[Congressional Record Volume 161, Number 146 (Tuesday, October 6, 2015)]
[House]
[Pages H6813-H6815]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




   DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY STRATEGY ACT OF 2015

  Mr. RATCLIFFE. Mr. Speaker, I move to suspend the rules and pass the 
bill (H.R. 3510) to amend the Homeland Security Act of 2002 to require 
the Secretary of Homeland Security to develop a cybersecurity strategy 
for the Department of Homeland Security, and for other purposes, as 
amended.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 3510

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Department of Homeland 
     Security Cybersecurity Strategy Act of 2015''.

     SEC. 2. CYBERSECURITY STRATEGY FOR THE DEPARTMENT OF HOMELAND 
                   SECURITY.

       (a) In General.--Subtitle C of title II of the Homeland 
     Security Act of 2002 (6 U.S.C. 141 et seq.) is amended by 
     adding at the end the following new section:

     ``SEC. 230. CYBERSECURITY STRATEGY.

       ``(a) In General.--Not later than 60 days after the date of 
     the enactment of this section, the Secretary shall develop a 
     departmental strategy to carry out cybersecurity 
     responsibilities as set forth in law.
       ``(b) Contents.--The strategy required under subsection (a) 
     shall include the following:
       ``(1) Strategic and operational goals and priorities to 
     successfully execute the full range of the Secretary's 
     cybersecurity responsibilities.
       ``(2) Information on the programs, policies, and activities 
     that are required to successfully execute the full range of 
     the Secretary's cybersecurity responsibilities, including 
     programs, policies, and activities in furtherance of the 
     following:
       ``(A) Cybersecurity functions set forth in the second 
     section 226 (relating to the national cybersecurity and 
     communications integration center).
       ``(B) Cybersecurity investigations capabilities.
       ``(C) Cybersecurity research and development.
       ``(D) Engagement with international cybersecurity partners.
       ``(c) Considerations.--In developing the strategy required 
     under subsection (a), the Secretary shall--
       ``(1) consider--
       ``(A) the cybersecurity strategy for the Homeland Security 
     Enterprise published by the Secretary in November 2011;
       ``(B) the Department of Homeland Security Fiscal Years 
     2014-2018 Strategic Plan; and
       ``(C) the most recent Quadrennial Homeland Security Review 
     issued pursuant to section 707; and

[[Page H6814]]

       ``(2) include information on the roles and responsibilities 
     of components and offices of the Department, to the extent 
     practicable, to carry out such strategy.
       ``(d) Implementation Plan.--Not later than 90 days after 
     the development of the strategy required under subsection 
     (a), the Secretary shall issue an implementation plan for the 
     strategy that includes the following:
       ``(1) Strategic objectives and corresponding tasks.
       ``(2) Projected timelines and costs for such tasks.
       ``(3) Metrics to evaluate performance of such tasks.
       ``(e) Congressional Oversight.--The Secretary shall submit 
     to the Committee on Homeland Security of the House of 
     Representatives and the Committee on Homeland Security and 
     Governmental Affairs of the Senate for assessment the 
     following:
       ``(1) A copy of the strategy required under subsection (a) 
     upon issuance.
       ``(2) A copy of the implementation plan required under 
     subsection (d) upon issuance, together with detailed 
     information on any associated legislative or budgetary 
     proposals.
       ``(f) Classified Information.--The strategy required under 
     subsection (a) shall be in an unclassified form but may 
     contain a classified annex.
       ``(g) Rule of Construction.--Nothing in this section may be 
     construed as permitting the Department to engage in 
     monitoring, surveillance, exfiltration, or other collection 
     activities for the purpose of tracking an individual's 
     personally identifiable information.
       ``(h) Definitions.--In this section:
       ``(1) Cybersecurity risk.--The term `cybersecurity risk' 
     has the meaning given such term in the second section 226, 
     relating to the national cybersecurity and communications 
     integration center.
       ``(2) Homeland security enterprise.--The term `Homeland 
     Security Enterprise' means relevant governmental and 
     nongovernmental entities involved in homeland security, 
     including Federal, State, local, and tribal government 
     officials, private sector representatives, academics, and 
     other policy experts.
       ``(3) Incident.--The term `incident' has the meaning given 
     such term in the second section 226, relating to the national 
     cybersecurity and communications integration center.''.
       (b) Prohibition on Reorganization.--The Secretary of 
     Homeland Security may not change the location or reporting 
     structure of the National Protection and Programs Directorate 
     of the Department of Homeland Security, or the location or 
     reporting structure of any office or component of the 
     Directorate, unless the Secretary receives prior 
     authorization from Congress permitting such change.
       (c) Clerical Amendment.--The table of contents in section 
     1(b) of the Homeland Security Act of 2002 is amended by 
     adding at the end of the list of items for subtitle C of 
     title II the following new item:

``Sec. 230. Cybersecurity strategy.''.
       (d) Amendment to Definition.--Paragraph (2) of subsection 
     (a) of the second section 226 of the Homeland Security Act of 
     2002 (6 U.S.C. 148; relating to the national cybersecurity 
     and communications integration center) is amended to read as 
     follows:
       ``(2) the term `incident' means an occurrence that actually 
     or imminently jeopardizes, without lawful authority, the 
     integrity, confidentiality, or availability of information on 
     an information system, or actually or imminently jeopardizes, 
     without lawful authority, an information system;''.

  The SPEAKER pro tempore. Pursuant to the rule, the gentleman from 
Texas (Mr. Ratcliffe) and the gentleman from Louisiana (Mr. Richmond) 
each will control 20 minutes.
  The Chair recognizes the gentleman from Texas.


                             General Leave

  Mr. RATCLIFFE. Mr. Speaker, I ask unanimous consent that all Members 
may have 5 legislative days in which to revise and extend their remarks 
and to include any extraneous material on the bill under consideration.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from Texas?
  There was no objection.
  Mr. RATCLIFFE. Mr. Speaker, I yield myself such time as I may 
consume.
  Mr. Speaker, I rise today in support of H.R. 3510, the Department of 
Homeland Security Cybersecurity Strategy Act of 2015, sponsored by 
Representative Cedric Richmond, ranking member of the Cybersecurity, 
Infrastructure Protection, and Security Technologies Subcommittee, of 
which I am the chairman.
  This legislation would require the Department of Homeland Security to 
develop and to submit to Congress a cybersecurity strategy and 
implementation plan. Because the Department of Homeland Security is 
charged with securing the dot-gov domain and working with the private 
sector to secure the dot-com domain, a comprehensive strategic plan and 
implementation plan will support DHS' essential cybersecurity mission.
  Mr. Speaker, too often these days cyber attacks disrupt the 
operations of government, of businesses, and of the lives of the 
American people. The increasingly sophisticated nature of the cyber 
threats we face on a daily basis underscore the need to manage and 
strengthen the cybersecurity of our Nation's critical infrastructure.
  The Government Accountability Office has recommended the 
implementation of an overarching Federal cybersecurity strategy. H.R. 
3510 is an important step toward accomplishing this task.
  H.R. 3510 also precludes any reorganization effort of the Department 
of Homeland Security's National Protection and Programs Directorate, or 
NPPD, without congressional approval. This is an effort to ensure that 
congressional oversight is conducted.
  Mr. Speaker, in June of this year, a story in the press announced 
that the NPPD was planning a significant reorganization. Since June, 
very few specifics have emerged, and even those that have have been 
very sparse in detail.
  The details that have been made public elicit concern because they 
support overhauling the infrastructure protection and cybersecurity 
functions of the directorate without providing details on exactly what 
this would mean for the mission, for the structure, or for the 
workforce of the directorate.
  The language in this bill follows a bipartisan letter sent just last 
month to the Department expressing congressional concern with the lack 
of transparency surrounding this proposed reorganization and 
communicating the congressional intent to provide oversight on this 
issue. The letter also clearly stated that any reorganization or 
realignment should require congressional authorization.
  Over the past several years, the Committee on Homeland Security, on 
which I serve, has built up a collaborative working relationship with 
the NPPD, consulting with it to pass several strong and bipartisan 
pieces of legislation to improve chemical security and to strengthen 
DHS' cybersecurity mission and stature in the Federal Government.
  Given our shared goal of protecting this country and the committee's 
continued legislative oversight efforts to strengthen DHS' 
cybersecurity functions, it is essential that the Department submit any 
proposal to Congress prior to reorganization or realignment.
  It is Congress' role and responsibility to authorize the key 
responsibilities of the executive branch to include strengthening our 
cybersecurity posture and ensuring the security and resiliency of our 
Nation's critical infrastructure.
  I would like to thank Mr. Richmond for the work that he and his staff 
have done to come together in a bipartisan way on this legislation.
  I urge all Members to join me in supporting this bill.
  I reserve the balance of my time.
  Mr. RICHMOND. Mr. Speaker, I yield myself such time as I may consume.
  I rise in support of H.R. 3510.
  Mr. Speaker, I want to thank the chairman of the subcommittee, Mr. 
Ratcliffe. I want to thank the chairman of the full committee, Mr. 
McCaul, and the ranking member of the full committee, Mr. Thompson, who 
all signed on and support this legislation.
  H.R. 3510, the Department of Homeland Security Cybersecurity Strategy 
Act of 2015, will require the Secretary of Homeland Security to develop 
a comprehensive strategy and implementation plan for carrying out its 
diverse and complex cyber and information security missions.
  Today the Department of Homeland Security is not only responsible for 
working with Federal agencies to protect Federal civilian networks, but 
also for helping to bolster information security within the private 
sector, principally through the National Cybersecurity and 
Communications Integration Center.
  It also plays a major role in information security research and 
development, cyber crime investigations, and international engagement 
with cybersecurity partners.
  My bill requires DHS to put in place a strategy that includes 
necessary strategic and operational goals for executing the Secretary's 
broad responsibilities.

[[Page H6815]]

  In September, the inspector general issued a report highlighting the 
need for such strategy. The report, entitled ``DHS Can Strengthen Its 
Cyber Mission Coordination Efforts,'' found that intradepartmental 
coordination was lacking and recommended that the Department develop a 
comprehensive cross-departmental strategic implementation plan that 
defines each component's cyber missions and responsibilities.

  The Department operates frontline programs that protect this Nation 
from manmade and natural disasters. With cyber threats increasingly at 
the forefront today, it is essential that all of the Department's day-
to-day programs, policies, and activities are effective and meeting its 
multi-layered cybersecurity responsibilities.
  As the lead Federal agency responsible for securing Federal civilian 
networks and as the vital cyber information-sharing partner to national 
critical infrastructures, it is crucial that the Department have a 
comprehensive and achievable strategic plan in place.
  Mr. Speaker, in recent years, Congress has provided significant 
resources to the Department to expand its cyber operations and 
workforce.
  A lot of money has been spent to respond to cyber events and 
persistent information security threats. We must make sure our 
investments in operational plans and research and development are 
technically achievable and transparent where they can be.
  Fundamentally, my bill seeks to ensure that the Department takes a 
measurable, strategic posture that can be a model for others and to 
help protect our Nation's vulnerable information security networks.
  I ask for my colleagues' support.
  I yield back the balance of my time.

                              {time}  1730

  Mr. RATCLIFFE. Mr. Speaker, I yield myself such time as I may 
consume.
  Mr. Speaker, I once again urge my colleagues to support H.R. 3510.
  I thank Congressman Richmond for his bipartisan approach in bringing 
this bill to the floor today.
  I yield back the balance of my time.
  Ms. JACKSON LEE. Mr. Speaker, as a senior member of the Homeland 
Security Committee, I rise in support of H.R. 3510, the ``Department of 
Homeland Security Cybersecurity Strategy Act of 2015,'' which amends 
the Homeland Security Act of 2002, to require the Secretary of Homeland 
Security to develop a cybersecurity strategy for the Department of 
Homeland Security.
  The strategy must include information on the programs, policies, and 
activities that are required to successfully execute the full range of 
the cybersecurity programs, policies, and activities in furtherance of 
the Department of Homeland Security's mission regarding the National 
Cybersecurity and Communication Integration Center.
  The National Cybersecurity and Communication Integration Center 
addresses cybersecurity risks faced by federal and non-federal 
entities.
  In July of this year it was reported that the Office of Personnel 
Management lost personal information on 21.5 million current and former 
federal employees and their families.
  In 2014, the following agencies reported breaches: The State 
Department revealed that its unclassified email network had been 
breached in a cyberattack; the U.S. Postal Service reported that 
800,000 personnel files were potentially affected by a cyber breach; 
the Department of Health and Human Services reported cyber intruders 
had accessed a server used to test code for the healthcare.gov website 
and installed malicious software; and the Nuclear Regulatory 
Commission, the agency that oversees the U.S. nuclear power industry, 
revealed a number of attempted intrusions and three successful 
intrusions into its computer systems.
  In cyber time, which is near the speed of light--federal computer 
networks will not get a warning from a determined enemy that an attack 
is occurring.
  Our nation's critical infrastructure and civilian government agencies 
depend on the cybersecurity talent and resources that the Department of 
Homeland Security can provide on the frontline to defend against 
attacks.
  As with other threats that this nation has faced and overcome, we 
must create the resources and the institutional responses to protect 
our nation against cyber threats while preserving our liberties and 
freedoms.
  We cannot accomplish this task without the full cooperation and 
support of the private sector, computing research community and 
academia.
  This level of engagement requires the trust and confidence of the 
American people that this new cyber threat center will be used for the 
purpose it was created and that the collaboration of others in this 
effort to better protect computing networks will be used only for 
protection and defense.
  There are people with skills and those with the potential to develop 
skills that would be of benefit to our nation's efforts to develop an 
effective cybersecurity defense and deterrence posture.
  It is my hope that as we move forward the Committee on Homeland 
Security will continue in a bipartisan manner to seek out the best ways 
to bring the brightest and most qualified people into the government as 
cybersecurity professionals.
  Toward that end, I am hosting a Town Hall on Wednesday, October 7, 
2015, Town Hall'' on Minority Representation in the Cybersecurity 
Workforce.
  I am pleased to have the Chair of the Congressional Hispanic Caucus 
join me in support of this important Town Hall.
  The message from the federal government to the public regarding the 
employment opportunities available in STEM careers that include 
cybersecurity.
  It is my commitment that Historically Black Colleges and 
Universities, Hispanic Serving Institutions, Native American Colleges 
and Women's Colleges and Universities should be actively engaged when 
agencies conduct outreach and program development on cybersecurity.
  The Brookings' Metropolitan Policy Program's report ``The Hidden STEM 
Economy,'' reported that in 2011, 26 million jobs or 20 percent of all 
occupations required knowledge in 1 or more STEM areas.
  Half of all STEM jobs are available to workers without a 4 year 
degree and these jobs pay on average $53,000 a year, which is 10 
percent higher than jobs with similar education requirements.
  There will be STEM winners and losers, but not because the skills 
needed are too difficult to obtain, but because people are not aware of 
the jobs that are going unfilled today, nor do they know what education 
or training will create job security for the next 2 to 3 decades.
  I am very aware of the importance of STEM job training and education.
  A third of Houston jobs are in STEM-based fields.
  Houston has the second largest concentrations of engineers (22.4 for 
every 1,000 workers according to the Greater Houston Partnership.)
  Houston has 59,070 engineers, the second largest populations in the 
nation.
  STEM jobs are at the core of Houston's economic success, but what we 
have done with STEM innovation and job creation in the city of Houston 
is not enough to satisfy the regions demand for STEM trained workers.
  We anticipate that in the next 5 years the gap in the number of 
people with STEM skills and training will not keep up with the number 
of positions requiring those skills.
  I ask my colleagues to join me in support of H.R. 3510, the 
``Department of Homeland Security Cybersecurity Strategy Act of 2015.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentleman from Texas (Mr. Ratcliffe) that the House suspend the rules 
and pass the bill, H.R. 3510, as amended.
  The question was taken; and (two-thirds being in the affirmative) the 
rules were suspended and the bill, as amended, was passed.
  A motion to reconsider was laid on the table.

                          ____________________