Officials from both agencies told Congress at a joint committee hearing on cyber incident cooperation that the partnership has been fruitful, but budget constraints could require legislation.
The Pentagon and the Department of Homeland Security are teaming up to protect critical infrastructure through information-sharing efforts with the private sector – an effort that is new, promising and underfunded.
Defense Secretary Jim Mattis and DHS Secretary Kirstjen Nielsen recently agreed to a framework for defending the U.S. from cyber threats. Kenneth Rapuano, assistant secretary of Defense for Homeland Defense and Global Security, told lawmakers at a joint hearing Nov. 14 that the joint memorandum "is a major step in fostering closer cooperation and marks a sea change in the level of collaboration between our departments."
In his written testimony, Rapuano said that "DOD and DHS each derive unique insights from our daily activities -- whether from DOD's intelligence collection and cyber operations, or from DHS's cyber operations to protect federal networks and critical infrastructure in partnership with the private sector -- that inform our respective missions."
Rapuano noted that just the day before the hearing, he and DHS officials signed a document chartering the Joint DOD-DHS Cyber Protection and Defense Steering Group. The group, Rapuano said, "will apply senior leadership energy to enhance U.S. Government readiness against cyber threats."
Officials from both agencies told lawmakers at the hearing on cyber incident cooperation that the partnership has been fruitful, but budget constraints could require legislation.
Rep. Cedric Richmond (D-La.), ranking member on the Homeland Security Cybersecurity and Infrastructure Protection Subcommittee, pointed out the budgetary disparity, suggesting that DHS might need more than $1 billion to defend infrastructure, the vast majority of which is privately owned. The Department of Defense cyber budget is north of $8 billion.
Lt. Gen. Bradford Shwedo, Joint Chiefs of Staff command, control, communications and computers (C4) director and CIO, said DOD was considering "the equivalent of a cyber Stafford Act" for emergency and disaster relief to address potential funding issues, but private companies will ultimately have to invest in their own cybersecurity.
"We're very cognizant of how funding in a bunch of different directions could get pretty bad," Shwedo said, but "there is going to be a responsibility for a lot of these companies and others to have their portion of cyber defense. But for them to put their hands up in the air and say they're not going to fund it anymore is also a bill that we could not afford."
"We can do more with more," said Jenette Manfra, the assistant secretary for the Office of Cybersecurity and Communications at DHS, in response to a question about budget constraints.
Manfra said that DHS along with DOD and the FBI have made more progress developing common operating procedures when it comes to defending U.S. interests in cyberspace.
"There are tools that are available to have a common operational picture in terms of incidents that we're going to share. We have to be very precise in terms of what information have the authorities to view," Manfra said.
When it comes to resources, DOD steps in to help DHS when requested and through that agency's authorities. The Defense Department loaned 11 dozen cyber operators to Homeland Security, readying for disruptions aimed at the 2018 midterm elections, Manfra said.
Additionally, DHS and DOD are working together on closing up supply chain vulnerabilities. Manfra said civilian agencies use many of the same companies in the defense industry base, and DHS is coordinating how to implement best practices and information sharing.