The Senate Homeland Security and Governmental Affairs Committee on Wednesday marked up a number of bipartisan bills, including a measure that would authorize a five-year term for the head of the Department of Homeland Security’s agency that is quarterbacking the federal government’s cybersecurity efforts with civilian agencies and the private sector, and create a bureau in the department to collect and analyze cyber incident data.
The Defense of United States Critical Infrastructure Act of 2021 (S. 2491) directs the establishment of a Bureau of Cyber Statistics within DHS that would be headed by a presidentially-appointed director to collect and analyze data on cyber incidents and crimes to “serve as a continuous and comparable national indication of the prevalence, incidents, rates, extent, distribution, and attributes of all relevant cyber incidents, as determined by the Director, in support of national policy and decision making.”
Similar legislation is being considered in the House. During a House Homeland Security Committee hearing on Wednesday to review U.S. cybersecurity, Jen Easterly, director of the DHS Cybersecurity and Infrastructure Security Agency, told the committee she thinks the bureau, if ultimately authorized by Congress, should become part of her agency.
The bill currently calls for the director to report to the Secretary of DHS.
The bill also calls for the CISA director to have a five-year term, which would provide the agency with leadership continuity within or across administrations. The administrator of the DHS Transportation Security Administration also has a five-year term of service.
The infrastructure bill includes a number of legislative recommendations put forth in March 2020 by the Cyberspace Solarium Commission, which included Sen. Angus King (I-Maine) as a co-chair. King introduced the bill in the Senate.
“The Defense of U.S. Infrastructure Act represents a number of national priorities that will help us strengthen our cyber resilience, defend our critical infrastructure, and give our cyber leaders the tools they need to protect our nation before disaster strikes,” King said in a statement.
The bill would also provide hiring authorities for the nation’s first National Cyber Director, Chris Inglis, who testified alongside Easterly and said that he still needs resources from Congress to staff up but expects to have 25 personnel on board by the end of 2021. Inglis also said that he has tapped into a White House fund to obtain a suite within the White House complex for the Office of the National Cyber Director.
“I would emphasize, however, that without appropriations, we remain limited in our ability to hire key staff members, make necessary procurement and acquisitions, and find permanent office space for our future, full complement of staff,” he said in his written statement. “More fundamentally, the lack of appropriations inhibits our ability to plan and delays our ability to quickly and fully realize the role of the NCD.”
Inglis sees his role in part as unifying cybersecurity efforts across DHS. If CISA is the quarterback, Easterly described Inglis as the “coach.”
Other provisions of the bill would require DHS to develop a strategy for National Critical Infrastructure Resilience, establish a cloud-based Joint Collaborative Environment for the sharing and analysis of cyber threat information, establish a National Cybersecurity Certification and Labeling Authority, and require DHS to create criteria to prioritize the most important critical infrastructure for enhanced cybersecurity focus.
Easterly told the House panel that her agency is already examining systemically important critical infrastructure, which she refers to as primary systemically important entities. She said these are entities that have “economic centrality, network centrality and have logical dominance in those national critical functions.”
About 150 to 200 entities will likely be considered systemically important for greater focus, she said.
The committee also approved by voice vote a bill that would establish a National Cyber Exercise Program within CISA. The CISA Cyber Exercise Act (S. 2993) would require CISA to exercise the National Cyber Incident Response Plan and other relevant plans and strategies.