the mission of cybersecurity, giving it the priority it deserves, according to a Homeland Security Committee aide.

McCaul, peaking on May 24 said at Defense Daily's National Security Forum in Washington, D.C., said that he is about a week away from officially introducing legislation “to reorganize the Department of Homeland Security's efforts into a single cybersecurity agency that will have a mission and a priority that they’ve never really seen before,” according to FCW.

In January, McCaul called for the creation of such a component, and received support from Sen. Sheldon Whitehouse (D-R.I.), the ranking member of the Senate Judiciary Committee’s subcommittee on crime and terrorism, as well as former federal government and current industry technology experts, Federal News Radio reports.

The effort picked up steam in March when Michael Daniel, former cybersecurity coordinator for President Barack Obama and now president of the Cyber Threat Alliance, said that the National Protections and Programs Directorate (NPPD), established in 2007 by DHS, should be taken out of DHS headquarters and made its own agency component. Retired Gen. Keith Alexander, the former head of the National Security Agency and U.S. Cyber Command, said in March that while he agreed with the idea to create a new cyber agency at DHS, lawmakers should go further, Federal News Radio reports.

“I think you need to look at the civilian part of government, look at the IT and cyber. It’s not sufficient. They don’t have the resources. They will never get the people. Consolidate that into a Defense Information Systems Agency-like organization and put that under somebody,” said Alexander, now the president and CEO of IronNet Cybersecurity. “That organization would be responsible for protecting government. DHS would be responsible for protecting DHS and working with the rest of that.”

Creating a New Cybersecurity Agency

Last year, McCaul introduced a bill, H.R. 5390, the Cybersecurity and Infrastructure Protection Agency (CIPA) Act of 2016, which would have renamed the NPPD as the CIPA, an agency headed by a director of national cybersecurity. The bill called for CIPA to be composed of four divisions: the Cybersecurity Division, the Infrastructure Protection Division, the Emergency Communications Division, and the Federal Protective Service.

CIPA would have been required to develop a national risk assessment of cybersecurity and critical infrastructure risks at least every two years in coordination with other DHS components and federal entities. Another requirement would have been to establish an integrated assessment comparing risks and incidents to their relative risks and cascading effects. The Cybersecurity Division would have been mandated to carry out DHS’ federal information security activities; manage the functions of the national cybersecurity and communications integration center (NCCIC); coordinate with nonfederal entities to reduce cybersecurity risks through voluntary partnerships; and conduct network and malicious code analysis.

The committee aide said that the component now being contemplated would not be like DISA, which provides IT services to the Defense Department that are retooled for civilian agencies. Instead, it would be focused largely on what the role of the NPPD is now, which is to lead efforts to protect and enhance the resilience of the nation’s physical and cyber infrastructure.

The new agency would have an operationally focused cybersecurity mission, a large IT mission, manage the NCCIC and U.S. Computer Emergency Readiness Team, and work on a voluntary basis with the private sector to protect critical infrastructure.

“I think that enhancing the capability of DHS is one of my important missions through my oversight responsibilities,” McCaul said. “I think they have gotten a lot better in the 12 years I've been in office, but they could be better than they are.

“So we want to build up their capabilities, we want to build up their relationship with the private sector and really make this a team effort,” he said.

Overall, the committee aide said, the goal of the legislation is to make sure that, both internally at DHS and across the government and private sector, DHS’ cybersecurity mission and responsibilities are known and continue to be respected.

McCaul is still holding discussions with the Trump administration and DHS about the bill, according to the committee aide.  

Meanwhile, DHS has started an internal effort to explore its current cybersecurity set of capabilities and what it will need in the future, according to Federal News Radio. “No decisions are being made,” Jeanette Manfra, the acting deputy undersecretary of cybersecurity at DHS, said at the CTIA Cybersecurity Summit on April 27. “But at this point, we are doing an assessment. We want to partner with industry and, in a lot of ways, we want to push the boundaries in how we partner with industry.”

For more on federal cybersecurity efforts, visit fedtechmag.com/security. 

This content is made possible by FedTech. The editorial staff of Nextgov was not involved in its preparation.