5 Things You May Have Missed in the Homeland Security Reauthorization Bill

For one, the department will be setting up a bug bounty program.

The Homeland Security Department must launch a program offering cash rewards for hackable computer vulnerabilities discovered by non-government researchers under a reauthorization bill a Senate committee advanced last week.

The program, known as a bug bounty, would be limited to the department’s public-facing apps, websites and web tools, according to an amendment to the reauthorization bill the Senate Homeland Security Committee forwarded March 7.

The amendment, which was adopted on a voice vote, was sponsored by Sen. Maggie Hassan, D-N.H., who also sponsored a standalone version of the bug bounty bill that the committee passed in October.

Bug bounties are increasingly prevalent among major tech firms, such as Google and Microsoft, but are less common in government. The Pentagon, Army and Air Force have all run pilot bug bounties in recent years, but the civilian government has been more wary of the programs.

The amendment provides $250,000 to carry out the bug bounty program and requires a report to Congress six months later about who participated in the program, what they found and how much Homeland Security paid out for vulnerabilities.

The bug bounty provision was not included in a House version of the reauthorization bill, which passed that chamber in December, though a standalone version of the plan was introduced by Rep. Ted Lieu, D-Calif.

Cyber R&D Back to S&T

A separate amendment to the Senate reauthorization bill would return authority for Homeland Security’s cybersecurity research and development programs to the department’s science and technology division.

The Trump administration shifted that responsibility in its most recent budget proposal to the department’s cyber operations agency.

The move followed complaints that the Science and Technology Directorate’s cyber research was not closely aligned enough with the department’s immediate cybersecurity concerns.

The amendment, offered by Sen. Steve Daines, R-Mont., specifies major focus areas for the department’s cyber research, including cyber defense technologies, advanced encryption tools and ways to monitor systems for insider threats.

CISA’s on a Roll

In general, the Senate version of the reauthorization bill, sponsored by Homeland Security Chairman Ron Johnson, R-Wisc., and ranking member Claire McCaskill, D-Mo., wraps in more priorities, while the House version is more pared back.

A proposal to elevate and rename the department’s main cyber division, for example, was included in the Senate legislation but not in the House, where it passed as a standalone bill.

Both the House and Senate versions of that provision would rename the division that’s currently called the National Protection and Programs Directorate, or NPPD, as the Cyber and Infrastructure Security Agency, or CISA.

That agency would have a director who reports directly to the Secretary of Homeland Security and assistant directors for cybersecurity and infrastructure security.

The Senate bill mandates a report from CISA within six months about the most efficient and effective way for the new agency to consolidate its facilities, personnel and programs.

A separate report, due within three months, would focus on how the agency is filling its cyber workforce needs.

The bill also mandates a privacy officer at CISA who’s responsible, among other things, for “ensuring that the use of technologies by the agency sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of personal information.”

If a compromise version of the reauthorization bills becomes law it will mark the first time Homeland Security’s work has been codified in statute since the department was formed in the wake of the Sept. 11 attacks.

Let’s Form a Commission

The Senate version of the reauthorization bill also breaks with its House counterpart by appointing a congressional commission to explore ways to pare back the morass of overlapping congressional committees that Homeland Security agencies must report to.

That complicated oversight structure is largely a result of Homeland Security’s ad hoc composition out of existing divisions and offices moved from other federal agencies.  

Johnson championed the idea of a congressional commission early in the reauthorizing process and the idea was largely supported by Republicans and Democrats on the committee.

As described in the Senate bill, the commission would include six members—three Republicans and three Democrats—who would provide recommendations for reforming the department’s congressional reporting lines within nine months.

The commission would be able to hire staff and consultants and hold hearings with funding provided by Homeland Security. That funding could not exceed $1 million, according to the bill.

Commission members would be appointed two each by the Senate majority and minority leaders and one each by the House majority and minority leaders. All recommendations would require a majority vote of commissioners before being included in the final report.

Cloud Security as a Service

The Senate bill also mandates a report within four months on how Homeland Security is helping other civilian agencies ensure the cybersecurity of their computer cloud-based systems.

That report must include a briefing on the department’s efforts to provide “security operations center as a service” to agencies that lack the resources or expertise to manage their own security operations centers, or SOCs. SOCs are essentially central command centers where an organization evaluates and responds to cyber threats.

A group of technology advisers to the White House urged Homeland Security to consider developing such services in a December report.

The report must also focus on how Homeland Security is helping agencies buy commercial SOC services and how it’s adapting its Continuous Diagnostics and Mitigation program—essentially a suite of cybersecurity services the department provides to other agencies—for the cloud era.

Other provisions in the Senate reauthorization bill would:

  • Order a report within three months on U.S. cooperative efforts with China to combat illegal opioid shipments, including through dark web drug markets.
  • Order a report within four months on results, obstacles and future plans for cybersecurity grant funds provided by the department.
  • Establish a cyber workforce exchange between Homeland Security and the private sector.
  • Require better communication between department divisions about contractors that have been barred or suspended from receiving federal contracts.
  • Urge the department to share as much unclassified cyber threat information as possible with state, local and tribal governments.
  • Require a report within six months on possible dangers of blockchain technology, including the possibility of individuals and nations using Bitcoin and other cryptocurrencies to fund terrorist groups.  
  • Offer cash rewards to Homeland Security employees who report waste, fraud and abuse to government watchdogs.
  • Order a report from the department’s chief human capital officer on possible improvements to a Homeland Security career rotation program that’s meant to help employees broaden their experience and expertise.