Murky Waters Begin to Clear: House Moves Cybersecurity Issues Forward

In a previous post (recommended reading for background to this post), we outlined House Homeland Security Chairman Cox’s (R-CA) efforts to add cybersecurity provisions to the Department of Homeland Security Authorization Act. The leading idea was to give cybersecurity more political clout within the department by moving it higher up on the bureaucratic food chain. Another idea was to add research provisions to the act. What was unclear was how this effort would proceed given four different committees claiming responsibility over cybersecurity — normally a recipe for gridlock. In what appears to be a win for the fledgling Homeland Security Committee, the House of Representatives is poised to pass the Department of Homeland Security Authorization with a new “Cybersecurity Czar” and research and development provisions.

This is apparently homeland security week in the House of Representatives as it considers both the Homeland Security Appropriations Act and the Department of Homeland Security Authorization Act. This post covers only the cybersecurity provisions in the authorization bill. Peter at CRA has a great (and distressing) analysis of what happened in the appropriations bill. (For those of you new to authorization versus appropriation, it is a complex topic, but the really rough summary is that an authorization bill authorizes activities, while the appropriation bill actually funds them.)

There are three key cybersecurity provisions in the Department of Homeland Security Authorization Act (.pdf, 2.6 MB). First, as already discussed, it creates an Assistant Secretary for Cybersecurity (pages 12-13 and 51). However, it gives this position much stronger authority than the Homeland Security Committee originally proposed. Instead of vague duties, the Assistant Secretary’s responsibilities are clearly integrated into the existing framework of the Department’s work, including responsibility over the cybersecurity aspects of the following:

  • Critical Infrastructure Risk Assessments, Security Planning, and Needs Analysis
  • Information Underpinning Threat Assessments
  • The Homeland Security Department’s Databases

Second, it creates a new one-year $3.7 million grant program for cybersecurity equipment and training (page 51). This is largely the same provision we described before. The one-year window seems very odd, but you have to start small in this budget environment.

Third, it authorizes $19 million for cybersecurity research and development, including an unspecified amount for “fundamental, long-term research” (page 54). It specifically calls for R&D on the following:

  • Technologies for Detecting Attacks or Intrusions
  • Mitigation and Recovery Methodologies
  • Techniques for Containment and Network Resiliency
  • Tools to Support Cybersecurity Research

Actually funding this program and putting more toward long-term R&D is more important than authorizing it, but again, this is a good start.

This bill will likely pass the House today or tomorrow depending on amendments. After that, its prospects are unclear, as the Senate has said its preference is for a piecemeal approach to reauthorizing the Department. Further, it isn’t entirely clear whether or not the Senate will accomplish much in the foreseeable future.