[Senate Report 113-240]
[From the U.S. Government Publishing Office]
113th Congress
2d Session SENATE Report
113-240
_______________________________________________________________________
Calendar No. 526
NATIONAL CYBERSECURITY AND
COMMUNICATIONS INTEGRATION CENTER ACT OF 2014
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
S. 2519
TO CODIFY AN EXISTING OPERATIONS CENTER FOR CYBERSECURITY
July 31, 2014.--Ordered to be printed
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
THOMAS R. CARPER, Delaware, Chairman
CARL LEVIN, Michigan TOM COBURN, Oklahoma
MARK L. PRYOR, Arkansas JOHN McCAIN, Arizona
MARY L. LANDRIEU, Louisiana RON JOHNSON, Wisconsin
CLAIRE McCASKILL, Missouri ROB PORTMAN, Ohio
JON TESTER, Montana RAND PAUL, Kentucky
MARK BEGICH, Alaska MICHAEL B. ENZI, Wyoming
TAMMY BALDWIN, Wisconsin KELLY AYOTTE, New Hampshire
HEIDI HEITKAMP, North Dakota
Gabrielle A. Batkin, Staff Director
John P. Kilvington, Deputy Staff Director
Mary Beth Schultz, Chief Counsel
Stephen R. Vina, Chief Counsel for Homeland Security
Matthew R. Grote, Senior Professional Staff Member
Keith B. Ashdown, Minority Staff Director
Christopher J. Barkley, Minority Deputy Staff Director
Andrew C. Dockham, Minority Chief Counsel
Daniel P. Lips, Minority Director of Homeland Security
William H.W. McKenna, Minority Investigative Counsel
Laura W. Kilbride, Chief Clerk
Calendar No. 526
113th Congress
SENATE
Report
2d Session 113-240
======================================================================
NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER ACT OF
2014
_______
July 31, 2014.--Ordered to be printed
_______
Mr. Carper, from the Committee on Homeland Security and Governmental
Affairs, submitted the following
R E P O R T
[To accompany S. 2519]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (S. 2519), to codify an
existing operations center for cybersecurity, having considered
the same, reports favorably thereon with an amendment and
recommends that the bill, as amended, do pass.
CONTENTS
Page
I. Purpose and Summary..............................................1
II. Background and Need for the Legislation..........................1
III. Legislative History..............................................5
IV. Section-by-Section Analysis......................................5
V. Evaluation of Regulatory Impact..................................6
VI. Congressional Budget Office Cost Estimate........................7
VII. Changes in Existing Law Made by the Bill, as Reported............7
I. Purpose and Summary
S. 2519, the National Cybersecurity and Communications
Integration Center Act of 2014, seeks to codify the Department
of Homeland Security's existing cybersecurity and
communications operations center, known as the National
Cybersecurity and Communications Integration Center (NCCIC).
Codification would enable DHS to execute its cyber mission more
effectively and efficiently.
II. Background and the Need for Legislation
The United States faces a variety and growing set of
sophisticated threats in cyberspace. Cyber criminals, for
example, routinely steal personal identifiable information, as
well as trade secrets and financial information from private
sector and government networks, resulting in the loss of
intellectual property and billions of dollars. For example, a
recent indictment brought by the United States Department of
Justice of six members of the People's Liberation Army
(``PLA''), the military of the People's Republic of China,
alleges several cyber attacks through which the defendants
stole various trade secrets.\1\ One report credibly estimates
the likely annual cost to the global economy from cybercrime at
more than $400 billion a year.\2\ Retired General Keith
Alexander, the former Director of the National Security Agency
and Commander of U.S. Cyber Command, observed that cyber
criminals ``are exploiting these targets on a scale amounting
to the greatest unwilling transfer of wealth in history.''\3\
---------------------------------------------------------------------------
\1\United States of America v. Wang Dong, Sun Kailiang, Wen Xinyu,
Huang Zhenyu, Gu Chunhui, http://www.justice.gov/iso/opa/resources/
5122014519132358461949.pdf.
\2\McAfee--Intel Security and Center for Strategic and
International Studies, ``Net Losses: Estimating the Global Cost of
Cybercrime'' at page 2. (June 2014) http://www.mcafee.com/us/
resources/reports/rp-economic-impact-cybercrime2.pdf (last viewed July
17, 2014).
\3\Hearing to Receive Testimony on U.S. Strategic Command and U.S.
Cyber Command in Review of the Defense Authorization Request for Fiscal
Year 2014 and Future Years Defense Programs, Hearing before the U.S.
Senate Committee on Armed Services, Written Statement of General Keith
B. Alexander, Commander, U.S. Cyber Command (Mar. 12, 2013).
---------------------------------------------------------------------------
Some actors in cyberspace seek to disrupt or destroy
computer systems, including those that control some of our
nation's critical infrastructure--the systems that deliver
power and water to our homes, our energy pipelines, our nuclear
plants and our telecommunications systems. Cyber attacks on
critical infrastructure could potentially lead to massive
disruptions, catastrophic economic damage, and, in worst case
scenarios, the loss of human life. In Saudi Arabia, for
example, a cyber attack against Saudi Aramco, one of the
world's largest oil companies, damaged 30,000 computers on the
company's network.\4\ To date, there has been no similarly
damaging cyber attack with physical effects to critical
infrastructure in the United States. However, in 2013, major
financial institutions were targeted by repeated ``denial-of-
service'' cyber attacks, which attempted to disrupt the
performance of company websites by flooding them with internet
traffic.\5\ Energy and utility companies in the United States
have also reportedly been the targets of cyber attacks. For
example, DHS has reported a widespread, organized intrusion
campaign across the U.S. oil and natural gas sector.\6\ While
no physical damage was reported, once a malicious actor gains
access to a target network, it is not technically difficult to
cause disruptions or damage.
---------------------------------------------------------------------------
\4\See Worldwide Threat Assessment of the US Intelligence
Community, Hearing before the House Permanent Select Committee on
Intelligence, Written Statement of James R. Clapper, Director of
National Intelligence (April 11, 2013).
\5\Id.
\6\See ICS-CERT, ICS-CERT Monthly Monitor, Department of Homeland
Security (April 2012) (online at http://ics-cert.us-cert.gov/monitors).
---------------------------------------------------------------------------
The United States has also seen widespread targeting of,
theft, and disruption of information stored on the federal
government's own networks, where sensitive information,
including information related to the operations of critical
infrastructure, is at risk of disclosure.\7\ For example, the
Nuclear Regulatory Commission stored sensitive cybersecurity
details for nuclear facilities on an unprotected shared drive,
making them more vulnerable to malicious cyber actors.\8\ In
2011, the Thrift Savings Plan (TSP), the retirement savings and
investment plan used by millions of federal employees and
members of the uniformed services, suffered a data security
breach, allowing unauthorized access to the personal
information of approximately 123,000 TSP participants.\9\ And,
in 2013, malicious actors broke into the computer network at
the Department of Energy's Washington headquarters and
compromised the personal information of hundreds of
employees.\10\
---------------------------------------------------------------------------
\7\See ``The Federal Government's Track Record on Cybersecurity and
Critical Infrastructure,'' Minority Staff Report, U.S. Senate Homeland
Security and Governmental Affairs Committee, Sen. Tom Coburn, February
4, 2014.
\8\See Nuclear Regulatory Commission, Office of the Inspector
General, ``Audit of NRC's Shared ``S'' Drive,'' (July 27, 2011).
\9\See Federal Retirement Thrift Investment Board, Press Release,
``Federal Retirement Thrift Investment Board Reports a Cyber Attack on
a Contractor Potentially Affecting TSP Participants'' (May 25, 2012)
https://www.tsp.gov/PDF/formspubs/Press.Release.2012-05-25.Cyber.pdf
(last accessed July 20, 2014).
\10\See Department of Energy, Office of the Inspector General, The
Department of Energy's July 2013 Cyber Security Breach, DOE/IG-0900
(Washington, D.C.: Dec. 6, 2013). http://
energy.gov/sites/prod/files/2013/12/f5/IG-0900.pdf (last accessed July
20, 2014).
---------------------------------------------------------------------------
One of the tactics to mitigate the threat of cyber attacks
against government networks and the private sector is for the
government and private sector partners to share information
about cyber security threats, including information about
threat signatures, system vulnerabilities, and actions that can
be taken to defend networks from attacks. Other tactics include
analyzing threat and vulnerability information, and providing
technical assistance to industry and other partners.
Within the federal government, the Department of Homeland
Security (``DHS'' or ``the Department'') is responsible for
working with the private sector to help protect the nation's
critical infrastructure from physical and cyber threats and
overseeing the protection of the .gov domain. At the center of
DHS' cybersecurity and communications mission is the National
Cybersecurity and Communications Integration Center (NCCIC).
The NCICC is a round-the-clock information sharing, analysis,
and incident response center where government, private sector,
and international partners work together on cybersecurity
matters.
The NCCIC has four components: the United States Computer
Emergency Readiness Team (US-CERT), the Industrial Control
Systems Cyber Emergency Response Team (ICS-CERT), the National
Coordinating Center for Telecommunications (NCC), and
Operations Integration. Among its various functions, the NCCIC:
analyzes cybersecurity and communications threats and
vulnerabilities and coordinates findings with partners to
manage risks to critical systems; creates shared situational
awareness among public sector, private sector, and
international partners by collaboratively developing and
sharing timely and actionable cybersecurity and communications
information; and responds to cybersecurity and communications
incidents and events to mitigate harmful activity, manage
crisis situations, and support recovery efforts.
In fiscal year 2013 alone, the NCCIC responded to more than
228,000 incident reports from a variety of stakeholders,
ranging from minor compromises of personal information to mass
data thefts.\11\ The NCCIC also released over 11,000 cyber
alerts to industry, federal agencies and other partners in
fiscal year 2013, and more than 5,000 organizations have used
the NCCIC's tools to perform self-assessments to identify their
own vulnerabilities. \12\ In 2013, NCCIC's ICS-CERT, conducted
76 onsite assessments across critical infrastructure
sectors.\13\ During the first nine months of Fiscal Year 2014,
the NCCIC has received 508,000 reports of incidents, detected
over 46,599 vulnerabilities, issued over 9,001 actionable
cyber-alerts, and had over 256,003 partners subscribe to its
cyber threat warning sharing initiative.\14\
---------------------------------------------------------------------------
\11\Department of Homeland Security, NCCIC Weekly Cyber Analytics
Report, Week ending 14 June 2014 (on file with Committee staff).
\12\Id.
\13\Department of Homeland Security, ICS-CERT, Year in Review
(2013), page 16, https://ics-cert.us-cert.gov/sites/default/files/
documents/Year_In_Review_FY2013_Final.pdf (last viewed July 17, 2014).
\14\Department of Homeland Security, email correspondence to
Homeland Security and Government Affairs Committee Staff (July 22,
2014) (on file with Committee).
---------------------------------------------------------------------------
Indeed, the NCCIC has played a major role in addressing a
variety of cyber attacks on government and industry networks.
For example, less than 24 hours after the NCCIC learned about
the ``Heartbleed'' vulnerability--a weakness in the widely-used
OpenSSL encryption software that protects the electronic
traffic across much of the internet--the Center released an
alert and posted mitigation information on the US-CERT
website.\15\ During the ``denial of service'' attacks on U.S.
banks in 2012 and 2013 and periodically in 2014, NCCIC's US-
CERT provided technical data and assistance to the banks,
including identifying 600,000 distributed ``denial of service''
related internet protocol addresses.\16\
---------------------------------------------------------------------------
\15\Id.
\16\Id.
---------------------------------------------------------------------------
Industry representatives from several sectors of the
economy sit on the NCCIC floor. In testimony before the
Committee, a representative from the financial industry praised
the NCCIC: ``[o]ur presence [there] has enhanced situational
awareness and information sharing between the financial
services sector and the government with numerous examples of
success.'' The witness further stated that the Financial
Services Sector Coordinating Council--the entity that
coordinates critical infrastructure and homeland security
activities in the financial services industry--``supports
formalization of the NCCIC through legislation.''\17\
---------------------------------------------------------------------------
\17\Strengthening Public-Private Partnerships to Reduce Cyber Risks
to Our Nation's Critical Infrastructure, Hearing before the U.S. Senate
Committee on Homeland Security and Governmental Affairs, Testimony of
Doug Johnson, On behalf of the Financial Services Sector Coordinating
Council (Mar. 26, 2014).
---------------------------------------------------------------------------
The NCCIC currently operates under the Homeland Security
Act's general infrastructure protection authorities.\18\ S.
2519 seeks to clarify those general existing authorities and to
explicitly authorize the existing cybersecurity center within
the Department of Homeland Security, so that the Center can
continue its important work in serving as a federal civilian
information sharing center for cybersecurity. The bill would
also codify several other existing Center responsibilities,
including authorizing the Center to: (1) provide shared
situational awareness to enable quick and coordinated
operational actions across the Federal Government; (2) share
cybersecurity information and analysis by and among Federal,
state, and local government entities and private sector
entities; (3) coordinate cybersecurity information sharing
throughout the Federal Government; (4) conduct analysis of
cybersecurity risks and incidents; (5) provide incident
response and technical assistance to federal and non-federal
entities; and (6) recommend security and resilience measures to
enhance cybersecurity. The bill would continue to allow
personnel from Federal agencies, state and local governments,
and the private sector to serve at the Center at the discretion
of the Under Secretary of the National Protection and Programs
Directorate.
---------------------------------------------------------------------------
\18\See generally, 6 U.S.C. Sec. 121; 6 U.S.C. Sec. 124a; 6 U.S.C.
Sec. 143. See also 44 U.S.C. Sec. 3546.
---------------------------------------------------------------------------
III. Legislative History
Chairman Carper and Ranking Member Coburn introduced S.
2519 on June 24, 2014. The bill was referred to the Committee
on Homeland Security and Governmental Affairs.
The Committee considered S. 2519 at a business meeting on
June 25, 2014. Senator Johnson offered one amendment,
clarifying that S. 2519 does not grant the Secretary of
Homeland Security any new authority to promulgate regulations
or set standards relating to the cybersecurity of private
sector critical infrastructure.
The Committee adopted the amendment and then ordered the
bill, as amended, reported favorably, both by voice vote.
Senators present for both the vote on the amendment and the
vote on the bill were Senators Carper, Levin, Pryor, Landrieu,
McCaskill, Tester, Heitkamp, Coburn, McCain, Johnson, and
Portman. Senators Levin and Tester asked to be recorded as
voting no on the amendment.
IV. Section-by-Section Analysis of the Bill, as Reported
Section 1. Short title.
The short title of the bill is the ``National Cybersecurity
and Communications Integration Center Act of 2014''.
Section 2. National Cybersecurity and Communications Integration Center
Subsection 2(a) of S. 2519 would amend Subtitle A of title
II of the Homeland Security Act of 2002 (P.L. 107-296) to add
new section--``210G. Operations Center.''
Subsection 210G(a) of the Homeland Security Act would
establish an operations center within the Department of
Homeland Security, which may carry out the responsibilities of
the Under Secretary appointed under section 103(a)(1)(H) of the
Homeland Security Act of 2002 (P.L. 107-296) responsible for
security and resilience (currently named the Under Secretary
for the National Protection and Programs Directorate). The
responsibilities of the operations center would include:
serving as a Federal civilian information sharing hub for
cybersecurity; providing shared situational awareness to enable
real-time operations; sharing cybersecurity threat,
vulnerability, impact and incident information and analysis by
and among Federal, State, and local government entities and
private sectors; coordinating cybersecurity information sharing
throughout the Federal government; conducting analysis of
cybersecurity risks and incidents; providing technical
assistance to Federal and non-Federal entities, upon request,
with respect to threats, attribution, vulnerability mitigation,
and incident response and remediation; and providing
recommendations on security and resilience.
Subsection (b) of the new section of the Homeland Security
Act would direct that the center is to be composed, at the
discretion of the Under Secretary responsible for overseeing
critical infrastructure protection and cybersecurity (see
subsection (e)), of personnel from Federal agencies, including
civilian and law enforcement agencies and the intelligence
community, and representatives from state and local governments
and other non-Federal entities, including representatives from
information sharing and analysis organizations and private
sector owners and operators of critical infrastructure.
Subsection (c) of the new section of the Homeland Security
Act would require the Secretary to submit an annual report one
year after the date of enactment of the S. 2519 and for each of
the next three years thereafter. The subsection requires the
report to include an analysis of the performance of the
operations center in carrying out the functions under
subsection (a); information on the composition of the center;
and information on the policies and procedures established by
the center to safeguard privacy and civil liberties.
Subsection (d) of the new section of the Homeland Security
Act would require the Government Accountability Office to
report to Congress one year after the date of enactment of S.
2519 on the effectiveness of the operations center.
Subsection (e) of the new section of the Homeland Security
Act would make clear that it is within the discretion of the
Under Secretary whether to include in the center, or provide
information and assistance to, governmental or private
entities. It also emphasizes that the fact that one private or
governmental entity was included in the center or received
information or assistance from it does not entitle any other
private or governmental entity to such inclusion, information
or assistance.
Subsection 2(b) of S. 2519 would amend the table of
contents of the Homeland Security Act to reflect the inclusion
in the Act of the new section related to the operations center.
Section 3. Rule of construction
Subsection (a) would provide the term ``critical
infrastructure'' the meaning given under section 2 of the
Homeland Security Act of 2002.
Subsection (b) provides that S. 2519 does not grant the
Secretary of Homeland Security any new authority to promulgate
regulations or set standards relating to the cybersecurity of
private sector critical infrastructure. Under this subsection,
the Secretary retains pre-existing authority to issue
regulations or standards relating to the cybersecurity of
private sector critical infrastructure.
V. Evaluation of Regulatory Impact
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have no regulatory impact within the meaning
of the rules. The Committee agrees with the Congressional
Budget Office's statement that the bill contains no
intergovernmental or private-sector mandates as defined in the
Unfunded Mandates Reform Act (UMRA) and would impose no costs
on state, local, or tribal governments.
VI. Congressional Budget Office Cost Estimate
July 25, 2014.
Hon. Tom Carper,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S.
Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 2519, the National
Cybersecurity and Communications Integration Center Act of
2014.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Jason
Wheelock.
Sincerely,
Douglas W. Elmendorf.
Enclosure.
S. 2519--National Cybersecurity and Communications Integration Center
Act of 2014
S. 2519 would codify in statute the existence of the
National Cybersecurity and Communications Integration Center
(NCCIC) of the Department of Homeland Security (DHS). The
NCCIC, which was established in 2009, is located in the
National Protection and Programs Directorate of DHS and is
funded by appropriations provided to the Infrastructure
Protection and Information Security appropriation account. So
far in 2014 that account has received approximately $1.2
billion, of which almost $800 million is for cybersecurity
programs.
S. 2519 would codify NCCIC's current role in protecting
federal civilian agencies in cyberspace, sharing information on
cybersecurity threats with DHS partners, and analyzing
cybersecurity risks and incidents. CBO estimates that
implementing the legislation would not result in a significant
cost.
Enacting S. 2519 would not affect direct spending or
revenues; therefore, pay-as-you-go procedures do not apply.
S. 2519 contains no intergovernmental or private-sector
mandates as defined in the Unfunded Mandates Reform Act and
would impose no costs on state, local, or tribal governments.
The CBO staff contact for this estimate is Jason Wheelock.
The estimate was approved by Theresa Gullo, Deputy Assistant
Director for Budget Analysis.
VII. Changes in Existing Law Made by the Bill, as Reported
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, changes in existing law made by
S. 2519 as reported are shown as follows (existing law proposed
to be omitted is enclosed in brackets, new matter is printed in
italic, and existing law in which no change is proposed is
shown in roman):
HOMELAND SECURITY ACT OF 2002
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) * * *
(b) Table of Contents.--The table of contents for this Act
is as follows:
* * * * * * *
TITLE II--INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION
* * * * * * *
Subtitle A--Information and Analysis and Infrastructure Protection;
Access to Information
Sec. 201. Information and Analysis and Infrastructure Protection
* * * * * * *
Sec. 210G. Operations Center
* * * * * * *
TITLE II--INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION
* * * * * * *
Subtitle A--Information and Analysis and Infrastructure Protection;
Access to Information
* * * * * * *
SEC. 210G. OPERATIONS CENTER.
(a) Functions.--There is in the Department an operations
center, which may carry out the responsibilities of the Under
Secretary appointed under section 103(a)(1)(H) with respect to
security and resilience, including by--
(1) serving as a Federal civilian information sharing
interface for cybersecurity;
(2) providing shared situational awareness to enable
real-time, integrated, and operational actions across
the Federal Government;
(3) sharing cybersecurity threat, vulnerability,
impact, and incident information and analysis by and
among Federal, State, and local government entities and
private sector entities;
(4) coordinating cybersecurity information sharing
throughout the Federal Government;
(5) conducting analysis of cybersecurity risks and
incidents;
(6) upon request, providing timely technical
assistance to Federal and non-Federal entities with
respect to cybersecurity threats and attribution,
vulnerability mitigation, and incident response and
remediation; and
(7) providing recommendations on security and
resilience measures to Federal and non-Federal
entities.
(b) Composition.--The operations center shall be composed
of--
(1) personnel or other representatives of Federal
agencies, including civilian and law enforcement
agencies and elements of the intelligence community, as
such term is defined under section 3(4) of the National
Security Act of 1947 (50 U.S.C. 3003(4)); and
(2) representatives from State and local governments
and other non-Federal entities, including--
(A) representatives from information sharing
and analysis organizations; and
(B) private sector owners and operators of
critical information systems.
(c) Annual Report.--Not later than 1 year after the date of
enactment of the National Cybersecurity and Communications
Integration Center Act of 2014, and every year thereafter for 3
years, the Secretary shall submit to the Committee on Homeland
Security and Governmental Affairs of the Senate and the
Committee on Homeland Security of the House of Representatives
a report on the operations center, which shall include--
(1) an analysis of the performance of the operations
center in carrying out the functions under subsection
(a);
(2) information on the composition of the center,
including--
(A) the number of representatives from non-
Federal entities that are participating in the
operations center, including the number of
representatives from States, nonprofit
organizations, and private sector entities,
respectively; and
(B) the number of requests from non-Federal
entities to participate in the operations
center and the response to such requests,
including--
(i) the average length of time to
fulfill such identified requests by the
Federal agency responsible for
fulfilling such requests; and
(ii) a description of any obstacles
or challenges to fulfilling such
requests; and
(3) the policies and procedures established by the
operations center to safeguard privacy and civil
liberties.
(d) GAO Report.--Not later than 1 year after the date of
enactment of the National Cybersecurity and Communications
Integration Center Act of 2014, the Comptroller General of the
United States shall submit to the Committee on Homeland
Security and Governmental Affairs of the Senate and the
Committee on Homeland Security of the House of Representatives
a report on the effectiveness of the operations center.
(e) No Right or Benefit.--The provision of assistance or
information to, and inclusion in the operations center of,
governmental or private entities under this section shall be at
the discretion of the Under Secretary appointed under section
103(a)(1)(H). The provision of certain assistance or
information to, or inclusion in the operations center of, one
governmental or private entity pursuant to this section shall
not create a right or benefit, substantive or procedural, to
similar assistance or information for any other governmental or
private entity.
* * * * * * *
�