[Senate Report 113-240] [From the U.S. Government Publishing Office] 113th Congress 2d Session SENATE Report 113-240 _______________________________________________________________________ Calendar No. 526 NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER ACT OF 2014 __________ R E P O R T of the COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS UNITED STATES SENATE to accompany S. 2519 TO CODIFY AN EXISTING OPERATIONS CENTER FOR CYBERSECURITYJuly 31, 2014.--Ordered to be printed COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS THOMAS R. CARPER, Delaware, Chairman CARL LEVIN, Michigan TOM COBURN, Oklahoma MARK L. PRYOR, Arkansas JOHN McCAIN, Arizona MARY L. LANDRIEU, Louisiana RON JOHNSON, Wisconsin CLAIRE McCASKILL, Missouri ROB PORTMAN, Ohio JON TESTER, Montana RAND PAUL, Kentucky MARK BEGICH, Alaska MICHAEL B. ENZI, Wyoming TAMMY BALDWIN, Wisconsin KELLY AYOTTE, New Hampshire HEIDI HEITKAMP, North Dakota Gabrielle A. Batkin, Staff Director John P. Kilvington, Deputy Staff Director Mary Beth Schultz, Chief Counsel Stephen R. Vina, Chief Counsel for Homeland Security Matthew R. Grote, Senior Professional Staff Member Keith B. Ashdown, Minority Staff Director Christopher J. Barkley, Minority Deputy Staff Director Andrew C. Dockham, Minority Chief Counsel Daniel P. Lips, Minority Director of Homeland Security William H.W. McKenna, Minority Investigative Counsel Laura W. Kilbride, Chief Clerk Calendar No. 526 113th Congress SENATE Report 2d Session 113-240 ====================================================================== NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER ACT OF 2014 _______ July 31, 2014.--Ordered to be printed _______ Mr. Carper, from the Committee on Homeland Security and Governmental Affairs, submitted the following R E P O R T [To accompany S. 2519] The Committee on Homeland Security and Governmental Affairs, to which was referred the bill (S. 2519), to codify an existing operations center for cybersecurity, having considered the same, reports favorably thereon with an amendment and recommends that the bill, as amended, do pass. CONTENTS Page I. Purpose and Summary..............................................1 II. Background and Need for the Legislation..........................1 III. Legislative History..............................................5 IV. Section-by-Section Analysis......................................5 V. Evaluation of Regulatory Impact..................................6 VI. Congressional Budget Office Cost Estimate........................7 VII. Changes in Existing Law Made by the Bill, as Reported............7 I. Purpose and Summary S. 2519, the National Cybersecurity and Communications Integration Center Act of 2014, seeks to codify the Department of Homeland Security's existing cybersecurity and communications operations center, known as the National Cybersecurity and Communications Integration Center (NCCIC). Codification would enable DHS to execute its cyber mission more effectively and efficiently. II. Background and the Need for Legislation The United States faces a variety and growing set of sophisticated threats in cyberspace. Cyber criminals, for example, routinely steal personal identifiable information, as well as trade secrets and financial information from private sector and government networks, resulting in the loss of intellectual property and billions of dollars. For example, a recent indictment brought by the United States Department of Justice of six members of the People's Liberation Army (``PLA''), the military of the People's Republic of China, alleges several cyber attacks through which the defendants stole various trade secrets.\1\ One report credibly estimates the likely annual cost to the global economy from cybercrime at more than $400 billion a year.\2\ Retired General Keith Alexander, the former Director of the National Security Agency and Commander of U.S. Cyber Command, observed that cyber criminals ``are exploiting these targets on a scale amounting to the greatest unwilling transfer of wealth in history.''\3\ --------------------------------------------------------------------------- \1\United States of America v. Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, Gu Chunhui, http://www.justice.gov/iso/opa/resources/ 5122014519132358461949.pdf. \2\McAfee--Intel Security and Center for Strategic and International Studies, ``Net Losses: Estimating the Global Cost of Cybercrime'' at page 2. (June 2014) http://www.mcafee.com/us/ resources/reports/rp-economic-impact-cybercrime2.pdf (last viewed July 17, 2014). \3\Hearing to Receive Testimony on U.S. Strategic Command and U.S. Cyber Command in Review of the Defense Authorization Request for Fiscal Year 2014 and Future Years Defense Programs, Hearing before the U.S. Senate Committee on Armed Services, Written Statement of General Keith B. Alexander, Commander, U.S. Cyber Command (Mar. 12, 2013). --------------------------------------------------------------------------- Some actors in cyberspace seek to disrupt or destroy computer systems, including those that control some of our nation's critical infrastructure--the systems that deliver power and water to our homes, our energy pipelines, our nuclear plants and our telecommunications systems. Cyber attacks on critical infrastructure could potentially lead to massive disruptions, catastrophic economic damage, and, in worst case scenarios, the loss of human life. In Saudi Arabia, for example, a cyber attack against Saudi Aramco, one of the world's largest oil companies, damaged 30,000 computers on the company's network.\4\ To date, there has been no similarly damaging cyber attack with physical effects to critical infrastructure in the United States. However, in 2013, major financial institutions were targeted by repeated ``denial-of- service'' cyber attacks, which attempted to disrupt the performance of company websites by flooding them with internet traffic.\5\ Energy and utility companies in the United States have also reportedly been the targets of cyber attacks. For example, DHS has reported a widespread, organized intrusion campaign across the U.S. oil and natural gas sector.\6\ While no physical damage was reported, once a malicious actor gains access to a target network, it is not technically difficult to cause disruptions or damage. --------------------------------------------------------------------------- \4\See Worldwide Threat Assessment of the US Intelligence Community, Hearing before the House Permanent Select Committee on Intelligence, Written Statement of James R. Clapper, Director of National Intelligence (April 11, 2013). \5\Id. \6\See ICS-CERT, ICS-CERT Monthly Monitor, Department of Homeland Security (April 2012) (online at http://ics-cert.us-cert.gov/monitors). --------------------------------------------------------------------------- The United States has also seen widespread targeting of, theft, and disruption of information stored on the federal government's own networks, where sensitive information, including information related to the operations of critical infrastructure, is at risk of disclosure.\7\ For example, the Nuclear Regulatory Commission stored sensitive cybersecurity details for nuclear facilities on an unprotected shared drive, making them more vulnerable to malicious cyber actors.\8\ In 2011, the Thrift Savings Plan (TSP), the retirement savings and investment plan used by millions of federal employees and members of the uniformed services, suffered a data security breach, allowing unauthorized access to the personal information of approximately 123,000 TSP participants.\9\ And, in 2013, malicious actors broke into the computer network at the Department of Energy's Washington headquarters and compromised the personal information of hundreds of employees.\10\ --------------------------------------------------------------------------- \7\See ``The Federal Government's Track Record on Cybersecurity and Critical Infrastructure,'' Minority Staff Report, U.S. Senate Homeland Security and Governmental Affairs Committee, Sen. Tom Coburn, February 4, 2014. \8\See Nuclear Regulatory Commission, Office of the Inspector General, ``Audit of NRC's Shared ``S'' Drive,'' (July 27, 2011). \9\See Federal Retirement Thrift Investment Board, Press Release, ``Federal Retirement Thrift Investment Board Reports a Cyber Attack on a Contractor Potentially Affecting TSP Participants'' (May 25, 2012) https://www.tsp.gov/PDF/formspubs/Press.Release.2012-05-25.Cyber.pdf (last accessed July 20, 2014). \10\See Department of Energy, Office of the Inspector General, The Department of Energy's July 2013 Cyber Security Breach, DOE/IG-0900 (Washington, D.C.: Dec. 6, 2013). http:// energy.gov/sites/prod/files/2013/12/f5/IG-0900.pdf (last accessed July 20, 2014). --------------------------------------------------------------------------- One of the tactics to mitigate the threat of cyber attacks against government networks and the private sector is for the government and private sector partners to share information about cyber security threats, including information about threat signatures, system vulnerabilities, and actions that can be taken to defend networks from attacks. Other tactics include analyzing threat and vulnerability information, and providing technical assistance to industry and other partners. Within the federal government, the Department of Homeland Security (``DHS'' or ``the Department'') is responsible for working with the private sector to help protect the nation's critical infrastructure from physical and cyber threats and overseeing the protection of the .gov domain. At the center of DHS' cybersecurity and communications mission is the National Cybersecurity and Communications Integration Center (NCCIC). The NCICC is a round-the-clock information sharing, analysis, and incident response center where government, private sector, and international partners work together on cybersecurity matters. The NCCIC has four components: the United States Computer Emergency Readiness Team (US-CERT), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the National Coordinating Center for Telecommunications (NCC), and Operations Integration. Among its various functions, the NCCIC: analyzes cybersecurity and communications threats and vulnerabilities and coordinates findings with partners to manage risks to critical systems; creates shared situational awareness among public sector, private sector, and international partners by collaboratively developing and sharing timely and actionable cybersecurity and communications information; and responds to cybersecurity and communications incidents and events to mitigate harmful activity, manage crisis situations, and support recovery efforts. In fiscal year 2013 alone, the NCCIC responded to more than 228,000 incident reports from a variety of stakeholders, ranging from minor compromises of personal information to mass data thefts.\11\ The NCCIC also released over 11,000 cyber alerts to industry, federal agencies and other partners in fiscal year 2013, and more than 5,000 organizations have used the NCCIC's tools to perform self-assessments to identify their own vulnerabilities. \12\ In 2013, NCCIC's ICS-CERT, conducted 76 onsite assessments across critical infrastructure sectors.\13\ During the first nine months of Fiscal Year 2014, the NCCIC has received 508,000 reports of incidents, detected over 46,599 vulnerabilities, issued over 9,001 actionable cyber-alerts, and had over 256,003 partners subscribe to its cyber threat warning sharing initiative.\14\ --------------------------------------------------------------------------- \11\Department of Homeland Security, NCCIC Weekly Cyber Analytics Report, Week ending 14 June 2014 (on file with Committee staff). \12\Id. \13\Department of Homeland Security, ICS-CERT, Year in Review (2013), page 16, https://ics-cert.us-cert.gov/sites/default/files/ documents/Year_In_Review_FY2013_Final.pdf (last viewed July 17, 2014). \14\Department of Homeland Security, email correspondence to Homeland Security and Government Affairs Committee Staff (July 22, 2014) (on file with Committee). --------------------------------------------------------------------------- Indeed, the NCCIC has played a major role in addressing a variety of cyber attacks on government and industry networks. For example, less than 24 hours after the NCCIC learned about the ``Heartbleed'' vulnerability--a weakness in the widely-used OpenSSL encryption software that protects the electronic traffic across much of the internet--the Center released an alert and posted mitigation information on the US-CERT website.\15\ During the ``denial of service'' attacks on U.S. banks in 2012 and 2013 and periodically in 2014, NCCIC's US- CERT provided technical data and assistance to the banks, including identifying 600,000 distributed ``denial of service'' related internet protocol addresses.\16\ --------------------------------------------------------------------------- \15\Id. \16\Id. --------------------------------------------------------------------------- Industry representatives from several sectors of the economy sit on the NCCIC floor. In testimony before the Committee, a representative from the financial industry praised the NCCIC: ``[o]ur presence [there] has enhanced situational awareness and information sharing between the financial services sector and the government with numerous examples of success.'' The witness further stated that the Financial Services Sector Coordinating Council--the entity that coordinates critical infrastructure and homeland security activities in the financial services industry--``supports formalization of the NCCIC through legislation.''\17\ --------------------------------------------------------------------------- \17\Strengthening Public-Private Partnerships to Reduce Cyber Risks to Our Nation's Critical Infrastructure, Hearing before the U.S. Senate Committee on Homeland Security and Governmental Affairs, Testimony of Doug Johnson, On behalf of the Financial Services Sector Coordinating Council (Mar. 26, 2014). --------------------------------------------------------------------------- The NCCIC currently operates under the Homeland Security Act's general infrastructure protection authorities.\18\ S. 2519 seeks to clarify those general existing authorities and to explicitly authorize the existing cybersecurity center within the Department of Homeland Security, so that the Center can continue its important work in serving as a federal civilian information sharing center for cybersecurity. The bill would also codify several other existing Center responsibilities, including authorizing the Center to: (1) provide shared situational awareness to enable quick and coordinated operational actions across the Federal Government; (2) share cybersecurity information and analysis by and among Federal, state, and local government entities and private sector entities; (3) coordinate cybersecurity information sharing throughout the Federal Government; (4) conduct analysis of cybersecurity risks and incidents; (5) provide incident response and technical assistance to federal and non-federal entities; and (6) recommend security and resilience measures to enhance cybersecurity. The bill would continue to allow personnel from Federal agencies, state and local governments, and the private sector to serve at the Center at the discretion of the Under Secretary of the National Protection and Programs Directorate. --------------------------------------------------------------------------- \18\See generally, 6 U.S.C. Sec. 121; 6 U.S.C. Sec. 124a; 6 U.S.C. Sec. 143. See also 44 U.S.C. Sec. 3546. --------------------------------------------------------------------------- III. Legislative History Chairman Carper and Ranking Member Coburn introduced S. 2519 on June 24, 2014. The bill was referred to the Committee on Homeland Security and Governmental Affairs. The Committee considered S. 2519 at a business meeting on June 25, 2014. Senator Johnson offered one amendment, clarifying that S. 2519 does not grant the Secretary of Homeland Security any new authority to promulgate regulations or set standards relating to the cybersecurity of private sector critical infrastructure. The Committee adopted the amendment and then ordered the bill, as amended, reported favorably, both by voice vote. Senators present for both the vote on the amendment and the vote on the bill were Senators Carper, Levin, Pryor, Landrieu, McCaskill, Tester, Heitkamp, Coburn, McCain, Johnson, and Portman. Senators Levin and Tester asked to be recorded as voting no on the amendment. IV. Section-by-Section Analysis of the Bill, as Reported Section 1. Short title. The short title of the bill is the ``National Cybersecurity and Communications Integration Center Act of 2014''. Section 2. National Cybersecurity and Communications Integration Center Subsection 2(a) of S. 2519 would amend Subtitle A of title II of the Homeland Security Act of 2002 (P.L. 107-296) to add new section--``210G. Operations Center.'' Subsection 210G(a) of the Homeland Security Act would establish an operations center within the Department of Homeland Security, which may carry out the responsibilities of the Under Secretary appointed under section 103(a)(1)(H) of the Homeland Security Act of 2002 (P.L. 107-296) responsible for security and resilience (currently named the Under Secretary for the National Protection and Programs Directorate). The responsibilities of the operations center would include: serving as a Federal civilian information sharing hub for cybersecurity; providing shared situational awareness to enable real-time operations; sharing cybersecurity threat, vulnerability, impact and incident information and analysis by and among Federal, State, and local government entities and private sectors; coordinating cybersecurity information sharing throughout the Federal government; conducting analysis of cybersecurity risks and incidents; providing technical assistance to Federal and non-Federal entities, upon request, with respect to threats, attribution, vulnerability mitigation, and incident response and remediation; and providing recommendations on security and resilience. Subsection (b) of the new section of the Homeland Security Act would direct that the center is to be composed, at the discretion of the Under Secretary responsible for overseeing critical infrastructure protection and cybersecurity (see subsection (e)), of personnel from Federal agencies, including civilian and law enforcement agencies and the intelligence community, and representatives from state and local governments and other non-Federal entities, including representatives from information sharing and analysis organizations and private sector owners and operators of critical infrastructure. Subsection (c) of the new section of the Homeland Security Act would require the Secretary to submit an annual report one year after the date of enactment of the S. 2519 and for each of the next three years thereafter. The subsection requires the report to include an analysis of the performance of the operations center in carrying out the functions under subsection (a); information on the composition of the center; and information on the policies and procedures established by the center to safeguard privacy and civil liberties. Subsection (d) of the new section of the Homeland Security Act would require the Government Accountability Office to report to Congress one year after the date of enactment of S. 2519 on the effectiveness of the operations center. Subsection (e) of the new section of the Homeland Security Act would make clear that it is within the discretion of the Under Secretary whether to include in the center, or provide information and assistance to, governmental or private entities. It also emphasizes that the fact that one private or governmental entity was included in the center or received information or assistance from it does not entitle any other private or governmental entity to such inclusion, information or assistance. Subsection 2(b) of S. 2519 would amend the table of contents of the Homeland Security Act to reflect the inclusion in the Act of the new section related to the operations center. Section 3. Rule of construction Subsection (a) would provide the term ``critical infrastructure'' the meaning given under section 2 of the Homeland Security Act of 2002. Subsection (b) provides that S. 2519 does not grant the Secretary of Homeland Security any new authority to promulgate regulations or set standards relating to the cybersecurity of private sector critical infrastructure. Under this subsection, the Secretary retains pre-existing authority to issue regulations or standards relating to the cybersecurity of private sector critical infrastructure. V. Evaluation of Regulatory Impact Pursuant to the requirements of paragraph 11(b) of rule XXVI of the Standing Rules of the Senate, the Committee has considered the regulatory impact of this bill and determined that the bill will have no regulatory impact within the meaning of the rules. The Committee agrees with the Congressional Budget Office's statement that the bill contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act (UMRA) and would impose no costs on state, local, or tribal governments. VI. Congressional Budget Office Cost Estimate July 25, 2014. Hon. Tom Carper, Chairman, Committee on Homeland Security and Governmental Affairs, U.S. Senate, Washington, DC. Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for S. 2519, the National Cybersecurity and Communications Integration Center Act of 2014. If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Jason Wheelock. Sincerely, Douglas W. Elmendorf. Enclosure. S. 2519--National Cybersecurity and Communications Integration Center Act of 2014 S. 2519 would codify in statute the existence of the National Cybersecurity and Communications Integration Center (NCCIC) of the Department of Homeland Security (DHS). The NCCIC, which was established in 2009, is located in the National Protection and Programs Directorate of DHS and is funded by appropriations provided to the Infrastructure Protection and Information Security appropriation account. So far in 2014 that account has received approximately $1.2 billion, of which almost $800 million is for cybersecurity programs. S. 2519 would codify NCCIC's current role in protecting federal civilian agencies in cyberspace, sharing information on cybersecurity threats with DHS partners, and analyzing cybersecurity risks and incidents. CBO estimates that implementing the legislation would not result in a significant cost. Enacting S. 2519 would not affect direct spending or revenues; therefore, pay-as-you-go procedures do not apply. S. 2519 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act and would impose no costs on state, local, or tribal governments. The CBO staff contact for this estimate is Jason Wheelock. The estimate was approved by Theresa Gullo, Deputy Assistant Director for Budget Analysis. VII. Changes in Existing Law Made by the Bill, as Reported In compliance with paragraph 12 of rule XXVI of the Standing Rules of the Senate, changes in existing law made by S. 2519 as reported are shown as follows (existing law proposed to be omitted is enclosed in brackets, new matter is printed in italic, and existing law in which no change is proposed is shown in roman): HOMELAND SECURITY ACT OF 2002 SECTION 1. SHORT TITLE; TABLE OF CONTENTS. (a) * * * (b) Table of Contents.--The table of contents for this Act is as follows: * * * * * * * TITLE II--INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION * * * * * * * Subtitle A--Information and Analysis and Infrastructure Protection; Access to Information Sec. 201. Information and Analysis and Infrastructure Protection * * * * * * * Sec. 210G. Operations Center * * * * * * * TITLE II--INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION * * * * * * * Subtitle A--Information and Analysis and Infrastructure Protection; Access to Information * * * * * * * SEC. 210G. OPERATIONS CENTER. (a) Functions.--There is in the Department an operations center, which may carry out the responsibilities of the Under Secretary appointed under section 103(a)(1)(H) with respect to security and resilience, including by-- (1) serving as a Federal civilian information sharing interface for cybersecurity; (2) providing shared situational awareness to enable real-time, integrated, and operational actions across the Federal Government; (3) sharing cybersecurity threat, vulnerability, impact, and incident information and analysis by and among Federal, State, and local government entities and private sector entities; (4) coordinating cybersecurity information sharing throughout the Federal Government; (5) conducting analysis of cybersecurity risks and incidents; (6) upon request, providing timely technical assistance to Federal and non-Federal entities with respect to cybersecurity threats and attribution, vulnerability mitigation, and incident response and remediation; and (7) providing recommendations on security and resilience measures to Federal and non-Federal entities. (b) Composition.--The operations center shall be composed of-- (1) personnel or other representatives of Federal agencies, including civilian and law enforcement agencies and elements of the intelligence community, as such term is defined under section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4)); and (2) representatives from State and local governments and other non-Federal entities, including-- (A) representatives from information sharing and analysis organizations; and (B) private sector owners and operators of critical information systems. (c) Annual Report.--Not later than 1 year after the date of enactment of the National Cybersecurity and Communications Integration Center Act of 2014, and every year thereafter for 3 years, the Secretary shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the operations center, which shall include-- (1) an analysis of the performance of the operations center in carrying out the functions under subsection (a); (2) information on the composition of the center, including-- (A) the number of representatives from non- Federal entities that are participating in the operations center, including the number of representatives from States, nonprofit organizations, and private sector entities, respectively; and (B) the number of requests from non-Federal entities to participate in the operations center and the response to such requests, including-- (i) the average length of time to fulfill such identified requests by the Federal agency responsible for fulfilling such requests; and (ii) a description of any obstacles or challenges to fulfilling such requests; and (3) the policies and procedures established by the operations center to safeguard privacy and civil liberties. (d) GAO Report.--Not later than 1 year after the date of enactment of the National Cybersecurity and Communications Integration Center Act of 2014, the Comptroller General of the United States shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the effectiveness of the operations center. (e) No Right or Benefit.--The provision of assistance or information to, and inclusion in the operations center of, governmental or private entities under this section shall be at the discretion of the Under Secretary appointed under section 103(a)(1)(H). The provision of certain assistance or information to, or inclusion in the operations center of, one governmental or private entity pursuant to this section shall not create a right or benefit, substantive or procedural, to similar assistance or information for any other governmental or private entity. * * * * * * *