Senate approves Krebs to lead NPPD

After running the operation for almost a year, the temporary head of the National Protection and Programs Directorate is set to be sworn in as the group's official director.

Chris Krebs NPPD undersecretary

Christopher Krebs testifies before a Senate committee in February 2018

He's not sworn in yet, but Christopher Krebs was confirmed by the Senate on June 12 to lead the cybersecurity threat assessment agency at the Department of Homeland Security.

Krebs has effectively been in the top job for a while as the "senior official performing the duties of" the head of the National Protection and Programs Directorate.

At a public event hosted by Cyberscoop and in an interview with FCW, the soon-to-be undersecretary of NPPD outlined his plans for the agency.

Krebs has said his top legislative priority is getting NPPD rebranded as the Cybersecurity and Infrastructure Security Agency. The renaming is still up to Congress, and a plan to redefine the scope and authority of the DHS cybersecurity shop is part of a still pending authorization bill.

He said the agency's immediate steps would be to work with Congress on identifying a transition plan for one of NPPD's components, the Office of Biometric Identity Management, to DHS' management directorate, as well as a recommendation on where the Federal Protective Service would be transferred to from NPPD.

The newly named entity would also embark on a significant rebranding campaign and outreach to industry, Krebs said.

"We're going to kick off a number of initiatives to reassess how we engage stakeholders, how we work with our strategic peers across government agencies," he said.

The NPPD name is dated, he said, having its origins in a 2006-2007 effort to combine a disparate set of agencies with affinities for cyber and physical security under a single entity.

NPPD is currently made up of the Office of Cybersecurity and Communications, the Office of Infrastructure Protection, the Federal Protective Service, the Office of Biometric Identity Management and the Office of Cyber and Infrastructure Analysis.

The newly named organization would also take a more "top-down" approach with its risk management work, emphasizing it from top management rather than through various subcomponents, he said.

In his presentation at the Cyberscoop event, Krebs described watching the confirmation vote on C-SPAN the night before. He joked that his reaction to being confirmed was much like that of the Washington Capitals' hockey team after winning the National Hockey League championship.

The reaction isn't unexpected, as it has been a long time in the making. Krebs has been holding down the fort on a temporary basis for almost a year and was nominated for the permanent position by the Trump administration in November.

While Krebs received high praise from congressional Republicans and Democrats alike, his confirmation was briefly thrown into uncertainty after Sen. Ron Wyden (D-Ore.) placed a hold on his nomination on May 9.

Wyden did so after complaining that DHS was withholding "important information" from the public regarding a February 2018 presentation to executive branch agencies on the results of its pilot program that looked at cellphone tower surveillance activities in the Washington, D.C., region. In April, the Associated Press reported on the discovery of an unknown number of cellphone tracking devices located throughout the district.

Wyden wanted the DHS presentation made public. While that did not happen, subsequent meetings and correspondence between Wyden and Krebs satisfied the Oregon Democrat enough so that he released his hold on the nomination.

In a letter to Wyden, Krebs stated that DHS ran a "limited pilot project" from January 2017 to November 2017 that deployed sensors across the national capital region in order to better identity and understand Stingray surveillance in the area. That program detected "anomalous activity" consistent with Stingray surveillance near sensitive government areas, including the White House. However, he relayed that some of the signals picked up by DHS may not have been coming from Stingrays.

"It is my understanding that relevant law enforcement and counterintelligence agencies conducted further investigation and determined some detected signals were emanating from legitimate cell towers," Krebs wrote.

The number of actual unauthorized Stingray devices currently in use and who they belong to remains a mystery.