[Senate Report 115-412]
[From the U.S. Government Publishing Office]


                                                     Calendar No. 716
115th Congress        }                       {               Report
                                 SENATE
 2d Session           }                       {               115-412
_______________________________________________________________________

                                     


             DHS CYBER INCIDENT RESPONSE TEAMS ACT OF 2018

                               __________

                              R E P O R T

                                 of the

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                                S. 3309

           TO AUTHORIZE CYBER INCIDENT RESPONSE TEAMS AT THE
        DEPARTMENT OF HOMELAND SECURITY, AND FOR OTHER PURPOSES
        
        
        
        
        








                December 4, 2018.--Ordered to be printed
                                   ______

                      U.S. GOVERNMENT PUBLISHING OFFICE 

89-010                       WASHINGTON : 2018




                
        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                    RON JOHNSON, Wisconsin, Chairman
ROB PORTMAN, Ohio                    CLAIRE McCASKILL, Missouri
RAND PAUL, Kentucky                  THOMAS R. CARPER, Delaware
JAMES LANKFORD, Oklahoma             HEIDI HEITKAMP, North Dakota
MICHAEL B. ENZI, Wyoming             GARY C. PETERS, Michigan
JOHN HOEVEN, North Dakota            MAGGIE HASSAN, New Hampshire
STEVE DAINES, Montana                KAMALA D. HARRIS, California
JON KYL, Arizona                     DOUG JONES, Alabama

                  Christopher R. Hixon, Staff Director
                Gabrielle D'Adamo Singer, Chief Counsel
          Michelle D. Woods, Senior Professional Staff Member
               Margaret E. Daum, Minority Staff Director
       Charles A. Moskowitz, Minority Senior Legislative Counsel
                 Subhasri Ramanathan, Minority Counsel
                     Laura W. Kilbride, Chief Clerk









 Mr. Johnson, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                         [To accompany S. 3309]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (S. 3309) to authorize 
cyber incident response teams at the Department of Homeland 
Security, and for other purposes, having considered the same 
reports favorably thereon with an amendment (in the nature of a 
substitute) and recommends that the bill, as amended, do pass.

                                CONTENTS

  I. Purpose and Summary
 II. Background and Need for the Legislation
III. Legislative History
 IV. Section-by-Section Analysis
  V. Evaluation of Regulatory Impact
 VI. Congressional Budget Office Cost Estimate
VII. Changes in Existing Law Made by the Bill, as Reported

                         I. Purpose and Summary

    The purpose of S. 3309, the Department of Homeland Security 
Cyber Incident Response Teams Act of 2018, is to authorize the 
Department to maintain cyber hunt and incident response teams 
(teams), codify an existing program within the Department, and 
foster public-private cooperation. The legislation instructs 
the Department to ensure that the teams assist in protecting 
infrastructure from cyber threats and help restore the 
functionality of private or public infrastructure following a 
cyberattack. The teams must also identify cybersecurity risks, 
develop mitigation strategies, and provide guidance to 
infrastructure owners.
    The bill helps build public-private partnerships by 
authorizing the Department to include private cybersecurity 
specialists on the teams. To help inform the Congress about the 
extent to which the teams are effective in accomplishing their 
mission and whether the Department is effectively mitigating 
cybersecurity risk, the Department must maintain metrics and 
provide reports to the appropriate Congressional committees.

              II. Background and the Need for Legislation

    In 2009, the Department created the National Cybersecurity 
and Communications Integration Center (NCCIC) to coordinate and 
streamline the nation's response to cyber threats.\1\ The 
National Cybersecurity Protection Act of 2014 and the amendment 
by the Cybersecurity Act of 2015 authorized the NCCIC to 
``receive, analyze, and disseminate information about 
cybersecurity risks and incidents and to provide guidance, 
assessments, incident response support, and other technical 
assistance upon request.''\2\
---------------------------------------------------------------------------
    \1\Press Release, Dep't of Homeland Sec., Secretary Napolitano Opens 
New National Cybersecurity and Communications Integration Center (Oct. 
30, 2009), available at 
https://www.dhs.gov/news/2009/10/30/new-national-cybersecurity-center-opened.
    \2\Dep't of Homeland Sec., U.S. Department of Homeland Security 
Cybersecurity Strategy (May 15, 2018), available at 
https://www.dhs.gov/sites/default/files/publications/DHS-Cybersecurity-Strategy_0.pdf.
---------------------------------------------------------------------------
    In an effort to advance these responsibilities, the NCCIC 
combined the incident response capabilities within the United 
States Computer Emergency Readiness Team and the Industrial 
Control Systems Computer Emergency Response Team, to form the 
Hunt and Incident Response Team (HIRT).\3\ The goal of HIRT is 
to provide ``onsite incident response, free of charge, to 
organizations that require immediate investigation and 
resolution of cyber-attacks.''\4\ According to the NCCIC:
---------------------------------------------------------------------------
    \3\See Dep't of Homeland Sec., National Cybersecurity and 
Communications Integration Center, NCCIC Fact Sheet (last accessed Nov. 
20, 2018), available at 
https://ics-cert.us-cert.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_NCCIC%20ICS_S508C.pdf.
    \4\Id.

          Upon notification of a cyber incident, HIRT will 
        perform a preliminary diagnosis to determine the extent 
        of the compromise. At the customer's request, HIRT can 
        deploy a team to meet with the affected organization to 
        review network topology, identify infected systems, 
        image drives for analysis, and collect other data as 
        needed to perform thorough follow on analysis. HIRT is 
        able to provide mitigation strategies and assist asset 
        owners/operators in restoring service and provide 
        recommendations for improving overall network and 
        control systems security.\5\
---------------------------------------------------------------------------
    \5\Id.

    During the 115th Congress, the Committee held hearings 
regarding cyber threats facing the United States and the need 
to mitigate the nation's cybersecurity risk. In May 2017, Mr. 
Steven Chabinsky, a former official with the Federal Bureau of 
Investigation and a cybersecurity expert, testified before the 
Committee and described the cybersecurity landscape in stark 
terms:

          The cyber threat is real and growing. Our 
        vulnerabilities are real and growing. Our reliance on 
        technology is real and growing. The harm from cyber-
        attacks is real and growing. Government agency cyber 
        risk is real and growing. The risk to our national 
        security is real and growing. The amount of time, 
        money, and talent that our country is diverting from 
        other issues and devoting to cybersecurity is real and 
        growing. All of these problems are real and growing, 
        and they are getting worse.\6\
---------------------------------------------------------------------------
    \6\Cyber Threats Facing America: An Overview of the Cybersecurity 
Threat Landscape: Hearing before S. Comm. on Homeland Sec. & 
Governmental Affairs, 115th Cong. (2017) (Statement of Steven Chabinsky, 
Global Chair of Data, Privacy, and Cyber Security, White & Case LLP), 
https://www.hsgac.senate.gov/imo/media/doc/Testimony-Chabinsky-2017-05-10-REVISED.pdf.

    The Committee also heard testimony about the role that the 
Department of Homeland Security plays in addressing national 
cybersecurity risk. In April 2018, Jeanette Manfra, Assistant 
Secretary, Office of Cybersecurity and Communications, with the 
National Protection and Programs Directorate (NPPD), testified 
about NPPD's role:

          We endeavor to enhance cyber threat information-
        sharing across the globe to stop cyber incidents before 
        they start and help businesses and government agencies 
        to protect their cyber systems and quickly recover 
        should such an attack occur.\7\
---------------------------------------------------------------------------
    \7\Mitigating America's Cybersecurity Risk: Hearing before S. Comm. 
on Homeland Sec. & Governmental Affairs, 115th Cong. (2018) (Statement 
of Jeanette Manfra, Assistant Sec., Office of Cybersecurity & 
Communications, Nat'l Prot. & Programs Directorate, U.S. Dep't of 
Homeland Sec.), available at 
https://www.hsgac.senate.gov/imo/media/doc/Testimony-Manfra-2018-04-24.pdf.

    Gregory Wilshusen, Director of Information Security Issues 
at the Government Accountability Office, testified about the 
Department's need to ``enhance efforts to improve and promote 
the security of federal and private sector networks.''\8\ Mr. 
Wilshusen described opportunities for the NCCIC to enhance its 
work to support national cybersecurity:
---------------------------------------------------------------------------
    \8\Id. (Statement of Gregory Wilshusen, Director of Information 
Security Issues, U.S. Gov't Accountability Office), available at 
https://www.hsgac.senate.gov/imo/media/doc/Testimony-Wilshusen-2018-04-24.pdf.

          [T]he extent to which the [NCCIC] had performed its 
        required functions in accordance with statutorily 
        defined implementing principles was unclear, in part, 
        because the [NCCIC] had not established metrics and 
        methods by which to evaluate its performance against 
        the principles. Further, in its role as the lead 
        federal agency for collaborating with eight critical 
        infrastructure sectors including the communications and 
        dams sectors, DHS had not developed metrics to measure 
        and report on the effectiveness of its cyber risk 
        mitigation activities or on the cybersecurity posture 
        of the eight sectors.\9\
---------------------------------------------------------------------------
    \9\Id.

    S. 3309 codifies the Department's cyber hunt and incident 
response teams and requires the NCCIC to assess the cyber 
incident response teams and their operations. The legislation 
also requires the NCCIC to report to congressional committees 
annually about these teams and provide data about their 
performance. The combination of these metrics and annual 
reporting will help Congress better understand the teams' and 
NCCIC's ability to mitigate national cybersecurity risk.

                        III. Legislative History

    Senators Margaret Wood Hassan (D-NH) and Rob Portman (R-OH) 
introduced S. 3309 on July 13, 2018. The bill was referred to 
the Committee on Homeland Security and Governmental Affairs.
    The Committee considered S. 3309 at a business meeting on 
September 26, 2018. Senator Hassan offered a substitute 
amendment and a modification to the substitute amendment that 
clarify the Department's responsibility for Federal asset 
response and for providing technical assistance to non-Federal 
entities and critical infrastructure sectors. Additionally, the 
modified substitute amendment authorizes the Department to use 
private sector cybersecurity specialists, upon notice and 
approval of the Secretary, on cyber incident and response 
teams. The Committee adopted the amendment as modified and 
ordered the bill, as amended, reported favorably, both by voice 
vote. Senators present for both the vote on the modified 
amendment and the vote on the underlying bill were: Johnson, 
Portman, Lankford, Enzi, Hoeven, McCaskill, Carper, Heitkamp, 
Peters, Hassan, Harris, and Jones.

        IV. Section-by-Section Analysis of the Bill, as Reported


Section 1. Short title

    This section provides the bill's short title, the ``DHS 
Cyber Incident Response Teams Act of 2018.''

Section 2. Department of Homeland Security cyber hunt incident response 
        teams

    Subsection (a) amends the Homeland Security Act to allow 
DHS to include private sector cybersecurity specialists in the 
composition of entities and persons at the NCCIC, as well as 
members of cyber hunt and incident response teams.
    The subsection further authorizes the NCCIC to maintain 
cyber hunt and incident response teams to provide assistance 
upon request for specific purposes. The legislation authorizes 
the teams to provide cybersecurity response and technical 
assistance, upon request, to Federal and non-Federal entities. 
The types of assistance can include ``restoring services 
following a cyber incident''; ``identification of cybersecurity 
risk and unauthorized cyber activity''; ``mitigation strategies 
to prevent, deter, and protect against cybersecurity risks''; 
and ``recommendations to asset owners and operators for 
improving overall network and control systems security to lower 
cybersecurity risks''.
    This subsection requires the NCCIC to assess and evaluate 
cyber incident response teams and their operations using 
``robust metrics.'' The subsection also requires NCCIC to 
submit a report to Congress annually for the first four fiscal 
years following the legislation's enactment. The annual report 
should reflect the assessment, evaluation, and robust metrics 
obtained by DHS and the NCCIC.
    Subsection (b) states that no additional funds are 
authorized by the legislation.

                   V. Evaluation of Regulatory Impact

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this bill and determined 
that the bill will have no regulatory impact within the meaning 
of the rules. The Committee agrees with the Congressional 
Budget Office's statement that the bill contains no 
intergovernmental or private-sector mandates as defined in the 
Unfunded Mandates Reform Act (UMRA) and would impose no costs 
on state, local, or tribal governments.

             VI. Congressional Budget Office Cost Estimate

                                     U.S. Congress,
                               Congressional Budget Office,
                                   Washington, DC, October 9, 2018.
Hon. Ron Johnson,
Chairman, Committee on Homeland Security and Governmental 
        Affairs, U.S. Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for S. 3309, the DHS Cyber 
Incident Response Teams Act of 2018.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is William Ma.
            Sincerely,
                                                Keith Hall,
                                                          Director.
    Enclosure.

S. 3309--DHS Cyber Incident Response Teams Act of 2018

    S. 3309 would codify the establishment and responsibilities 
of hunt and incident response teams (HIRTs) under the authority 
of the National Cybersecurity and Communications Integration 
Center (NCCIC) in the Department of Homeland Security (DHS). 
Under the bill, HIRTs would continue to provide assistance to 
federal and nonfederal entities affected by malicious cyber 
activity.
    S. 3309 also would require the NCCIC to report to the 
Congress on HIRTs' activities at the end of each of the first 
four fiscal years following the bill's enactment. Using 
information from DHS and considering information about similar 
reporting requirements, CBO estimates that implementing S. 3309 
would cost less than $500,000 over the 2019-2023 period; such 
spending would be subject to the availability of appropriated 
funds.
    Enacting S. 3309 would not affect direct spending or 
revenues; therefore, pay-as-you-go procedures do not apply.
    CBO estimates that enacting S. 3309 would not increase net 
direct spending or on-budget deficits in any of the four 
consecutive 10-year periods beginning in 2029.
    S. 3309 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act.
    On March 15, 2018, CBO transmitted a cost estimate for H.R. 
5074, the DHS Cyber Incident Response Teams Act of 2018, as 
ordered reported by the House Committee on Homeland Security on 
March 7, 2018. The two pieces of legislation are similar and 
the estimated budgetary effects are the same.
    The CBO staff contact for this estimate is William Ma. The 
estimate was reviewed by Leo Lex, Deputy Assistant Director for 
Budget Analysis.

       VII. Changes in Existing Law Made by the Bill, as Reported

    In compliance with paragraph 12 of rule XXVI of the 
Standing Rules of the Senate, changes in existing law made by 
S. 3309 as reported are shown as follows (existing law proposed 
to be omitted is enclosed in brackets, new matter is printed in 
italic, and existing law in which no change is proposed is 
shown in roman):

HOMELAND SECURITY ACT OF 2002

           *       *       *       *       *       *       *


TITLE II--INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION

           *       *       *       *       *       *       *



Subtitle B--Critical Infrastructure Information

           *       *       *       *       *       *       *



SEC. 227. NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER.

           *       *       *       *       *       *       *


    (a) * * *

           *       *       *       *       *       *       *

    (d) Composition.--
         (1) In general.--The Center shall be composed of--
                 (A) * * *
                 (B) appropriate representatives of non-Federal 
                entities, such as--
                         (i) State, local, and tribal 
                        governments;
                         (ii) information sharing and analysis 
                        organizations, including information 
                        sharing and analysis centers;
                         (iii) owners and operators of critical 
                        information systems; and
                         (iv) private entities, including 
                        cybersecurity specialists;

           *       *       *       *       *       *       *

    (e) * * *
    (f) Cyber Hunt and Incident Response Teams.--
          (1) In general.--The Center shall maintain cyber hunt 
        and incident response teams for the purpose of leading 
        Federal asset response activities and providing timely 
        technical assistance to Federal and non-Federal 
        entities, including across all critical infrastructure 
        sectors, regarding actual or potential security 
        incidents, as appropriate and upon request, including--
                  (A) assistance to asset owners and operators 
                in restoring services following a cyber 
                incident;
                  (B) identification and analysis of 
                cybersecurity risk and unauthorized cyber 
                activity;
                  (C) mitigation strategies to prevent, deter, 
                and protect against cybersecurity risks;
                  (D) recommendations to asset owners and 
                operators for improving overall network and 
                control systems security to lower cybersecurity 
                risks, and other recommendations, as 
                appropriate; and
                  (E) such other capabilities as the Secretary 
                determines appropriate.
          (2) Associated metrics.--The Center shall continually 
        assess and evaluate the cyber hunt and incident 
        response teams and the operations of those cyber hunt 
        and incident response teams using robust metrics.
          (3) Report.--At the conclusion of each of the first 4 
        fiscal years after the date of the enactment of the DHS 
        Cyber Incident Response Teams Act of 2018, the Center 
        shall submit to the Committee on Homeland Security and 
        Governmental Affairs of the Senate and the Committee on 
        Homeland Security of the House of Representatives a 
        report that includes--
                  (A) information relating to the metrics used 
                for evaluation and assessment of the cyber hunt 
                and incident response teams and operations 
                under paragraph (2), including the resources 
                and staffing of those cyber hunt and incident 
                response teams; and
                  (B) for the period covered by the report--
                          (i) the total number of incident 
                        response requests received;
                          (ii) the number of incident response 
                        tickets opened; and
                          (iii) a statement of--
                                  (I) all interagency staffing 
                                of cyber hunt and incident 
                                response teams; and
                                  (II) the interagency 
                                collaborations established to 
                                support cyber hunt and incident 
                                response teams.
          (4) Cybersecurity specialists.--After notice to, and 
        with the approval of, the entity requesting action by 
        or technical assistance from the Center, the Secretary 
        may include cybersecurity specialists from the private 
        sector on a cyber hunt and incident response team.
    [f](g) No Right or Benefit.--
          (1) In general.--The provision of assistance or 
        information to, and inclusion in the Center, or any 
        team or activity of the Center, of, governmental or 
        private entities under this section shall be at the 
        sole and unreviewable discretion of the Under Secretary 
        appointed under section 103(a)(1)(H).
          (2) Certain assistance or information.--The provision 
        of certain assistance or information to, or inclusion 
        in the Center, or any team or activity of the Center, 
        of, one governmental or private entity pursuant to this 
        section shall not create a right or benefit, 
        substantive or procedural, to similar assistance or 
        information for any other governmental or private 
        entity.
    [g](h) Automated Information Sharing.--

           *       *       *       *       *       *       *

    [h](i) Voluntary Information Sharing Procedures.--

           *       *       *       *       *       *       *

    [i](j) Direct Reporting.-- * * *
    [j](k) Reports on International Cooperation.--* * *
    [k](l) Outreach.-- * * *

           *       *       *       *       *       *       *

    [l](m) Cybersecurity Outreach.--

           *       *       *       *       *       *       *

    [m](n) Coordinated Vulnerability Disclosure.-- * * *

           *       *       *       *       *       *       *

