[House Report 116-89]
[From the U.S. Government Publishing Office]
116th Congress, 1st Session
HOUSE OF REPRESENTATIVES
Report 116-89
======================================================================
DHS CYBER INCIDENT RESPONSE TEAMS ACT OF 2019
_______
May 30, 2019.--Committed to the Committee of the Whole House on the
State of the Union and ordered to be printed
_______
Mr. Thompson of Mississippi, from the Committee on Homeland Security,
submitted the following
R E P O R T
[To accompany H.R. 1158]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security, to whom was referred
the bill (H.R. 1158) to authorize cyber incident response teams
at the Department of Homeland Security, and for other purposes,
having considered the same, report favorably thereon without
amendment and recommend that the bill do pass.
CONTENTS
Purpose and Summary
Background and Need for Legislation
Hearings
Committee Consideration
Committee Votes
Committee Oversight Findings
C.B.O. Estimate, New Budget Authority, Entitlement Authority, and Tax Expenditures
Federal Mandates Statement
Statement of General Performance Goals and Objectives
Duplicative Federal Programs
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits
Advisory Committee Statement
Applicability to Legislative Branch
Section-by-Section Analysis of the Legislation
Changes in Existing Law Made by the Bill, as Reported
Purpose and Summary
H.R. 1158, THE ``DHS CYBER INCIDENT RESPONSE TEAMS ACT OF 2019''
The purpose of H.R. 1158, the Cyber Incident Response Teams
Act of 2019, is to authorize cyber incident response teams at
the Department of Homeland Security. H.R. 1158 codifies the
cyber incident response teams at the Department of Homeland
Security's (DHS) Cybersecurity and Infrastructure Security
Agency (CISA). Located within the National Cybersecurity and
Communications Integration Center (NCCIC), the cyber incident
response teams will provide--upon request--assistance to asset
owners and operators following a cyber incident. H.R. 1158
authorizes DHS to leverage private sector cybersecurity
resources to build capacity. H.R. 1158 further directs the
NCCIC to continually assess and evaluate the cyber incident
response teams and their operations and to periodically provide
to Congress the collected information on the metrics used for
evaluation and assessment of the cyber response teams and
operations.
Background and Need for Legislation
DHS's NCCIC currently utilizes cyber incident response
expertise in several ways. The United States Computer Emergency
Readiness Team (US-CERT), operated within the NCCIC, brings
advanced network and digital media analysis expertise to bear
on malicious activity targeting our nation's networks. US-CERT
develops timely and actionable information for distribution to
Federal departments and agencies, state and local governments,
private sector organizations, and international partners.
US-CERT's critical mission activities include: providing
cybersecurity protection to Federal civilian executive branch
agencies; responding to incidents and analyzing data about
emerging cyber threats; and collaborating with foreign
governments and international entities to enhance the nation's
cybersecurity posture.
The NCCIC's cyber incident teams, known as Hunt and
Incident Response Teams (HIRT), provide onsite incident
response, free of charge, to organizations that require
immediate investigation and resolution of cyber-attacks. These
teams provide DHS's front-line response for cyber incidents and
proactively hunt for malicious cyber activity. Upon
notification of a cyber incident, HIRT will perform a
preliminary diagnosis to determine the extent of the
compromise. When requested, HIRT can deploy a team to meet with
the affected organization to review network topology, identify
infected systems and collect other data as needed to perform
thorough follow-on analysis. They can also provide mitigation
strategies and assist asset owners and operators in restoring
service and provide recommendations for improving overall
network and control systems security. If enacted, H.R. 1158
would codify the work of US-CERT and the HIRT while providing
DHS flexibility to also call upon outside expertise.
Hearings
The Committee did not hold any hearings on H.R. 1158;
however, the following hearings informed the Committee on this
legislation.
The Subcommittee on Cybersecurity, Infrastructure
Protection, and Innovation held a hearing on April 30, 2019,
entitled ``Resourcing DHS' Cybersecurity and Innovation
Missions: A Review of the Fiscal Year 2020 Budget Request for
the Cybersecurity and Infrastructure Security Agency and the
Science and Technology Directorate.'' The Honorable Christopher
Krebs, Director, Cybersecurity and Infrastructure Security
Agency, U.S. Department of Homeland Security, testified
about CISA's ability to provide cybersecurity services.
During the 115th Congress, the Subcommittee on
Cybersecurity and Infrastructure Protection held a joint
hearing with the Subcommittee on Emerging Threats and
Capabilities of the Committee on Armed Services on November 14,
2018, entitled ``Interagency Cyber Cooperation: Roles,
Responsibilities and Authorities of the Department of Defense &
the Department of Homeland Security.'' Testimony was heard from
Ms. Jeanette Manfra, Assistant Secretary for the Office of
Cybersecurity and Communications, National Protection and
Programs Directorate, U.S. Department of Homeland Security; The
Honorable Kenneth P. Rapuano, Assistant Secretary of Defense
for Homeland Defense and Global Security, U.S. Department of
Defense; and Lieutenant General Bradford J. Shwedo, USAF,
Director for Command, Control, Communications and
Computers/Cyber, Chief Information Officer, U.S. Department of
Defense.
The Subcommittee on Cybersecurity and Infrastructure
Protection held a hearing on July 25, 2018, entitled
``Assessing the State of Federal Cybersecurity Risk
Determination.'' Testimony was heard from Mr. Ken Durbin,
Senior Strategist, Global Government Affairs, Symantec; Ms.
Summer C. Fowler, Technical Director, Cybersecurity Risk and
Resilience, Software Engineering Institute CERT, Carnegie
Mellon University; and Mr. Ari Schwartz, Managing Director of
Cybersecurity Services, Cybersecurity Risk Management Group,
Venable LLP, testifying on behalf of the Cybersecurity
Coalition and Center for Cybersecurity Policy and Law.
Committee Consideration
The Committee met on May 15, 2019, with a quorum being
present, to consider H.R. 1158 and ordered the measure to be
reported to the House with a favorable recommendation, without
amendment, by unanimous consent.
Committee Votes
Clause 3(b) of rule XIII of the Rules of the House of
Representatives requires the Committee to list the recorded
votes on the motion to report legislation and amendments
thereto.
No recorded votes were requested during consideration of
H.R. 1158.
Committee Oversight Findings
In compliance with clause 3(c)(1) of rule XIII of the Rules
of the House of Representatives, the Committee advises that the
findings and recommendations of the Committee, based on
oversight activities under clause 2(b)(1) of rule X of the
Rules of the House of Representatives, are incorporated in the
descriptive portions of this report.
Congressional Budget Office Estimate, New Budget Authority, Entitlement
Authority, and Tax Expenditures
With respect to the requirements of clause 3(c)(2) of rule
XIII of the Rules of the House of Representatives and section
308(a) of the Congressional Budget Act of 1974 and with respect
to requirements of clause 3(c)(3) of rule XIII of the Rules
of the House of Representatives and section 402 of the
Congressional Budget Act of 1974, the Committee adopts as its
own the estimate of new budget authority,
entitlement authority, or tax expenditures or revenues
contained in the cost estimate prepared by the Director of the
Congressional Budget Office.
H.R. 1158 would codify the establishment of hunt and
incident response teams (HIRTs) under the authority of the
National Cybersecurity and Communications Integration Center
(NCCIC) in the Department of Homeland Security (DHS). Under the
bill, HIRTs would continue to provide assistance to federal and
nonfederal entities affected by malicious cyber activity. The
bill also would require the NCCIC to report to the Congress on
HIRT operations at the end of each of the first four fiscal
years following the bill's enactment.
On the basis of information from DHS and considering
information about similar reporting requirements, CBO estimates
that enacting H.R. 1158 would cost less than $500,000 over the
2019-2024 period; such spending would be subject to the
availability of appropriated funds.
On February 19, 2019, CBO transmitted a cost estimate for
S. 315, the DHS Cyber Hunt and Incident Response Teams Act of
2019 as ordered reported by the Senate Committee on Homeland
Security and Governmental Affairs. The two bills are similar
and CBO's estimates of their costs are the same.
The CBO staff contact for this estimate is Aldo Prosperi.
The estimate was reviewed by Leo Lex, Deputy Assistant Director
for Budget Analysis.
Federal Mandates Statement
The Committee adopts as its own the estimate of Federal
mandates prepared by the Director of the Congressional Budget
Office pursuant to section 423 of the Unfunded Mandates Reform
Act.
Duplicative Federal Programs
Pursuant to clause 3(c) of rule XIII, the Committee finds
that H.R. 1158 does not contain any provision that establishes
or reauthorizes a program known to be duplicative of another
Federal program.
Performance Goals and Objectives
The Committee states that pursuant to clause 3(c)(4) of
rule XIII of the Rules of the House of Representatives, H.R.
1158 would authorize the Department of Homeland
Security to fulfill its cybersecurity mission by providing
support for Federal agencies and owners and operators of
critical infrastructure affected by cybersecurity incidents.
Advisory on Earmarks
In compliance with rule XXI of the Rules of the House of
Representatives, this bill, as reported, contains no
congressional earmarks, limited tax benefits, or limited tariff
benefits as defined in clause 9(d), 9(e), or 9(f) of rule
XXI.
Section-by-Section Analysis of the Legislation
Section 1. Short title
This section provides that this bill may be cited as the
``DHS Cyber Incident Response Teams Act of 2019''.
Sec. 2. Department of Homeland Security cyber incident response teams
This section amends section 2209 of the Homeland
Security Act of 2002 to formally codify the NCCIC's cyber
incident response teams. These teams can provide, as
appropriate and upon request, assistance to owners and
operators following a cyber incident; identification of cyber
risk and unauthorized cyber activity; risk management and
mitigation strategies for private sector entities; overall
recommendations for network and system controls; and other
capabilities that may be deemed appropriate. The authorization
measure reflects the Committee's continued support for the work
of these important teams.
This section also authorizes the DHS Secretary to utilize
private sector cybersecurity specialists on the cyber hunt and
incident response teams. The Committee intends for the cyber
hunt and incident response teams to work hand-in-hand with
private sector cybersecurity specialists, when appropriate. The
Committee intends for this provision to increase the talent
pool from which DHS can draw to continue to accomplish the
Department's cybersecurity mission. This section requires the
NCCIC to continually assess and assign metrics to the cyber
incident response teams' operations.
This section requires the Center to submit to the Committee
on Homeland Security of the House and Committee on Homeland
Security and Governmental Affairs of the Senate, for the first
four years after the enactment of this bill, information on the
activities of these teams. The NCCIC is required to provide
information on metrics, the total number of incident response
requests received, the number of incident response tickets
opened, all interagency staffing of incident response teams,
and the interagency collaborations established to support
incident response teams. No additional funds are authorized to
carry out the requirements of this Act.
Changes in Existing Law Made by the Bill, as Reported
In compliance with clause 3(e) of rule XIII of the Rules of
the House of Representatives, changes in existing law made by
the bill, as reported, are shown as follows (existing law
proposed to be omitted is enclosed in black brackets, new
matter is printed in italic, and existing law in which no
change is proposed is shown in roman):
HOMELAND SECURITY ACT OF 2002
* * * * * * *
TITLE XXII--CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
Subtitle A--Cybersecurity and Infrastructure Security
* * * * * * *
SEC. 2209. NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION
CENTER.
(a) Definitions.--In this section--
(1) the term ``cybersecurity risk''--
(A) means threats to and vulnerabilities of
information or information systems and any
related consequences caused by or resulting
from unauthorized access, use, disclosure,
degradation, disruption, modification, or
destruction of such information or information
systems, including such related consequences
caused by an act of terrorism; and
(B) does not include any action that solely
involves a violation of a consumer term of
service or a consumer licensing agreement;
(2) the terms ``cyber threat indicator'' and
``defensive measure'' have the meanings given those
terms in section 102 of the Cybersecurity Act of 2015;
(3) the term ``incident'' means an occurrence that
actually or imminently jeopardizes, without lawful
authority, the integrity, confidentiality, or
availability of information on an information system,
or actually or imminently jeopardizes, without lawful
authority, an information system;
(4) the term ``information sharing and analysis
organization'' has the meaning given that term in
section 2222(5);
(5) the term ``information system'' has the meaning
given that term in section 3502(8) of title 44, United
States Code; and
(6) the term ``sharing'' (including all conjugations
thereof) means providing, receiving, and disseminating
(including all conjugations of each of such terms).
(b) Center.--There is in the Department a national
cybersecurity and communications integration center (referred
to in this section as the ``Center'') to carry out certain
responsibilities of the Director. The Center shall be located
in the Cybersecurity and Infrastructure Security Agency. The
head of the Center shall report to the Assistant Director for
Cybersecurity.
(c) Functions.--The cybersecurity functions of the Center
shall include--
(1) being a Federal civilian interface for the multi-
directional and cross-sector sharing of information
related to cyber threat indicators, defensive measures,
cybersecurity risks, incidents, analysis, and warnings
for Federal and non-Federal entities, including the
implementation of title I of the Cyber security Act of
2015;
(2) providing shared situational awareness to enable
real-time, integrated, and operational actions across
the Federal Government and non-Federal entities to
address cybersecurity risks and incidents to Federal
and non-Federal entities;
(3) coordinating the sharing of information related
to cyber threat indicators, defensive measures,
cybersecurity risks, and incidents across the Federal
Government;
(4) facilitating cross-sector coordination to address
cybersecurity risks and incidents, including
cybersecurity risks and incidents that may be related
or could have consequential impacts across multiple
sectors;
(5)(A) conducting integration and analysis, including
cross-sector integration and analysis, of cyber threat
indicators, defensive measures, cybersecurity risks,
and incidents; and
(B) sharing the analysis conducted under subparagraph
(A) with Federal and non-Federal entities;
(6) upon request, providing timely technical
assistance, risk management support, and incident
response capabilities to Federal and non-Federal
entities with respect to cyber threat indicators,
defensive measures, cyber security risks, and
incidents, which may include attribution, mitigation,
and remediation;
(7) providing information and recommendations on
security and resilience measures to Federal and non-
Federal entities, including information and
recommendations to--
(A) facilitate information security;
(B) strengthen information systems against
cybersecurity risks and incidents; and
(C) sharing cyber threat indicators and
defensive measures;
(8) engaging with international partners, in
consultation with other appropriate agencies, to--
(A) collaborate on cyber threat indicators,
defensive measures, and information related to
cybersecurity risks and incidents; and
(B) enhance the security and resilience of
global cybersecurity;
(9) sharing cyber threat indicators, defensive
measures, and other information related to
cybersecurity risks and incidents with Federal and non-
Federal entities, including across sectors of critical
infrastructure and with State and major urban area
fusion centers, as appropriate;
(10) participating, as appropriate, in national
exercises run by the Department; and
(11) in coordination with the Emergency
Communications Division of the Department, assessing
and evaluating consequence, vulnerability, and threat
information regarding cyber incidents to public safety
communications to help facilitate continuous
improvements to the security and resiliency of such
communications.
(d) Composition.--
(1) In general.--The Center shall be composed of--
(A) appropriate representatives of Federal
entities, such as--
(i) sector-specific agencies;
(ii) civilian and law enforcement
agencies; and
(iii) elements of the intelligence
community, as that term is defined
under section 3(4) of the National
Security Act of 1947 (50 U.S.C.
3003(4));
(B) appropriate representatives of non-
Federal entities, such as--
(i) State, local, and tribal
governments;
(ii) information sharing and analysis
organizations, including information
sharing and analysis centers;
(iii) owners and operators of
critical information systems; and
(iv) private entities, including
cybersecurity specialists;
(C) components within the Center that carry
out cybersecurity and communications
activities;
(D) a designated Federal official for
operational coordination with and across each
sector;
(E) an entity that collaborates with State
and local governments on cybersecurity risks
and incidents, and has entered into a voluntary
information sharing relationship with the
Center; and
(F) other appropriate representatives or
entities, as determined by the Secretary.
(2) Incidents.--In the event of an incident, during
exigent circumstances the Secretary may grant a Federal
or non-Federal entity immediate temporary access to the
Center.
(f) Cyber Incident Response Teams.--
(1) In general.--The Center shall maintain cyber hunt
and incident response teams for the purpose of
providing, as appropriate and upon request, assistance,
including the following:
(A) Assistance to asset owners and operators
in restoring services following a cyber
incident.
(B) The identification of cybersecurity risk
and unauthorized cyber activity.
(C) Mitigation strategies to prevent, deter,
and protect against cybersecurity risks.
(D) Recommendations to asset owners and
operators for improving overall network and
control systems security to lower cybersecurity
risks, and other recommendations, as
appropriate.
(E) Such other capabilities as the Under
Secretary appointed under section 103(a)(1)(H)
determines appropriate.
(2) Cybersecurity specialists.--The Secretary may
include cybersecurity specialists from the private
sector on cyber hunt and incident response teams.
(3) Associated metrics.--The Center shall continually
assess and evaluate the cyber incident response teams
and their operations using robust metrics.
(4) Submittal of information to congress.--Upon the
conclusion of each of the first four fiscal years
ending after the date of the enactment of this
subsection, the Center shall submit to the Committee on
Homeland Security of the House of Representatives and
the Homeland Security and Governmental Affairs
Committee of the Senate, information on the metrics
used for evaluation and assessment of the cyber
incident response teams and operations pursuant to
paragraph (3), including the resources and staffing of
such cyber incident response teams. Such information
shall include each of the following for the period
covered by the report:
(A) The total number of incident response
requests received.
(B) The number of incident response tickets
opened.
(C) All interagency staffing of incident
response teams.
(D) The interagency collaborations
established to support incident response teams.
(e) Principles.--In carrying out the functions under
subsection (c), the Center shall ensure--
(1) to the extent practicable, that--
(A) timely, actionable, and relevant cyber
threat indicators, defensive measures, and
information related to cybersecurity risks,
incidents, and analysis is shared;
(B) when appropriate, cyber threat
indicators, defensive measures, and information
related to cybersecurity risks, incidents, and
analysis is integrated with other relevant
information and tailored to the specific
characteristics of a sector;
(C) activities are prioritized and conducted
based on the level of risk;
(D) industry sector-specific, academic, and
national laboratory expertise is sought and
receives appropriate consideration;
(E) continuous, collaborative, and inclusive
coordination occurs--
(i) across sectors; and
(ii) with--
(I) sector coordinating
councils;
(II) information sharing and
analysis organizations; and
(III) other appropriate non-
Federal partners;
(F) as appropriate, the Center works to
develop and use mechanisms for sharing
information related to cyber threat indicators,
defensive measures, cybersecurity risks, and
incidents that are technology-neutral,
interoperable, real-time, cost-effective, and
resilient;
(G) the Center works with other agencies to
reduce unnecessarily duplicative sharing of
information related to cyber threat indicators,
defensive measures, cybersecurity risks, and
incidents; and;
(H) the Center designates an agency contact
for non-Federal entities;
(2) that information related to cyber threat
indicators, defensive measures, cybersecurity risks,
and incidents is appropriately safeguarded against
unauthorized access or disclosure; and
(3) that activities conducted by the Center comply
with all policies, regulations, and laws that protect
the privacy and civil liberties of United States
persons, including by working with the Privacy Officer
appointed under section 222 to ensure that the Center
follows the policies and procedures specified in
subsections (b) and (d)(5)(C) of section 105 of the
Cybersecurity Act of 2015.
[(f)] (g) No Right or Benefit.--
(1) In general.--The provision of assistance or
information to, and inclusion in the Center, or any
team or activity of the Center, of, governmental or
private entities under this section shall be at the
sole and unreviewable discretion of the Director.
(2) Certain assistance or information.--The provision
of certain assistance or information to, or inclusion
in the Center, or any team or activity of the Center,
of, one governmental or private entity pursuant to this
section shall not create a right or benefit,
substantive or procedural, to similar assistance or
information for any other governmental or private
entity.
[(g)] (h) Automated Information Sharing.--
(1) In general.--The Director, in coordination with
industry and other stakeholders, shall develop
capabilities making use of existing information
technology industry standards and best practices, as
appropriate, that support and rapidly advance the
development, adoption, and implementation of automated
mechanisms for the sharing of cyber threat indicators
and defensive measures in accordance with title I of
the Cybersecurity Act of 2015.
(2) Annual report.--The Director shall submit to the
Committee on Homeland Security and Governmental Affairs
of the Senate and the Committee on Homeland Security of
the House of Representatives an annual report on the
status and progress of the development of the
capabilities described in paragraph (1). Such reports
shall be required until such capabilities are fully
implemented.
[(h)] (i) Voluntary Information Sharing Procedures.--
(1) Procedures.--
(A) In general.--The Center may enter into a
voluntary information sharing relationship with
any consenting non-Federal entity for the
sharing of cyber threat indicators and
defensive measures for cybersecurity purposes
in accordance with this section. Nothing in
this subsection may be construed to require any
non-Federal entity to enter into any such
information sharing relationship with the
Center or any other entity. The Center may
terminate a voluntary information sharing
relationship under this subsection, at the sole
and unreviewable discretion of the Secretary,
acting through the Director, for any reason,
including if the Center determines that the
non-Federal entity with which the Center has
entered into such a relationship has violated
the terms of this subsection.
(B) National security.--The Secretary may
decline to enter into a voluntary information
sharing relationship under this subsection, at
the sole and unreviewable discretion of the
Secretary, acting through the Director, for any
reason, including if the Secretary determines
that such is appropriate for national security.
(2) Voluntary information sharing relationships.--A
voluntary information sharing relationship under this
subsection may be characterized as an agreement
described in this paragraph.
(A) Standard agreement.--For the use of a
non-Federal entity, the Center shall make
available a standard agreement, consistent with
this section, on the Department's website.
(B) Negotiated agreement.--At the request of
a non-Federal entity, and if determined
appropriate by the Center, at the sole and
unreviewable discretion of the Secretary,
acting through the Director, the Department
shall negotiate a non-standard agreement,
consistent with this section.
(C) Existing agreements.--An agreement
between the Center and a non-Federal entity
that is entered into before the date of
enactment of this subsection, or such an
agreement that is in effect before such date,
shall be deemed in compliance with the
requirements of this subsection,
notwithstanding any other provision or
requirement of this subsection. An agreement
under this subsection shall include the
relevant privacy protections as in effect under
the Cooperative Research and Development
Agreement for Cybersecurity Information Sharing
and Collaboration, as of December 31, 2014.
Nothing in this subsection may be construed to
require a non-Federal entity to enter into
either a standard or negotiated agreement to be
in compliance with this subsection.
[(i)] (j) Direct Reporting.--The Secretary shall develop
policies and procedures for direct reporting to the Secretary
by the Director of the Center regarding significant
cybersecurity risks and incidents.
[(j)] (k) Reports on International Cooperation.--Not later
than 180 days after the date of enactment of this subsection,
and periodically thereafter, the Secretary of Homeland Security
shall submit to the Committee on Homeland Security and
Governmental Affairs of the Senate and the Committee on
Homeland Security of the House of Representatives a report on
the range of efforts underway to bolster cybersecurity
collaboration with relevant international partners in
accordance with subsection (c)(8).
[(k)] (l) Outreach.--Not later than 60 days after the date of
enactment of this subsection, the Secretary, acting through the
Director, shall--
(1) disseminate to the public information about how
to voluntarily share cyber threat indicators and
defensive measures with the Center; and
(2) enhance outreach to critical infrastructure
owners and operators for purposes of such sharing.
[(l)] (m) Cybersecurity Outreach.--
(1) In general.--The Secretary may leverage small
business development centers to provide assistance to
small business concerns by disseminating information on
cyber threat indicators, defense measures,
cybersecurity risks, incidents, analyses, and warnings
to help small business concerns in developing or
enhancing cybersecurity infrastructure, awareness of
cyber threat indicators, and cyber training programs
for employees.
(2) Definitions.--For purposes of this subsection,
the terms ``small business concern'' and ``small
business development center'' have the meaning given
such terms, respectively, under section 3 of the Small
Business Act.
[(m)] (n) Coordinated Vulnerability Disclosure.--The
Secretary, in coordination with industry and other
stakeholders, may develop and adhere to Department policies and
procedures for coordinating vulnerability disclosures.
* * * * * * *