House Panel Passes Bills to Reorganize DHS Cyber Team and Collect Zero-Day Info

House Homeland Security Committee Chairman Rep. Michael McCaul, R-Texas

The bill still faces a gauntlet of jurisdictional disputes before reaching the House floor.

The House Homeland Security Committee forwarded legislation Wednesday to reorganize and clarify the Homeland Security Department’s cybersecurity operations.

The committee also forwarded a bill requiring a DHS report on when and how the government discloses newfound hackable computer vulnerabilities.

Similar legislation to the DHS reorganization was scuttled last year by jurisdictional disputes between various congressional committees that control portions of the department's cyber mission.

The recent House passage of a bill reauthorizing DHS for the first time since its inception might give this bill a better chance at passage, Chairman Michael McCaul, R-Texas, said. There’s no word yet, though, on if and when competing committees, including House Energy and Commerce and Transportation and Infrastructure, will consider the measure.

McCaul said he “look[s] forward to working with the other committees on the way to get this vital legislation … to the floor.”

McCaul sponsored the bill, titled the Cybersecurity and Infrastructure Security Agency Act, along with the committee’s ranking member Bennie Thompson, D-Miss. The bill passed on a voice vote.

Under the bill, DHS’s cyber operations division within the National Protection and Programs Directorate would retain most of its cybersecurity responsibilities, including protecting federal networks and sharing cyber threat information with critical industry sectors such as energy and aviation.

The directorate would be renamed the Cybersecurity and Infrastructure Protection Agency, though, and have a more direct reporting line to the Homeland Security secretary.

The renamed division would have a director who reports to the secretary and a deputy director of cybersecurity and infrastructure security. The agency would also have assistant directors for cybersecurity, infrastructure protection and emergency communications.

“Our cyber rivals are desperately trying to break through our online protections,” McCaul said during the markup. “Similar to how the House came together last week to pass the first ever comprehensive reauthorization of DHS, we must be united, in a bipartisan fashion, and make sure the department has an operational component to protect our federal and civilian networks and strengthen digital America.”

The bill also would require reports on how DHS is maintaining its cybersecurity workforce and how the department might consolidate facilities, personnel and programs to better carry out its cybersecurity responsibilities.

Cyber Vulnerability Report

The committee also forwarded the Cyber Vulnerability Disclosure Reporting Act, sponsored by Rep. Sheila Jackson Lee, D-Texas, which requires a report from the Homeland Security secretary on the government process for disclosing cybersecurity vulnerabilities to industry and the public.

The report, which would be due eight months after the bill’s passage, would also include a description of disclosures made during the prior year and, possibly, a classified annex.

That bill also passed without a recorded vote.

During the Obama administration, the government had a formal, though somewhat opaque, process for coordinating when to disclose and when to hoard newfound digital vulnerabilities. It’s not clear whether the Trump administration is following a similar process, though former officials say it would be counterproductive to hoard significantly more newfound, or “zero day,” vulnerabilities than the Obama administration did.

Former White House Cybersecurity Coordinator Michael Daniel and other officials consistently said the government disclosed more than 90 percent of the vulnerabilities it discovered and prioritized disclosure in cases where consumers were likely to be victimized if someone else discovered the vulnerability.

The vulnerability review process generally pits cyber defenders in DHS and portions of the intelligence agencies that want to make networks as secure as possible against other portions of the intelligence community that use those vulnerabilities to spy on U.S. adversaries.