[Senate Report 116-27]
[From the U.S. Government Publishing Office]
Calendar No. 62
116th Congress } { Report
SENATE
1st Session } { 116-27
_______________________________________________________________________
DHS CYBER HUNT AND INCIDENT RESPONSE TEAMS ACT OF 2019
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
S. 315
TO AUTHORIZE CYBER HUNT AND INCIDENT RESPONSE TEAMS
AT THE DEPARTMENT OF HOMELAND SECURITY, AND FOR OTHER PURPOSES
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
April 8, 2019.--Ordered to be printed
______
U.S. GOVERNMENT PUBLISHING OFFICE
89-010 WASHINGTON : 2019
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
RON JOHNSON, Wisconsin, Chairman
ROB PORTMAN, Ohio GARY C. PETERS, Michigan
RAND PAUL, Kentucky THOMAS R. CARPER, Delaware
JAMES LANKFORD, Oklahoma MAGGIE HASSAN, New Hampshire
MITT ROMNEY, Utah KAMALA D. HARRIS, California
RICK SCOTT, Florida KYRSTEN SINEMA, Arizona
MICHAEL B. ENZI, Wyoming JACKY ROSEN, Nevada
JOSH HAWLEY, Missouri
Gabrielle D'Adamo Singer, Staff Director
Joseph C. Folio, III, Chief Counsel
Colleen E. Berny, Professional Staff Member
David M. Weinberg, Minority Staff Director
Zachary I. Schram, Minority Chief Counsel
Alexa E. Noruk, Minority Director of Homeland Security
Laura W. Kilbride, Chief Clerk
Calendar No. 62
116th Congress } { Report
SENATE
1st Session } { 116-27
======================================================================
DHS CYBER HUNT AND INCIDENT RESPONSE TEAMS
ACT OF 2019
_______
April 8, 2019.--Ordered to be printed
_______
Mr. Johnson, from the Committee on Homeland Security and Governmental
Affairs, submitted the following
R E P O R T
[To accompany S. 315]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (S. 315) to authorize
cyber hunt incident response teams at the Department of
Homeland Security, and for other purposes, having considered
the same, reports favorably thereon with an amendment (in the
nature of a substitute) and recommends that the bill, as
amended, do pass.
CONTENTS
Page
I. Purpose and Summary..............................................1
II. Background and Need for the Legislation..........................2
III. Legislative History..............................................4
IV. Section-by-Section Analysis......................................4
V. Evaluation of Regulatory Impact..................................5
VI. Congressional Budget Office Cost Estimate........................5
VII. Changes in Existing Law Made by the Bill, as Reported............6
I. Purpose and Summary
The purpose of S. 315, the Department of Homeland Security
Cyber Hunt and Incident Response Teams Act of 2019, is to
authorize the Department of Homeland Security (DHS, or the
Department) to maintain cyber hunt and incident response teams
(teams), codify an existing program within the Department, and
foster public-private cooperation. The legislation instructs
the Department to ensure that the teams assist in protecting
infrastructure from cyber threats and help restore the
functionality of private or public infrastructure following a
cyberattack. The teams must also identify cybersecurity risks,
develop mitigation strategies, and provide guidance to
infrastructure owners.
The bill helps build public-private partnerships by
authorizing the Department to include private cybersecurity
specialists on the teams. To help inform the Congress about the
extent to which the teams are effective in accomplishing their
mission and whether the Department was effectively mitigating
cybersecurity risk, the Department must maintain metrics that
are quantifiable, actionable, can make the teams more
effective, and provide reports to the appropriate Congressional
committees.\1\
---------------------------------------------------------------------------
\1\On September 26, 2018, the Committee approved S. 3309, DHS Cyber
Incident Response Teams Act of 2018. That bill is substantially similar
to S. 315. Accordingly, this committee report is in large part a
reproduction of Chairman Johnson's committee report for S. 3309, S.
Rep. No. 115-412.
---------------------------------------------------------------------------
II. Background and Need For the Legislation
In 2009, the Department created the National Cybersecurity
and Communications Integration Center (NCCIC) to coordinate and
streamline the nation's response to cyber threats.\2\ The
National Cybersecurity Protection Act of 2014 and the amendment
by the Cybersecurity Act of 2015 authorized the NCCIC to
``receive, analyze, and disseminate information about
cybersecurity risks and incidents and to provide guidance,
assessments, incident response support, and other technical
assistance upon request.''\3\
---------------------------------------------------------------------------
\2\Press Release, Dep't of Homeland Sec., Secretary Napolitano
Opens New National Cybersecurity and Communications Integration Center
(Oct. 30, 2009), available at https://www.dhs.gov/news/2009/10/30/new-
national-cybersecurity-center-opened.
\3\Dep't of Homeland Sec., U.S. Department of Homeland Security
Cybersecurity Strategy (May 15, 2018), available at https://
www.dhs.gov/sites/default/files/publications/DHS-Cybersecurity-
Strategy_0.pdf.
---------------------------------------------------------------------------
In an effort to advance these responsibilities, the NCCIC
combined the incident response capabilities within the United
States Computer Emergency Readiness Team and the Industrial
Control Systems Computer Emergency Response Team, to form the
Hunt and Incident Response Team (HIRT).\4\ The goal of HIRT is
to provide ``onsite incident response, free of charge, to
organizations that require immediate investigation and
resolution of cyber-attacks.''\5\ According to the NCCIC:
---------------------------------------------------------------------------
\4\See Dep't of Homeland Sec., Nat'l Cybersecurity & Commc'ns
Integration Ctr., NCCIC Fact Sheet (last accessed Mar. 12, 2019),
available at https://ics-cert.us-cert.gov/sites/default/files/
FactSheets/NCCIC%20ICS_FactSheet_NCCIC%20ICS_S508C.pdf.
\5\Id.
Upon notification of a cyber incident, HIRT will
perform a preliminary diagnosis to determine the extent
of the compromise. At the customer's request, HIRT can
deploy a team to meet with the affected organization to
review network topology, identify infected systems,
image drives for analysis, and collect other data as
needed to perform thorough follow on analysis. HIRT is
able to provide mitigation strategies and assist asset
owners/operators in restoring service and provide
recommendations for improving overall network and
control systems security.\6\
---------------------------------------------------------------------------
\6\Id.
During the 115th Congress, the Committee held hearings
regarding cyber threats facing the United States and the need
to mitigate the nation's cybersecurity risk. In May 2017, Mr.
Stephen Chabinsky, a former official with the Federal Bureau of
Investigation and a cybersecurity expert, testified before the
Committee and described the cybersecurity landscape in stark
---------------------------------------------------------------------------
terms:
The cyber threat is real and growing. Our
vulnerabilities are real and growing. Our reliance on
technology is real and growing. The harm from cyber-
attacks is real and growing. Government agency cyber
risk is real and growing. The risk to our national
security is real and growing. The amount of time,
money, and talent that our country is diverting from
other issues and devoting to cybersecurity is real and
growing. All of these problems are real and growing,
and they are getting worse.\7\
---------------------------------------------------------------------------
\7\Cyber Threats Facing America: An Overview of the Cybersecurity
Threat Landscape: Hearing before S. Comm. on Homeland Sec. &
Governmental Affairs 115th Cong. (2017) (statement of Steven Chabinsky,
Global Chair of Data, Privacy, and Cyber Security, White & Case LLP),
https://www.hsgac.senate.gov/imo/media/doc/Testimony-Chabinsky-2017-05-
10-REVISED.pdf.
The Committee also heard testimony about the role that the
Department of Homeland Security plays in addressing national
cybersecurity risk. In April 2018, Jeanette Manfra, Assistant
Secretary, Office of Cybersecurity and Communications, with the
former National Protection and Programs Directorate (NPPD), now
the Cybersecurity and Infrastructure Security Agency, testified
---------------------------------------------------------------------------
about their role:
We endeavor to enhance cyber threat information-
sharing across the globe to stop cyber incidents before
they start and help businesses and government agencies
to protect their cyber systems and quickly recover
should such an attack occur.\8\
---------------------------------------------------------------------------
\8\Mitigating America's Cybersecurity Risk: Hearing before S. Comm.
on Homeland Sec. & Governmental Affairs 115th Cong. (2018) (statement
of Jeanette Manfra, Assistant Sec., Office of Cybersecurity &
Communications, Nat'l Programs & Prot. Directorate, U.S. Dep't of
Homeland Sec.), available at https://www.hsgac.senate.gov/imo/media/
doc/Testimony-Manfra-2018-04-24.pdf.
Gregory Wilshusen, Director of Information Security Issues
at the Government Accountability Office, testified about the
Department's need to ``enhance efforts to improve and promote
the security of federal and private sector networks.''\9\ Mr.
Wilshusen described opportunities for the NCCIC to enhance its
work to support national cybersecurity:
---------------------------------------------------------------------------
\9\Id. (statement of Gregor Wilshusen, Director of Information
Security Issues, U.S. Gov't Accountability Office), available at
https://www.hsgac.senate.gov/imo/media/doc/Testimony-Wilshusen-2018-04-
24.pdf.
[T]he extent to which the [NCCIC] had performed its
required functions in accordance with statutorily
defined implementing principles was unclear, in part,
because the [NCCIC] had not established metrics and
methods by which to evaluate its performance against
the principles. Further, in its role as the lead
federal agency for collaborating with eight critical
infrastructure sectors including the communications and
dams sectors, DHS had not developed metrics to measure
and report on the effectiveness of its cyber risk
mitigation activities or on the cybersecurity posture
of the eight sectors.\10\
---------------------------------------------------------------------------
\10\Id.
S. 315 codifies the Department's cyber hunt and incident
response teams and requires the NCCIC to assess the cyber
incident response teams and their operations. The legislation
also requires the NCCIC to define the teams' goals and
outcomes, and develop appropriate metrics. These metrics must
be quantifiable, actionable, and improve the overall
effectiveness and accountability of the teams. A report to the
appropriate congressional committees on the metrics and
additional data on the teams' performance is required for each
of the first four fiscal years after date of enactment. The
combinations of these metrics and reporting will help Congress
better understand the team's and NCCIC's ability to mitigate
national cybersecurity risk.
III. Legislative History
Senators Margaret Wood Hassan (D-NH) and Rob Portman (R-OH)
introduced S. 315 on January 31, 2019. The bill was referred to
the Committee on Homeland Security and Governmental Affairs.
The Committee considered S. 315 at a business meeting on
February 13, 2019. Senator Hassan offered a substitute
amendment that made technical changes, required the Department
to define the teams' goals and desired outcomes, and further
clarified the evaluation metrics, including requiring the
Department to develop appropriate metrics that are quantifiable
and actionable. The Committee adopted the substitute amendment
and ordered the bill, as amended, reported favorably by voice
vote en bloc. Senators present for both the vote on the
substitute amendment and the vote on the bill as amended were:
Johnson, Portman, Paul, Lankford, Romney, Scott, Enzi, Hawley,
Peters, Carper, Hassan, Harris, Sinema, and Rosen.
IV. Section-by-Section Analysis of the Bill, as Reported
Section 1. Short title
This section provides the bill's short title, the ``DHS
Cyber Hunt and Incident Response Teams Act of 2019.''
Section 2. Department of Homeland Security cyber hunt incident response
teams
Subsection (a) amends the Homeland Security Act to allow
DHS to include private sector cybersecurity specialists in the
composition of entities and persons at the NCCIC, as well as
members of cyber hunt and incident response teams.
The subsection further authorizes the NCCIC to maintain
cyber hunt and incident response teams to provide assistance
upon request for specific purposes. The legislation authorizes
the teams to provide cybersecurity response and technical
assistance, upon request, to Federal and non-Federal entities.
The types of assistance can include, ``restoring services
following a cyber incident''; ``identification of cybersecurity
risk and unauthorized cyber activity''; ``mitigation strategies
to prevent, deter, and protect against cybersecurity risks'';
and ``recommendations to asset owners and operators for
improving overall network and control systems security to lower
cybersecurity risks''.
This subsection also requires the NCCIC to define the goals
and outcomes for the teams and develop metrics. The metrics are
required to be quantifiable, actionable, and be used to improve
the teams' overall effectiveness and accountability. The
subsection also states that the Secretary may include private
sector cybersecurity specialists on the teams after providing
notice to a requesting entity, and with their approval.
Subsection (b) requires a yearly report to the appropriate
Congressional Committees evaluating the teams, including
incident data and interagency staffing information.
Subsection (c) states that no additional funds are
authorized by the legislation.
V. Evaluation of Regulatory Impact
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have no regulatory impact within the meaning
of the rules. The Committee agrees with the Congressional
Budget Office's statement that the bill contains no
intergovernmental or private-sector mandates as defined in the
Unfunded Mandates Reform Act (UMRA) and would impose no costs
on state, local, or tribal governments.
VI. Congressional Budget Office Cost Estimate
U.S. Congress,
Congressional Budget Office,
Washington, DC, February 19, 2019.
Hon. Ron Johnson, Chairman,
Committee on Homeland Security and Governmental Affairs,
U.S. Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 315, the DHS Cyber
Hunt and Incident Response Teams Act of 2019.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Aldo
Prosperi.
Sincerely,
Keith Hall,
Director.
Enclosure.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
S. 315 would codify the role and responsibilities of
existing hunt and incident response teams (HIRTs) under the
authority of the National Cybersecurity and Communications
Integration Center (NCCIC) in the Department of Homeland
Security (DHS). Under the bill, HIRTs would continue to provide
assistance to federal and nonfederal entities affected by
malicious cyber activity.
S. 315 also would require the NCCIC to report to the
Congress on HIRT operations at the end of each of the first
four fiscal years following the bill's enactment. On the basis
of information from DHS and considering information about
similar reporting requirements, CBO estimates that enacting S.
315 would cost less than $500,000 over the 2019-2024 period;
such spending would be subject to the availability of
appropriated funds.
The CBO staff contact for this estimate is Aldo Prosperi.
The estimate was reviewed by Leo Lex, Deputy Assistant Director
for Budget Analysis.
VII. Changes in Existing Law Made by the Bill, as Reported
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, changes in existing law made by
S. 315 as reported are shown as follows (existing law proposed
to be omitted is enclosed in brackets, new matter is printed in
italic, and existing law in which no change is proposed is
shown in roman):
HOMELAND SECURITY ACT OF 2002
* * * * * * *
TITLE II--INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION
* * * * * * *
Subtitle B--Critical Infrastructure Information
* * * * * * *
SEC. 227. NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER.
* * * * * * *
(a) * * *
* * * * * * *
(d) Composition.--
(1) In general.--The Center shall be composed of--
(A) * * *
(B) appropriate representatives of non-
Federal entities, such as--
(i) State, local, and tribal
governments;
(ii) information sharing and analysis
organizations, including information
sharing and analysis centers;
(iii) owners and operators of
critical information systems; and
(iv) private entities, including
cybersecurity specialists;
* * * * * * *
(e) * * *
(f) Cyber Hunt and Incident Response Teams.--
(1) In general.--The Center shall maintain cyber hunt
and incident response teams for the purpose of leading
Federal asset response activities and providing timely
technical assistance to Federal and non-Federal
entities, including across all critical infrastructure
sectors, regarding actual or potential security
incidents, as appropriate and upon request, including--
(A) assistance to asset owners and operators
in restoring services following a cyber
incident;
(B) identification and analysis of
cybersecurity risk and unauthorized cyber
activity;
(C) mitigation strategies to prevent, deter,
and protect against cybersecurity risks;
(D) recommendations to asset owners and
operators for improving overall network and
control systems security to lower cybersecurity
risks, and other recommendations, as
appropriate; and
(E) such other capabilities as the Secretary
determines appropriate.
(2) Associated metrics.--The Center shall--
(A) define the goals and desired outcomes for
each cyber hunt and incident response team; and
(B) develop metrics--
(i) to measure the effectiveness and
efficiency of each cyber hunt and
incident response team in achieving the
goals and desired outcomes defined
under subparagraph (A); and
(ii) that--
(I) are quantifiable and
actionable; and
(II) the Center shall use to
improve the effectiveness and
accountability of, and service
delivery by, cyber hunt and
incident response teams.
(3) Cybersecurity specialists.--After notice to, and
with the approval of, the entity requesting action by
or technical assistance from the Center, the Secretary
may include cybersecurity specialists from the private
sector on a cyber hunt and incident response team.
[f](g) No Right or Benefit.--
(1) In general.--The provision of assistance or
information to, and inclusion in the Center, or any
team or activity of the Center, of, governmental or
private entities under this section shall be at the
sole and unreviewable discretion of the Under Secretary
appointed under section 103(a)(1)(H).
(2) Certain assistance or information.--The provision
of certain assistance or information to, or inclusion
in the Center, or any team or activity of the Center,
of, one governmental or private entity pursuant to this
section shall not create a right or benefit,
substantive or procedural, to similar assistance or
information for any other governmental or private
entity.
[g](h) Automated Information Sharing.--
* * * * * * *
[h](i) Voluntary Information Sharing Procedures.--
* * * * * * *
[i](j) Direct Reporting.--* * *
[j](k) Reports on International Cooperation.--* * *
[k](l) Outreach.--* * *
* * * * * * *
[l](m) Cybersecurity Outreach.--
* * * * * * *
[m](n) Coordinated Vulnerability Disclosure.--* * *
* * * * * * *
[all]