[Congressional Record Volume 165, Number 156 (Thursday, September 26, 2019)]
[House]
[Pages H8015-H8019]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
UNIFYING DHS INTELLIGENCE ENTERPRISE ACT
Ms. JACKSON LEE. Mr. Speaker, I move to suspend the rules and pass
the bill (H.R. 2589) to amend the Homeland Security Act of 2002 to
establish a homeland intelligence doctrine for the Department of
Homeland Security, and for other purposes, as amended.
The Clerk read the title of the bill.
The text of the bill is as follows:
H.R. 2589
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Unifying DHS Intelligence
Enterprise Act''.
SEC. 2. HOMELAND INTELLIGENCE DOCTRINE.
(a) In General.--Subtitle A of title II of the Homeland
Security Act of 2002 (6 U.S.C. 121 et seq.) is amended by
adding at the end the following new section:
``SEC. 210H. HOMELAND INTELLIGENCE DOCTRINE.
``(a) In General.--Not later than 180 days after the date
of the enactment of this section, the Secretary, acting
through the Chief Intelligence Officer of the Department, in
coordination with intelligence components of the Department,
the Office of the General Counsel, the Privacy Office, and
the Office for Civil Rights and Civil Liberties, shall
develop and disseminate written Department-wide guidance for
the processing, analysis, production, and dissemination of
homeland security information (as such term is defined in
section 892) and terrorism information (as such term is
defined in section 1016 of the Intelligence Reform and
Terrorism Prevention Act of 2004 (6 U.S.C. 485)).
``(b) Contents.--The guidance required under subsection (a)
shall, at a minimum, include the following:
``(1) A description of guiding principles and purposes of
the Department's intelligence enterprise.
``(2) A summary of the roles, responsibilities, and
programs of each intelligence component of the Department in
the processing, analysis, production, or dissemination of
homeland security information and terrorism information,
including relevant authorities and restrictions applicable to
each such intelligence component.
``(3) Guidance for the processing, analysis, and production
of such information.
``(4) Guidance for the dissemination of such information,
including within the Department, among and between Federal
departments and agencies, among and between State, local,
Tribal, and territorial governments, including law
enforcement, and with foreign partners and the private
sector, consistent with the protection of privacy, civil
rights, and civil liberties.
``(5) A description of how the dissemination to the
intelligence community (as such term is defined in section
3(4) of the National Security Act of 1947 (50 U.S.C.
3003(4))) and Federal law enforcement of such information
assists such entities in carrying out their respective
missions.
``(c) Form.--The guidance required under subsection (a)
shall be submitted in unclassified form, but may include a
classified annex.
``(d) Annual Review.--For each of the five fiscal years
beginning with the first fiscal year that begins after the
date of the enactment of this section, the Secretary shall
conduct a review of the guidance required under subsection
(a) and, as appropriate, revise such guidance.''.
(b) Clerical Amendment.--The table of contents in section
1(b) of the Homeland Security Act of 2002 is amended by
inserting
[[Page H8016]]
after the item relating to section 210G the following new
item:
``Sec. 210H. Homeland intelligence doctrine.''.
SEC. 3. COMPTROLLER GENERAL ASSESSMENT.
(a) Annual Assessment Required.--Not later than one year
after the date of the enactment of this Act and again not
later than five years thereafter, the Comptroller General of
the United States shall submit to the Committee on Homeland
Security of the House of Representatives and the Committee on
Homeland Security and Governmental Affairs of the Senate an
assessment of the degree to which guidance established
pursuant to section 210H of the Homeland Security Act of 2002
(as added by section 2 of this Act) is implemented across the
Department of Homeland Security. Such assessment should
evaluate the extent to which such guidance is carried out in
a manner that protects privacy, civil rights, and civil
liberties.
(b) Elements of Assessment.--In conducting each assessment
under subsection (a), the Comptroller General of the United
States shall--
(1) use standard methodology and reporting formats in order
to demonstrate and display any changes over time; and
(2) include any other subject matter the Comptroller
General determines appropriate.
(c) Access to Relevant Data.--To carry out this section,
the Secretary of Homeland Security shall ensure that the
Comptroller General of the United States has access to all
relevant data.
SEC. 4. ANALYSTS FOR THE CHIEF INTELLIGENCE OFFICER.
Paragraph (1) of section 201(e) of the Homeland Security
Act of 2002 (6 U.S.C. 121(e)) is amended by adding at the end
the following new sentence: ``The Secretary shall also
provide the Chief Intelligence Officer with a staff having
appropriate expertise and experience to assist the Chief
Intelligence Officer.''.
The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from
Texas (Ms. Jackson Lee) and the gentleman from Tennessee (Mr. Green)
each will control 20 minutes.
The Chair recognizes the gentlewoman from Texas.
General Leave
Ms. JACKSON LEE. Mr. Speaker, I ask unanimous consent that all
Members may have 5 legislative days to revise and extend their remarks
and to include extraneous material on this measure.
The SPEAKER pro tempore. Is there objection to the request of the
gentlewoman from Texas?
There was no objection.
Ms. JACKSON LEE. Mr. Speaker, I yield myself such time as I may
consume.
Mr. Speaker, I rise today in support of H.R. 2589, the Unifying DHS
Intelligence Enterprise Act.
H.R. 2589 seeks to improve the Department of Homeland Security's
intelligence enterprise by ensuring intelligence officers across DHS
are sharing information and countering threats in a unified manner.
Since the Department was established, intelligence and information
sharing capabilities have matured, but DHS still lacks a coordinated
intelligence enterprise.
In 2016, the Committee on Homeland Security released a comprehensive
review of the Department of Homeland Security's use of intelligence to
counter terrorist threats and prescribed 30 recommendations.
As a result, this bill directs the Secretary of Homeland Security,
through a DHS chief intelligence officer, to develop and disseminate
written DHS-wide guidance for the processing, analysis, production, and
dissemination of Homeland Security and terrorism information, and
ensures this guidance is consistent with the protection of privacy,
civil rights, and civil liberties.
Given the diversity of missions across the Department, it is vital
that component intelligence officers are working together, sharing
information, and vetting that information against the broader U.S.
intelligence community holdings.
H.R. 2589 requires an assessment and description of how the
dissemination of information to the intelligence community and Federal
law enforcement assists such entities in carrying out their respective
missions.
One of the key missions of DHS is to act as a clearinghouse for
threat information, and this bill will ensure that the Department
continues to evolve into a better, more effective asset in responding
to threats to the homeland.
Mr. Speaker, I urge my colleagues to support H.R. 2589, and I reserve
the balance of my time.
Mr. GREEN of Tennessee. Mr. Speaker, I yield myself such time as I
may consume.
Mr. Speaker, I rise today in support of H.R. 2589, the Unifying DHS
Intelligence Enterprise Act.
In December of 2003, I had the unbelievable opportunity to fly with
our Nation's elite special operations aviation unit, the Night
Stalkers, in conjunction with our Army's tier I counterterrorism unit
in the capture of Iraqi dictator Saddam Hussein. It was the highlight
of my Army career.
Whether it was on missions in Iraq or hunting Osama bin Laden in
Afghanistan, I realized that having a systematic way to gather,
process, analyze, and disseminate intelligence information was critical
to our success on the battlefield. That experience encouraged me to
introduce this bill back in May so that DHS can best fulfill its very
important mission to keep America safe.
This bill requires the Department's chief intelligence officer, or
CINT, to establish a homeland intelligence doctrine for the Department,
and it requires the CINT to maintain a dedicated staff.
In the years following the terrorist attacks of September 11, the
Department was established to consolidate 22 existing Federal agencies
and reshape the domestic intelligence and counterterrorism structure of
the U.S.
Over the years, DHS has matured and refined its intelligence
enterprise. Significant improvements have been made, but there is not
yet complete unity among the various intelligence offices within all
the component agencies.
In 2016, the House Committee on Homeland Security released a
comprehensive review of the Department's use of intelligence to counter
terrorist attacks. They recognized that DHS, ``has improved its ability
to protect the homeland against terrorist threats over time, but major
gaps remain.'' They prescribed over 30 recommendations to the
Department for improved intelligence sharing.
The goal of H.R. 2589 is to ensure all of the component entities at
DHS are speaking the same language, using the same trade craft, and
disseminating their products to the appropriate stakeholders, which
include both intelligence communities and State and local partners.
This legislation will help professionalize the DHS intelligence
enterprise by establishing a shared intelligence doctrine.
Across DHS, dedicated border and immigration agents are gathering
information on individuals seeking to enter the United States. Threats
to transportation systems and critical infrastructure are gathered and
assessed, and real-time cyber threats to the government and private
networks are analyzed.
The incredible differences in the agencies of the Department create
natural barriers to information flow. Given this diversity of missions,
it is vital that component intelligence offices are working together,
sharing information, and vetting that information against intelligence
community holdings.
As a former member of the Army special operations task forces, I know
the value of synchronized intelligence processes in order to connect
the dots and successfully carry out a mission. This bill also
authorizes the continued dedication to providing staff to the chief
intelligence officer ensuring that this distinct mission continues to
provide the value necessary to support the intelligence enterprise.
I support this legislation, and I urge my colleagues to join me in
doing so.
Mr. Speaker, I reserve the balance of my time.
Ms. JACKSON LEE. Mr. Speaker, I yield myself such time as I may
consume.
Mr. Speaker, I thank the gentleman from Tennessee (Mr. Green) for his
service, and I thank him for this legislation.
It is worth noting that the bill that we just passed and the bill
that we are now debating specifically dealing with cybersecurity and
intelligence are crucial elements of our security.
I think that with the combination of recognizing the importance of
the intelligence community that is on the front lines of providing our
safety and then acknowledging the vulnerabilities in the cyber system
as one of the components of new technology, I started out my remarks by
taking note of the drone attack on the refineries in Saudi
[[Page H8017]]
Arabia. Here we are talking about cyber and its impact.
But I think the overall sense of these two initiatives is to ensure
that we in Homeland Security are on the front end of dealing with the
importance of securing this Nation on the new technologies that we are
facing every single day.
I ask my colleagues to support the underlying legislation.
I include in the Record the following articles on this very topic:
``Thousands of Vulnerabilities in Seattle's IT Network Attributed to
Siloed Approach to Cybersecurity,'' September 17, 2019; ``Leader of New
NSA Cybersecurity Directorate Outlines Threats, Objectives,'' dated
September 5, 2019; and then, August 30, 2019, ``Why Focusing on Threat
Hunting May Leave You Vulnerable.''
[September 17, 2019]
Thousands of Vulnerabilities in Seattle's IT Network Attributed to
Siloed Approach to Cybersecurity
(By David Kroman)
Last May, Seattle's head of information security flagged a
problem within the city's technology department: Because of a
process breakdown, employees were indicating that they had
fixed vulnerabilities in the department's computer network
when, in fact, they had not been fixed.
``It has been discovered that there are currently over
21,000 known critical and high vulnerabilities on systems
throughout Seattle IT,'' Andrew Whitaker, then the
department's chief information security officer, wrote in a
May 22 email to technology leadership. ``Tickets have been
closed out, claiming to have vulnerabilities remediated, but
upon follow-up review they were, with a few exceptions, not
remediated.''
The result was that the servers, desktops and applications
within the newly consolidated Department of Information
Technology--which now handles the vast majority of the city
of Seattle's technology functions, from utilities to the fire
department--contained open miniportals that could be accessed
by would-be hackers.
When left unremediated, vulnerabilities provide possible
paths for hackers to plant spyware, ransomware, viruses and
other malicious software that can be immensely harmful to an
organization, especially one that provides critical services.
Cities are often particularly open to an attack and the
effect can be devastating, as recent ransom attacks in
Baltimore and Atlanta have shown.
Saad Bashir, Seattle's new head of the Department of
Information Technology, said in an interview that he believes
the vulnerabilities are manageable. He said Seattle is at
risk, as are all organizations, but, in general, not
abnormally so.
However, Bashir acknowledged the process breakdown was
indicative of a broader problem (https://crosscut.com/2017/
07/at-city-hall-a-massive-department-is-mired-in-chaos) he
has been attempting to address within the organization since
taking his position earlier this year. ``What I observed very
early was that there was a siloed approach in how
cybersecurity was being practiced in the world of IT,'' he
said.
Because of a disconnect between teams, Bashir said, some
part of the security process would get completed, but would
not be properly handed off to the next team. ``If you're not
clear, then you may not know whether that particular
vulnerability management work has been completed the way it's
supposed to be completed,'' Bashir said.
In an effort to improve the processes within the
department, Bashir began a major reorganization of the
relatively new department--including his firing of 14
directors and managers (https://crosscut.com/2019/05/
seattles-new-it-boss-fires-14-directors-part-organizational-
change)--just two days before Whitaker's message. The
reorganization was not motivated solely by security
weaknesses, he said, but was intended to create a smoother
structure that would better catch possible entry points. When
asked if the city was safer from an attack since he took
over, Bashir said, ``Absolutely.''
Every organization contains some number of vulnerabilities.
The trick is to continually identify and address them as they
arise--an e-windshield wiper of sorts, where the
vulnerabilities are the raindrops.
Experts say hackers are increasingly less likely to gain
access through a vulnerability than they are through a
phishing expedition. In such cases, a deceiving email message
persuades employees to provide passwords or a malware-
infected USB drive is left in a parking lot in hopes that
someone finds it and plugs it in to their computer.
But addressing vulnerabilities in the city's systems
continues to be an important function of its IT department.
``If I were a serious bad guy I'd be looking at the most
vulnerable place,'' said Dr. Barbara Endicott-Popovsky,
executive director of the Center for Information Assurance &
Cybersecurity at the University of Washington. ``I'd be
looking at cities and I'd be looking at universities, because
they're open and they can't afford the latest and greatest.
It's kind of like, `Open sesame.' ''
Mike Hamilton, founder of CI Security and Seattle's chief
information security officer from 2006 to 2013, said there
are a number of reasons cities struggle to stay ahead of
cyberattacks.
For one, the number of qualified security experts is down
across the country, he said. And of those who are on the
market, cities can't match the pay of large companies like
Amazon or Microsoft.
``The ones that are good are in short supply, which means
that local governments cannot compete for those resources,''
he said.
Additionally, cities are responsible for the security of
all their departments, each of which may require vastly
different things. ``Because government is a federation of
agencies, that makes it a little difficult to have policies
in place that apply to [for example] the regulated industry
of human resources without raising the ire of unions,'' he
said.
Hamilton also said the biennial budgeting of local
government makes keeping up challenging. ``Technology moves a
whole lot freaking faster,'' he said.
All of this, Hamilton said, is in the context of extremely
high stakes. Compared with for-profit companies, ``the
potential impact [of an attack on government] is so much
greater and government can't afford it,'' said Hamilton. ``We
know something needs to be fixed, and we don't fix it until
something blows up.''
Bashir said the new processes he's put into place has made
him ``confident that we no longer have any glaring process
gaps.'' He couldn't say exactly how many vulnerabilities are
still open on city systems, but that it was less than 21,000.
The ideal number, Bashir said, is zero, but that's also
extremely unlikely, which makes it hard to identify what a
``good'' number is.
``I worry about all of them,'' said Andrew Cushman, the
city's new chief security officer. ``Whether that number is
21,000 or whether that number is 10 depends on the attacker
and how skilled that attacker is and how motivated that
attacker is. So I don't worry more because that number is
21,000, then I do if that number is 10.''
Going forward, Bashir said he wants ``to create a high
level of security awareness mindset across the
organization.'' The city could have zero vulnerabilities and
it wouldn't matter if one employee plugs in the wrong USB to
a work computer.
Hamilton said there are several easy things cities can do
that, while not offering total protection, would make it so
they are no longer ``the slowest gnu in the herd getting
picked off.'' For one, mandate zero personal use of city
equipment, something Singapore implemented in 2017.
Phishing attacks remain the easiest entry point for hackers
and so that's where the bulk of the city's attention should
focus, Hamilton said. Because no matter how many protections
are put into place, ``There is not now, nor will there ever
be, a firewall for stupid.''
____
[From CSO Online, Sept. 5, 2019]
Leader of new NSA Cybersecurity Directorate Outlines Threats,
Objectives
(By Cynthia Brumfield)
Ransomware, Russia, China, Iran and North Korea are the top
cybersecurity threats that will be the focus of a new
division within the National Security Agency (NSA), the
Cybersecurity Directorate, which is set to be operational on
October 1, according to NSA director of cybersecurity Anne
Neuberger. She was tapped in July by Director General Paul
Nakasone to head the group. The Directorate aims to bring the
agency's foreign intelligence and cyber operations together
and ``operationalize [its] threat intelligence, vulnerability
assessments and cyber defense expertise,'' the agency
announced when launching the new division.
``NSA really had to up its game,'' Neuberger said in a
fireside chat with Niloofar Razi Howe, cybersecurity venture
investor and executive at the Billington Cybersecurity Summit
in Washington on September 4. ``And that's what drove this
desire to stand up a directorate and frankly to set a pretty
aggressive mission, which is to prevent and eradicate cyber
actors from national security systems and critical
infrastructure with a focus on the defense industrial base.''
In terms of the threats, ``Clearly ransomware is the focus.
We've seen there are roughly 4,000 ransomware attacks a
day,'' Neuberger said. ``When we look at Russia, we see a
country that uses influence operations, uses cyber [that is]
really integrated and below the level of armed conflict. They
also use entities who aren't necessarily tied to the
government, whether the Internet Research Agency for
potential elections influence or China has its own unique
approach to how the country uses cyber threats to achieve its
national security and military objectives, Neuberger said.
China's cyber threats are exemplified by three different and
wholly distinct types of operations: the 2015 theft of 21.5
million records from the Office of Personnel Management, the
hacking campaign known as Cloud Hopper that targeted eight of
the world's biggest technology service providers, and ongoing
theft of intellectual property such as when Chinese
intelligence and business insiders sought to steal
information related to a turbofan engine used in commercial
airliners.
Iran is very volatile and uses destructive attacks in its
own region primarily, Neuberger said. ``North Korea always
fascinates us as essentially a nation-state
[[Page H8018]]
criminal, as a country under sanctions using creative ways of
cyber, whether it's crypto currency, whether it's
cryptomining to gain hard currency and essentially keep the
regime afloat.''
Neuberger previously headed the agency's ``Russia Small
Group,'' a joint NSA-Cyber Command task force to combat
Russian election interference and influence campaigns. The
task force ``was stood up out of a realization that something
had dramatically changed and we had to reboot our approach as
a US government,'' Neuberger said.
``Now influence operations have been around since the days
of Adam and Eve, but what really changed was the age of
social media,'' she said. Not only could an adversary send
out broad messaging, but it could also target disinformation
to particular ethnic groups, particular elements of a
country, and do it in a ``pretty cheap way ... looking as if
one is an American.''
``So, we realized that it took a more creative approach to
protect our democracy. In the Russia Small Group, we worked
closely with the DHS and FBI to ensure that from a cyber
perspective they had all the threat information we had in a
way that can be quickly actionable'' Neuberger said. ``We're
tremendously proud of the work we did between NSA, Cyber
Command, DHS and the FBI to defend the integrity of our
elections and ensure that every American know that their vote
counted and their vote matters.,'' referring to the Russia
Small Group's efforts to protect the 2018 midterm elections.
When it comes to warding off 2020 election threats, the
Directorate will take the same approach the Russia Small
Group applied in the 2018 elections. ``Ensure there is threat
intelligence, gain those insights, share that intelligence,
and be prepared to impose costs on an adversary who may
attempt to influence our elections,'' Neuberger said. ``We
will do the same work that we did in 2018 looking to see who
are the actors seeking to shake confidence in the integrity
of our elections, and share that with the FBI.''
Ransomware has emerged as a bigger threat to the election
infrastructure than it has before. The recent shift
ransomware attackers have taken from targeting individuals to
targeting entities is ``certainly something that would make
it be a key concern for the elections. The best protection is
the same security advice we give: ensure one uses principles
of least privilege [and] computers with admin access
shouldn't have access to the Internet at all times.''
Partnering with other government agencies and private
sector companies and organizations will be a major focus of
the Directorate. ``Everything we do, we do in partnership
with other agencies, with allies around the world and
certainly the private sector plays a role,'' Neuberger said,
noting that she wants to unify all the various communities
involved in cybersecurity to enhance collaboration and focus
on the hardest cybersecurity problems.
``Partners are key; they are the root of everything we can
accomplish,'' she said. Among the partners the Directorate
plans to include in its efforts are the Department of
Defense, Cyber Command, DHS, the acquisition community, U.S.
allies and certainly the private the sector. ``The private
sector is often the first indicator of a significant threat
or a significant compromise.''
The goal is to push out as much unclassified information as
possible and bring together all the elements that are needed
to quickly identify and head off threats. ``Ideally, we are
sharing the threat information to prevent an attack, to
prevent exploitation rather than being part of a team that
helps with incident response,'' Neuberger said.
Although the Directorate doesn't have a ``moonshot''
objective as it begins operations, one goal is to address the
``rampant abuse of Internet infrastructure,'' Neuberger said,
particularly protecting the Domain Name System (DNS), the
naming system underlying the Internet which has been subject
to increasing attacks and redirections by malicious actors.
``DNS is a key way that adversaries use for command and
control for exploitation,'' she said. Neuberger would like to
see efforts such as the UK's NCSC's Protective Domain Name
System, which was built to thwart the use of DNS for malware
distribution and operation, more widely used. The Directorate
can help by adding or contributing threat information to make
those services even more effective.
The Directorate can serve to interconnect these efforts so
they could communicate beyond internet transactions. ``If we
could achieve that, it would have even broader impact beyond
cybersecurity.''
____
[From Infosecurity Magazine] Aug. 30, 2019
Why Focusing on Threat Hunting May Leave You Vulnerable
(By Bob Shaker)
The cybersecurity threat landscape is becoming increasingly
complex and crowded, and with security teams around the world
largely understaffed and facing burnout, experts are looking
for the most efficient way to combat cybercrime.
One approach that has gained significant momentum of late
is threat hunting--the proactive searching of threat
indicators within an environment to sniff out highly advanced
cyber threats. In threat hunting, security analysts search
their environment for known indicators of compromise (IoCs)
and adversary tactics, techniques, and procedures (TTPs)--if
any of these are found, there's a good chance that an attack
is underway.
While threat hunting is a key element of a robust
cybersecurity strategy, many organizations rely too heavily
on this approach. A narrow focus on specific IoCs and TTPs
paints an incomplete picture of the threat environment and
means that the attacks that don't bear these hallmarks will
get missed.
In this evolving threat landscape, enterprises can't just
rely on threat hunting to keep their environments secure--
they must broaden their cybersecurity approach, assessing
security environments in a more holistic way to better detect
advanced and stealth attacks.
Why threat hunting has become so popular
Threat hunting has recently become a major buzzword in the
security industry in large part because it connotes a cooler,
more technical and more skilled approach to security. As a
result, security experts are gravitating toward it for
career-building opportunities and advancing their security
approach.
While threat hunting might be overhyped, there are also
genuine benefits to the practice (when done correctly) that
help explain why enterprises are so ready to adopt it. Threat
hunting helps refocus security teams on emerging threats,
since existing security technologies tend to address things
we already know about.
Actively looking for emerging threats can mean identifying
threats that might be lurking in the environment--reducing
dwell time and tackling threats before they escalate and turn
into full-blown security breaches.
In addition, adopting threat hunting tactics often leads to
discovering visibility gaps in your current security
approach--for example, your S3 buckets might not be
configured properly or perhaps some firewall rules got
changed, or maybe you're able to identify an employee or
group within your organization that is violating a security
policy. Uncovering these poorly managed security solutions is
a useful byproduct of threat hunting.
The downfalls of threat hunting
However, many organizations rely too heavily on threat
hunting as they are unable to invest in the required
infrastructure, resources and expertise to continually
analyze all activity for possible threats. Often, this threat
hunting is provided by third-party security companies, as
many enterprises either lack the skills and resources
entirely or are only able dedicate their in-house teams to a
few days of threat hunting a year.
With the major talent gap facing cybersecurity, most
enterprises simply cannot find or afford to hire
professionals with the required level of expertise. As a
result, many are turning to managed services offered by
security companies to help close the gap. According to
Gartner, by 2024, 25% of organizations will be using MDR
services, up from less than 5% today.
Threat hunting services often focus almost exclusively on
threats posed by splashy, sexy attack groups--whether it is
notable criminal APTs or nation state groups. A strong
security program focuses on risk management, and one of the
most important things security teams can do is accurately
identify the risks that they are susceptible to, which for
many enterprises isn't a nation-state attack.
While threat-hunting addresses attacks that everyone is
talking about, the reality is that many enterprises should be
equally--if not more cognizant--of commodity threats. While
sophisticated threats exist and are important to defend
against through threat hunting, the majority of threats
facing enterprises are better addressed through good security
hygiene.
Over-investing in threat hunting can lead to an incomplete
and irregular picture of the risks enterprises face. In fact,
a singular reliance on threat hunting alone means that many
types of attacks will get missed if you're not specifically
looking for them.
Taking a holistic approach
By over-rotating on big name threats, security teams leave
open the possibility that they are going to miss the obvious.
In this threat environment, security teams can't afford to
drop the ball on the basics--a recent ESG survey of
enterprise cybersecurity leaders revealed that more than
three-quarters (76%) believe that threat detection and
incident response is more difficult today than it was just
two years ago.
To ensure a strong security posture, enterprises should
take a comprehensive, multi-faceted approach that goes beyond
threat hunting. As they build out a holistic approach, they
should be sure to:
Collect data on everything they can. Often when
investigating a breach or incident, security teams find that
they don't have any evidence because they aren't collecting
and retaining the right data--it's usually the exception when
there's sufficient logging for an incident. With living off
the land attacks increasing (many of which fly under the
radar of traditional logging), it's ever more important that
teams don't skimp on data collection, as relying on a mixture
of sources is more likely to help you detect threats early
and prevent bad actors from getting in unnoticed.
Use multiple security tools and strategies. We've recently
seen a trend toward new technologies like AI and machine
learning across security programs. It's important to layer
these tools and strategies as they each have their strengths
and weaknesses. To maximize effectiveness, use a mixture of
tools, methodologies and frameworks that integrate multiple
attack and adversary considerations such as MITRE ATT&CK as
well as
[[Page H8019]]
simple IOCs, rule-based detection, statistical models,
linguistic models, and machine learning models--and then
correlate with global threat intelligence, validating and
augmenting with human expertise.
Don't underestimate the importance of humans. The human
side of the investigation is critical. There is no better
computer for detecting, recognizing and responding to threats
than the human mind. While automated systems have helped
advance the security industry significantly, a true ``eyes on
glass'' approach to threat detection requires years of
experience and the corresponding intuition of knowing when
something is amiss.
Ms. JACKSON LEE. Mr. Speaker, I ask that my colleagues support the
underlying legislation, and I reserve the balance of my time.
Mr. GREEN of Tennessee. Mr. Speaker, there is bipartisan support for
a professional, coordinated Department of Homeland Security
intelligence architecture.
I want to thank Chairman Thompson and Ranking Member Rogers for
supporting this legislation and bringing it to the floor. It is time
for DHS to be able to function with the same precision in the handling
of intelligence information as our warriors in the Department of
Defense, and I am honored to have the opportunity to help them do so.
Mr. Speaker, I urge support of the bill, and I yield back the balance
of my time.
Ms. JACKSON LEE. Mr. Speaker, I ask my colleagues to support the
underlying bill, and I yield back the balance of my time.
The SPEAKER pro tempore. The question is on the motion offered by the
gentlewoman from Texas (Ms. Jackson Lee) that the House suspend the
rules and pass the bill, H.R. 2589, as amended.
The question was taken; and (two-thirds being in the affirmative) the
rules were suspended and the bill, as amended, was passed.
A motion to reconsider was laid on the table.
____________________