[Senate Report 115-412]
[From the U.S. Government Publishing Office]
Calendar No. 716
115th Congress } { Report
SENATE
2d Session } { 115-412
_______________________________________________________________________
DHS CYBER INCIDENT RESPONSE TEAMS ACT OF 2018
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
S. 3309
TO AUTHORIZE CYBER INCIDENT RESPONSE TEAMS AT THE
DEPARTMENT OF HOMELAND SECURITY, AND FOR OTHER PURPOSES
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
December 4, 2018.--Ordered to be printed
______
U.S. GOVERNMENT PUBLISHING OFFICE
89-010 WASHINGTON : 2018
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
RON JOHNSON, Wisconsin, Chairman
ROB PORTMAN, Ohio CLAIRE McCASKILL, Missouri
RAND PAUL, Kentucky THOMAS R. CARPER, Delaware
JAMES LANKFORD, Oklahoma HEIDI HEITKAMP, North Dakota
MICHAEL B. ENZI, Wyoming GARY C. PETERS, Michigan
JOHN HOEVEN, North Dakota MAGGIE HASSAN, New Hampshire
STEVE DAINES, Montana KAMALA D. HARRIS, California
JON KYL, Arizona DOUG JONES, Alabama
Christopher R. Hixon, Staff Director
Gabrielle D'Adamo Singer, Chief Counsel
Michelle D. Woods, Senior Professional Staff Member
Margaret E. Daum, Minority Staff Director
Charles A. Moskowitz, Minority Senior Legislative Counsel
Subhasri Ramanathan, Minority Counsel
Laura W. Kilbride, Chief Clerk
Calendar No. 716
115th Congress } { Report
SENATE
2d Session } { 115-412
======================================================================
DHS CYBER INCIDENT RESPONSE TEAMS ACT OF 2018
_______
December 4, 2018.--Ordered to be printed
_______
Mr. Johnson, from the Committee on Homeland Security and Governmental
Affairs, submitted the following
R E P O R T
[To accompany S. 3309]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (S. 3309) to authorize
cyber incident response teams at the Department of Homeland
Security, and for other purposes, having considered the same
reports favorably thereon with an amendment (in the nature of a
substitute) and recommends that the bill, as amended, do pass.
CONTENTS
Page
I. Purpose and Summary..............................................1
II. Background and Need for the Legislation..........................2
III. Legislative History..............................................4
IV. Section-by-Section Analysis......................................4
V. Evaluation of Regulatory Impact..................................5
VI. Congressional Budget Office Cost Estimate........................5
VII. Changes in Existing Law Made by the Bill, as Reported............6
I. Purpose and Summary
The purpose of S. 3309, the Department of Homeland Security
Cyber Incident Response Teams Act of 2018, is to authorize the
Department to maintain cyber hunt and incident response teams
(teams), codify an existing program within the Department, and
foster public-private cooperation. The legislation instructs
the Department to ensure that the teams assist in protecting
infrastructure from cyber threats and help restore the
functionality of private or public infrastructure following a
cyberattack. The teams must also identify cybersecurity risks,
develop mitigation strategies, and provide guidance to
infrastructure owners.
The bill helps build public-private partnerships by
authorizing the Department to include private cybersecurity
specialists on the teams. To help inform the Congress about the
extent to which the teams are effective in accomplishing their
mission and whether the Department was effectively mitigating
cybersecurity risk, the Department must maintain metrics and
provide reports to the appropriate Congressional committees.
II. Background and the Need for Legislation
In 2009, the Department created the National Cybersecurity
and Communications Integration Center (NCCIC) to coordinate and
streamline the nation's response to cyber threats.\1\ The
National Cybersecurity Protection Act of 2014 and the amendment
by the Cybersecurity Act of 2015 authorized the NCCIC to
``receive, analyze, and disseminate information about
cybersecurity risks and incidents and to provide guidance,
assessments, incident response support, and other technical
assistance upon request.''\2\
---------------------------------------------------------------------------
\1\Press release Dep't of Homeland Sec., Secretary Napolitano Opens
New National Cybersecurity and Communications Integration Center (Oct.
30, 2009), available at https://www.dhs.gov/news/2009/10/30/new-
national-cybersecurity-center-opened.
\2\Dep't of Homeland Sec., U.S. Department Of Homeland Security
Cybersecurity Strategy, (May 15, 2018), available at https://
www.dhs.gov/sites/default/files/publications/DHS-Cybersecurity-
Strategy_0.pdf.
---------------------------------------------------------------------------
In an effort to advance these responsibilities, the NCCIC
combined the incident response capabilities within the United
States Computer Emergency Readiness Team and the Industrial
Control Systems Computer Emergency Response Team, to form the
Hunt and Incident Response Team (HIRT).\3\ The goal of HIRT is
to provide ``onsite incident response, free of charge, to
organizations that require immediate investigation and
resolution of cyber-attacks.''\4\ According to the NCCIC:
---------------------------------------------------------------------------
\3\See Dep't of Homeland Sec., National Cybersecurity and
Communications Integration Center, NCCIC Fact Sheet (last accessed Nov.
20, 2018), available at https://ics-cert.us-cert.gov/sites
/default/files/FactSheets/NCCIC%20ICS_FactSheet_NCCIC%20ICS_S508C.pdf.
\4\Id.
Upon notification of a cyber incident, HIRT will
perform a preliminary diagnosis to determine the extent
of the compromise. At the customer's request, HIRT can
deploy a team to meet with the affected organization to
review network topology, identify infected systems,
image drives for analysis, and collect other data as
needed to perform thorough follow on analysis. HIRT is
able to provide mitigation strategies and assist asset
owners/operators in restoring service and provide
recommendations for improving overall network and
control systems security.\5\
---------------------------------------------------------------------------
\5\Id.
During the 115th Congress, the Committee held hearings
regarding cyber threats facing the United States and the need
to mitigate the nation's cybersecurity risk. In May 2017, Mr.
Stephen Chabinsky, a former official with the Federal Bureau of
Investigation and a cybersecurity expert, testified before the
Committee and described the cybersecurity landscape in stark
---------------------------------------------------------------------------
terms:
The cyber threat is real and growing. Our
vulnerabilities are real and growing. Our reliance on
technology is real and growing. The harm from cyber-
attacks is real and growing. Government agency cyber
risk is real and growing. The risk to our national
security is real and growing. The amount of time,
money, and talent that our country is diverting from
other issues and devoting to cybersecurity is real and
growing. All of these problems are real and growing,
and they are getting worse.\6\
---------------------------------------------------------------------------
\6\Cyber Threats Facing America: An Overview of the Cybersecurity
Threat Landscape: Hearing before S. Comm. on Homeland Sec. &
Governmental Affairs 115th Cong. (2017) (Statement of Steven Chabinsky,
Global Chair of Data, Privacy, and Cyber Security, White & Case LLP),
https://www.hsgac.senate.gov/imo/media/doc/Testimony-Chabinsky-2017-05-
10-REVISED.pdf.
The Committee also heard testimony about the role that the
Department of Homeland Security plays in addressing national
cybersecurity risk. In April 2018, Jeanette Manfra, Assistant
Secretary, Office of Cybersecurity and Communications, with the
National Protection and Programs Directorate (NPPD), testified
---------------------------------------------------------------------------
about NPPD's role:
We endeavor to enhance cyber threat information-
sharing across the globe to stop cyber incidents before
they start and help businesses and government agencies
to protect their cyber systems and quickly recover
should such an attack occur.\7\
---------------------------------------------------------------------------
\7\Mitigating America's Cybersecurity Risk: Hearing before S. Comm.
on Homeland Sec. & Governmental Affairs 115th Cong. (2018) (Statement
of Jeanette Manfra, Assistant Sec., Office of Cybersecurity &
Communications, Nat'l Programs & Prot. Directorate, U.S. Dep't of
Homeland Sec.), available at https://www.hsgac.senate.gov/imo/media/
doc/Testimony-Manfra-2018-04-24.pdf.
Gregory Wilshusen, Director of Information Security Issues
at the Government Accountability Office, testified about the
Department's need to ``enhance efforts to improve and promote
the security of federal and private sector networks.''\8\ Mr.
Wilshusen described opportunities for the NCCIC to enhance its
work to support national cybersecurity:
---------------------------------------------------------------------------
\8\Id. (Statement of Gregor Wilshusen, Director of Information
Security Issues, U.S. Gov't Accountability Office), available at
https://www.hsgac.senate.gov/imo/media/doc/Testimony-Wilshusen-2018-04-
24.pdf.
[T]he extent to which the [NCCIC] had performed its
required functions in accordance with statutorily
defined implementing principles was unclear, in part,
because the [NCCIC] had not established metrics and
methods by which to evaluate its performance against
the principles. Further, in its role as the lead
federal agency for collaborating with eight critical
infrastructure sectors including the communications and
dams sectors, DHS had not developed metrics to measure
and report on the effectiveness of its cyber risk
mitigation activities or on the cybersecurity posture
of the eight sectors.\9\
---------------------------------------------------------------------------
\9\Id.
S. 3309 codifies the Department's cyber hunt and incident
response teams and requires the NCCIC to assess the cyber
incident response teams and their operations. The legislation
also requires the NCCIC to report to congressional committees
annually about these teams and provide data about their
performance. The combinations of these metrics and annual
reporting will help Congress better understand the team's and
NCCIC's ability to mitigate national cybersecurity risk.
III. Legislative History
Senators Margaret Wood Hassan (D-NH) and Rob Portman (R-OH)
introduced S. 3309 on July 13, 2018. The bill was referred to
the Committee on Homeland Security and Governmental Affairs.
The Committee considered S. 3309 at a business meeting on
September 26, 2018. Senator Hassan offered a substitute
amendment and a modification to the substitute amendment that
clarify the Department's responsibility for Federal asset
response and for providing technical assistance to non-Federal
entities and critical infrastructure sectors. Additionally, the
modified substitute amendment authorizes the Department to use
private sector cybersecurity specialists, upon notice and
approval of the Secretary, on cyber incident and response
teams. The Committee adopted the amendment as modified and
ordered the bill, as amended, reported favorably, both by voice
vote. Senators present for both the vote on the modified
amendment and the vote on the underlying bill were: Johnson,
Portman, Lankford, Enzi, Hoeven, McCaskill, Carper, Heitkamp,
Peters, Hassan, Harris, and Jones.
IV. Section-by-Section Analysis of the Bill, as Reported
Section 1. Short title
This section provides the bill's short title, the ``DHS
cyber Incident Response Teams Act of 2018.''
Section 2. Department of Homeland Security cyber hunt incident response
teams
Subsection (a) amends the Homeland Security Act to allow
DHS to include private sector cybersecurity specialists in the
composition of entities and persons at the NCCIC, as well as
members of cyber hunt and incident response teams.
The subsection further authorizes the NCCIC to maintain
cyber hunt and incident response teams to provide assistance
upon request for specific purposes. The legislation authorizes
the teams to provide cybersecurity response and technical
assistance, upon request, to Federal and non-Federal entities.
The types of assistance can include, ``restoring services
following a cyber incident''; ``identification of cybersecurity
risk and unauthorized cyber activity''; ``mitigation strategies
to prevent, deter, and protect against cybersecurity risks'';
and ``recommendations to asset owners and operators for
improving overall network and control systems security to lower
cybersecurity risks''.
This subsection requires the NCCIC to assess and evaluate
cyber incident response teams and their operations using
``robust metrics.'' The subsection also requires NCCIC to
submit a report to Congress annually for the first four fiscal
years following the legislation's enactment. The annual report
should reflect the assessment, evaluation, and robust metrics
obtained by DHS and the NCCIC.
Subsection (b) states that no additional funds are
authorized by the legislation.
V. Evaluation of Regulatory Impact
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have no regulatory impact within the meaning
of the rules. The Committee agrees with the Congressional
Budget Office's statement that the bill contains no
intergovernmental or private-sector mandates as defined in the
Unfunded Mandates Reform Act (UMRA) and would impose no costs
on state, local, or tribal governments.
VI. Congressional Budget Office Cost Estimate
U.S. Congress,
Congressional Budget Office,
Washington, DC, October 9, 2018.
Hon. Ron Johnson,
Chairman, Committee on Homeland Security and Governmental
Affairs, U.S. Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 3309, the DHS Cyber
Incident Response Teams Act of 2018.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is William Ma.
Sincerely,
Keith Hall,
Director.
Enclosure.
S. 3309--DHS Cyber Incident Response Teams Act of 2018
S. 3309 would codify the establishment and responsibilities
of hunt and incident response teams (HIRTs) under the authority
of the National Cybersecurity and Communications Integration
Center (NCCIC) in the Department of Homeland Security (DHS).
Under the bill, HIRTs would continue to provide assistance to
federal and nonfederal entities affected by malicious cyber
activity.
S. 3309 also would require the NCCIC to report to the
Congress on HIRTs' activities at the end of each of the first
four fiscal years following the bill's enactment. Using
information from DHS and considering information about similar
reporting requirements, CBO estimates that implementing S. 3309
would cost less than $500,000 over the 2019-2023 period; such
spending would be subject to the availability of appropriated
funds.
Enacting S. 3309 would not affect direct spending or
revenues; therefore, pay-as-you-go procedures do not apply.
CBO estimates that enacting S. 3309 would not increase net
direct spending or on-budget deficits in any of the four
consecutive 10-year periods beginning in 2029.
S. 3309 contains no intergovernmental or private-sector
mandates as defined in the Unfunded Mandates Reform Act.
On March 15, 2018, CBO transmitted a cost estimate for H.R.
5074, the DHS Cyber Incident Response Teams Act of 2018, as
ordered reported by the House Committee on Homeland Security on
March 7, 2018. The two pieces of legislation are similar and
the estimated budgetary effects are the same.
The CBO staff contact for this estimate is William Ma. The
estimate was reviewed by Leo Lex, Deputy Assistant Director for
Budget Analysis.
VII. Changes in Existing Law Made by the Bill, as Reported
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, changes in existing law made by
S. 3309 as reported are shown as follows (existing law proposed
to be omitted is enclosed in brackets, new matter is printed in
italic, and existing law in which no change is proposed is
shown in roman):
HOMELAND SECURITY ACT OF 2002
* * * * * * *
TITLE II--INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION
* * * * * * *
Subtitle B--Critical Infrastructure Information
* * * * * * *
SEC. 227. NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER.
* * * * * * *
(a) * * *
* * * * * * *
(d) Composition.--
(1) In general.--The Center shall be composed of--
(A) * * *
(B) appropriate representatives of non-Federal
entities, such as--
(i) State, local, and tribal
governments;
(ii) information sharing and analysis
organizations, including information
sharing and analysis centers;
(iii) owners and operators of critical
information systems; and
(iv) private entities, including
cybersecurity specialists;
* * * * * * *
(e) * * *
(f) Cyber Hunt and Incident Response Teams.--
(1) In general.--The Center shall maintain cyber hunt
and incident response teams for the purpose of leading
Federal asset response activities and providing timely
technical assistance to Federal and non-Federal
entities, including across all critical infrastructure
sectors, regarding actual or potential security
incidents, as appropriate and upon request, including--
(A) assistance to asset owners and operators
in restoring services following a cyber
incident;
(B) identification and analysis of
cybersecurity risk and unauthorized cyber
activity;
(C) mitigation strategies to prevent, deter,
and protect against cybersecurity risks;
(D) recommendations to asset owners and
operators for improving overall network and
control systems security to lower cybersecurity
risks, and other recommendations, as
appropriate; and
(E) such other capabilities as the Secretary
determines appropriate.
(2) Associated metrics.--The Center shall continually
assess and evaluate the cyber hunt and incident
response teams and the operations of those cyber hunt
and incident response teams using robust metrics.
(3) Report.--At the conclusion of each of the first 4
fiscal years after the date of the enactment of the DHS
Cyber Incident Response Teams Act of 2018, the Center
shall submit to the Committee on Homeland Security and
Governmental Affairs of the Senate and the Committee on
Homeland Security of the House of Representatives a
report that includes--
(A) information relating to the metrics used
for evaluation and assessment of the cyber hunt
and incident response teams and operations
under paragraph (2), including the resources
and staffing of those cyber hunt and incident
response teams; and
(B) for the period covered by the report--
(i) the total number of incident
response requests received;
(ii) the number of incident response
tickets opened; and
(iii) a statement of--
(I) all interagency staffing
of cyber hunt and incident
response teams; and
(II) the interagency
collaborations established to
support cyber hunt and incident
response teams.
(4) Cybersecurity specialists.--After notice to, and
with the approval of, the entity requesting action by
or technical assistance from the Center, the Secretary
may include cybersecurity specialists from the private
sector on a cyber hunt and incident response team.
[f](g) No Right or Benefit.--
(1) In general.--The provision of assistance or
information to, and inclusion in the Center, or any
team or activity of the Center, of, governmental or
private entities under this section shall be at the
sole and unreviewable discretion of the Under Secretary
appointed under section 103(a)(1)(H).
(2) Certain assistance or information.--The provision
of certain assistance or information to, or inclusion
in the Center, or any team or activity of the Center,
of, one governmental or private entity pursuant to this
section shall not create a right or benefit,
substantive or procedural, to similar assistance or
information for any other governmental or private
entity.
[g](h) Automated Information Sharing.--
* * * * * * *
[h](i) Voluntary Information Sharing Procedures.--
* * * * * * *
[i](j) Direct Reporting.-- * * *
[j](k) Reports on International Cooperation.--* * *
[k](l) Outreach.-- * * *
* * * * * * *
[l](m) Cybersecurity Outreach.--
* * * * * * *
[m](n) Coordinated Vulnerability Disclosure.-- * * *
* * * * * * *
[all]