[Senate Report 117-271]
[From the U.S. Government Publishing Office]


                                                      Calendar No. 670
117th Congress    }                                     {       Report
                                 SENATE
 2d Session       }                                     {      117-271
_______________________________________________________________________

                                     


          DEFENSE OF UNITED STATES INFRASTRUCTURE ACT OF 2021

                               __________

                              R E P O R T

                                 of the

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                                S. 2491

             TO AMEND THE HOMELAND SECURITY ACT OF 2002 TO
           ESTABLISH THE NATIONAL CYBER RESILIENCE ASSISTANCE
              FUND, TO IMPROVE THE ABILITY OF THE FEDERAL
               GOVERNMENT TO ASSIST IN ENHANCING CRITICAL
          INFRASTRUCTURE CYBER RESILIENCE TO IMPROVE SECURITY
              IN THE NATIONAL CYBER ECOSYSTEM, TO ADDRESS
            SYSTEMICALLY IMPORTANT CRITICAL INFRASTRUCTURE,
                         AND FOR OTHER PURPOSES

               December 19, 2022.--Ordered to be printed 
               
                             _________
                              
                 U.S. GOVERNMENT PUBLISHING OFFICE
                 
39-010                   WASHINGTON : 2023
               
        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware           ROB PORTMAN, Ohio
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              RAND PAUL, Kentucky
JACKY ROSEN, Nevada                  JAMES LANKFORD, Oklahoma
ALEX PADILLA, California             MITT ROMNEY, Utah
JON OSSOFF, Georgia                  RICK SCOTT, Florida
                                     JOSH HAWLEY, Missouri

                   David M. Weinberg, Staff Director
                    Zachary I. Schram, Chief Counsel
         Christopher J. Mulkins, Director of Homeland Security
         Jeffrey D. Rothblum, Senior Professional Staff Member
                Pamela Thiessen, Minority Staff Director
            Sam J. Mulopulos, Minority Deputy Staff Director
              William H.W. McKenna, Minority Chief Counsel
                     Laura W. Kilbride, Chief Clerk 




 
                DEFENSE OF UNITED STATES INFRASTRUCTURE 
                              ACT OF 2021

                                _______
                                

               December 19, 2022.--Ordered to be printed

                                _______
                                

 Mr. Peters, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                         [To accompany S. 2491]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (S. 2491), to amend the 
Homeland Security Act of 2002 to establish the National Cyber 
Resilience Assistance Fund, to improve the ability of the 
Federal Government to assist in enhancing critical 
infrastructure cyber resilience, to improve security in the 
national cyber ecosystem, to address Systemically Important 
Critical Infrastructure, and for other purposes, having 
considered the same, reports favorably thereon with an 
amendment in the nature of a substitute, and recommends that 
the bill, as amended, do pass.

                                CONTENTS

  I. Purpose and Summary
 II. Background and Need for the Legislation
III. Legislative History
 IV. Section-by-Section Analysis of the Bill, as Reported
  V. Evaluation of Regulatory Impact
 VI. Congressional Budget Office Cost Estimate
VII. Changes in Existing Law Made by the Bill, as Reported

                         I. Purpose and Summary

    S. 2491, the Defense of United States Infrastructure Act of 
2021, would amend the Homeland Security Act of 2002 to 
strengthen the authorities of government cybersecurity 
officials, improve information sharing, and enhance the 
security of software and internet protocols. S. 2491 is based 
on the recommendations of the U.S. Cyberspace Solarium 
Commission (the Commission)--a congressionally mandated 
commission comprised of legislators, federal officials, and 
private sector stakeholders. The Commission's work included 
interviewing numerous cybersecurity experts in academia, 
nonprofit, industry, and government sectors, and its report 
offered over 50 legislative recommendations to improve the U.S. 
cybersecurity posture. S. 2491 includes a number of the 
Commission's recommendations.\1\
---------------------------------------------------------------------------
    \1\United States Cyberspace Solarium Commission, Final Report (Mar. 
2020) (https://www.solarium.gov/report).
---------------------------------------------------------------------------

              II. Background and Need for the Legislation

    The Commission identified a need to bolster federal 
cybersecurity leaders' positions in order to improve the 
government's ability to respond to cybersecurity threats 
against both the government and private sector entities. One 
such recommendation was to strengthen the Director of the 
Cybersecurity and Infrastructure Security Agency (CISA) by 
setting a fixed term limit for the role. The Director of CISA 
is currently a Senate confirmed political appointee without a 
specific term limit, like most other political appointees.\2\ 
The Commission recommended that the Director be given a five-
year term limit, which would be half the length of the 
Federal Bureau of Investigation (FBI) Director's term of 10 
years and the same term length as that of the Transportation 
Security Agency (TSA) Administrator.\3\ This would allow greater 
continuity and empower the Director to develop and implement 
multi-year strategies for CISA.\4\
---------------------------------------------------------------------------
    \2\Homeland Security Act of 2002, as amended, Pub. L. 107-296, Sec. 
103.
    \3\Pub. L. No. 94-503 (1976) and 49 U.S.C. Sec. 114.
    \4\United States Cyberspace Solarium Commission, Final Report (Mar. 
2020) (https://www.solarium.gov/report).
---------------------------------------------------------------------------
    The Commission also recommended that Congress create the 
National Cyber Director (NCD) to be the President's primary 
cybersecurity advisor, and Congress established the position in 
the National Defense Authorization Act for Fiscal Year 2021.\5\ 
However, the NCD is currently unable to offer excepted service 
positions, which may hinder the NCD's ability to hire and 
retain staff who could receive more competitive compensation 
in the private sector. This legislation would require the NCD 
to create an implementation plan to hire excepted service 
employees.
---------------------------------------------------------------------------
    \5\Pub. L. No. 116-283 (2021).
---------------------------------------------------------------------------
    The Commission found barriers to sharing cyber threat 
intelligence among agencies and with private sector partners. 
While the federal government has a number of programs that 
collect information on cybersecurity threats, ``the data or 
information is not routinely shared or cross-correlated at the 
speed and scale necessary for rapid detection and 
identification.''\6\ Without data that can be queried and 
analyzed in real-time, the federal government has a fragmented 
picture of the threat landscape, which can cause ``confusion'' 
and add ``burdens'' to the private sector, limiting the 
effectiveness of the government and private sector to respond 
to cyber threats.\7\
---------------------------------------------------------------------------
    \6\United States Cyberspace Solarium Commission, Final Report (Mar. 
2020) (https://www.solarium.gov/report).
    \7\Id.
---------------------------------------------------------------------------
    Additionally, the Commission's report discussed the need to 
improve the ``cyber ecosystem,'' including improving the 
security of Border Gateway Protocol (BGP) and the Domain Name 
System (DNS), key components of the internet which have been 
exploited by malicious actors.\8\ BGP was not designed to be 
secure and is vulnerable to cyber-attacks; the National 
Institute of Standards and Technology (NIST) found that the 
exploitation of such vulnerabilities could have far-reaching 
effects. NIST Special Publication 800-54, Border Gateway 
Protocol Security, states that ``[b]ecause of the volume of 
commercial transactions conducted over the Internet, plus 
increasing use of the Internet for voice communications (voice 
over IP [VOIP]), such an outage could have a significant impact 
on the economy, and possibly interrupt critical functions such 
as emergency services communications.''\9\ One report found 
that in the first five months of 2020, 23% of all incidents 
affecting the functionality of BGP were caused by cyber 
attacks.\10\
---------------------------------------------------------------------------
    \8\There have been numerous instances of cybersecurity attacks on 
both BGP and DNS by malicious actors. E.g., Russian telco hijacks 
internet traffic for Google, AWS, Cloudflare, and others, ZDNET (Apr. 
5, 2020) (https://www.zdnet.com/article/russian-telco-hijacks-internet-
traffic-for-google-aws-cloudflare-and-others) and Mandiant, Global DNS 
Hijacking Campaign: DNS Record Manipulation at Scale (Jan. 9, 2019) 
(https://www.mandiant.com/resources/blog/global-dns-hijacking-campaign-
dns-record-manipulation-at-scale).
    \9\National Institute of Standards and Technology, Border Gateway 
Protocol Security, (NIST Special Publication 800-54), at 3-1 (https://
nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-54.pdf).
    \10\Atlantic Council, The Politics of Internet Security: Private 
Industry and the Future of the Web (Oct. 5, 2020) (https://
www.atlanticcouncil.org/in-depth-research-reports/report/the-politics-
of-internet-security-private-industry-and-the-future-of-the-web/
#routing).
---------------------------------------------------------------------------
    DNS is the system by which a domain name is translated into 
an Internet Protocol (IP) address, thereby directing the end-
user to the appropriate source without the user having to know 
the series of numbers contained in the IP address.\11\ Because 
DNS was not designed to be secure, attackers have been able to 
exploit characteristics of the system ``to direct users to 
fake websites designed to steal login credentials and other 
sensitive information.''\12\ The legislation would require the 
Department of Commerce to consult with relevant federal 
agencies and private-sector stakeholders to develop a strategy 
to better secure BGP and DNS.
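The following is an added illustration, not part of the Committee's report or of S. 2491, of one measure of the kind the strategy under section 202 would encourage for BGP: route origin validation against Resource Public Key Infrastructure (RPKI) data, following the procedure in RFC 6811. The report itself names no particular measure, so the choice of RPKI is an assumption; the route origin authorizations (ROAs), prefixes and autonomous system numbers below are likewise constructed for illustration from the documentation ranges reserved by RFC 5737, RFC 3849 and RFC 5398 and describe no real network.

```python
"""Route origin validation (RFC 6811) over constructed sample data.

Added illustration; not code from the Committee report or from S. 2491.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: the holder of `prefix` authorizes
    `origin_asn` to announce it, and any more-specific prefix no longer
    than `max_length`."""
    prefix: str
    max_length: int
    origin_asn: int


# Constructed sample ROAs. Prefixes come from the RFC 5737 / RFC 3849
# documentation ranges and ASNs from the RFC 5398 documentation range;
# none of this reflects real routing data.
SAMPLE_ROAS: List[ROA] = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("203.0.113.0/24", 26, 64498),   # may be de-aggregated down to /26
    ROA("2001:db8::/32", 48, 64499),
    ROA("198.51.100.0/24", 24, 0),      # AS0 ROA: no AS may announce this space
]


def _covers(roa_prefix: str, route: Network) -> bool:
    """True when the ROA prefix is the same family as, and equal to or a
    supernet of, the announced prefix."""
    roa_net = ipaddress.ip_network(roa_prefix)
    return roa_net.version == route.version and route.subnet_of(roa_net)


def validate_origin(prefix: str, origin_asn: int, roas: Sequence[ROA]) -> str:
    """Classify an announced (prefix, origin AS) pair as "Valid", "Invalid"
    or "NotFound", following RFC 6811 section 2."""
    route = ipaddress.ip_network(prefix, strict=True)
    # Only ROAs whose prefix covers the announced prefix are considered.
    candidates = [r for r in roas if _covers(r.prefix, route)]
    if not candidates:
        return "NotFound"          # no ROA speaks to this prefix at all
    for roa in candidates:
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "Valid"         # some covering ROA authorizes this origin/length
    return "Invalid"               # covered, but by no matching authorization


def flag_invalid(announcements: Sequence[Tuple[str, int]],
                 roas: Sequence[ROA]) -> List[Tuple[str, int]]:
    """Return the announcements a validating router would reject."""
    return [(p, a) for p, a in announcements
            if validate_origin(p, a, roas) == "Invalid"]


# Constructed announcements exercising each outcome of the procedure.
SAMPLE_ANNOUNCEMENTS: List[Tuple[str, int]] = [
    ("192.0.2.0/24", 64496),     # legitimate origin
    ("192.0.2.0/24", 64500),     # same prefix from an unauthorized origin
    ("203.0.113.0/25", 64498),   # de-aggregation within max_length
    ("203.0.113.0/27", 64498),   # more specific than max_length allows
    ("198.51.100.0/24", 64497),  # space covered only by an AS0 ROA
    ("2001:db8:1::/48", 64499),  # legitimate IPv6 announcement
    ("10.0.0.0/8", 64496),       # no ROA covers this prefix
]

if __name__ == "__main__":
    for p, a in SAMPLE_ANNOUNCEMENTS:
        print(f"{p:>18} from AS{a}: {validate_origin(p, a, SAMPLE_ROAS)}")
```

Under this procedure an announcement of 192.0.2.0/24 from AS 64500, where the address holder has authorized only AS 64496, is classified Invalid and can be dropped or de-preferenced by a validating router, which is the class of mis-origination the hijacking incidents cited in footnote 8 describe. A NotFound result (no ROA at all) is not rejected, which is why the measure protects only the prefixes whose holders have published ROAs.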
---------------------------------------------------------------------------
    \11\National Institute of Standards and Technology, Secure Domain 
Name System (DNS) Deployment Guide, (NIST Special Publication 800-81-2) 
(https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-
2.pdf).
    \12\Cloudflare, The global DNS hijacking threat (https://
www.cloudflare.com/learning/security/global-dns-hijacking-threat) 
(accessed Dec. 6, 2022).
---------------------------------------------------------------------------
    Cybersecurity experts and the Commission have called for a 
``cyber energy green star'' or ``cyber nutrition label'' to 
inform consumers and businesses of the software that is 
contained in their applications or devices.\13\ S. 2491 would 
require the NCD to provide a report to Congress on current 
federal efforts to develop such security certifications and 
labels for information technology and operational technology 
products and services.
---------------------------------------------------------------------------
    \13\United States Cyberspace Solarium Commission, Final Report 
(Mar. 2020) (https://www.solarium.gov/report); Public Knowledge, 
Creating a Cybersecurity ``Energy Star'' (Jul. 20, 2018) (https://
publicknowledge.org/creating-a-cybersecurity-energy-star/); Symantec 
Enterprise Blogs, Why we need a Security and Privacy ``Nutrition 
Label'' for IoT Devices (Feb. 19, 2019) (https://symantec-enterprise-
blogs.security.com/blogs/expert-perspectives/why-we-need-security-and-
privacy-nutrition-label-iot-devices).
---------------------------------------------------------------------------

                        III. Legislative History

    Senators King (I-ME), Rounds (R-SD), and Sasse (R-NE) 
introduced S. 2491, the Defense of United States Infrastructure 
Act of 2021, on July 27, 2021. The bill was referred to the 
Senate Committee on Homeland Security and Governmental Affairs. 
Senator Rosen (D-NV) joined as a cosponsor on August 3, 2021; 
Senator Hassan (D-NH) joined as a cosponsor on October 19, 
2021; and Senator Ossoff (D-GA) joined as a cosponsor on 
November 4, 2021.
    The Committee considered S. 2491 at a business meeting on 
November 3, 2021. During the business meeting, Senators Rosen 
and Hassan offered a substitute amendment to make technical 
amendments and strike several sections of the introduced bill, 
which was adopted by unanimous consent. The Committee ordered 
the bill, as amended, reported favorably by voice vote with 
Senators Johnson, Scott, and Hawley recorded as voting ``no.'' 
Senators present for the vote were: Peters, Hassan, Sinema, 
Rosen, Padilla, Ossoff, Portman, Johnson, Lankford, Romney, 
Scott, and Hawley.

        IV. Section-by-Section Analysis of the Bill, as Reported


Section 1. Short title

    This section designates the short title of the bill as the 
``Defense of United States Infrastructure Act of 2021'' and 
lists a table of contents.

Section 2. Definitions

    This section defines ``critical infrastructure,'' 
``cybersecurity risk,'' ``Department,'' and ``Secretary.''

 TITLE I--IMPROVING THE ABILITY OF THE FEDERAL GOVERNMENT TO ASSIST IN 
              ENHANCING CRITICAL INFRASTRUCTURE RESILIENCE

Section 101. Institute a 5-year term for the Director of the 
        Cybersecurity and Infrastructure Security Agency

    Subsection (a) amends the Homeland Security Act of 2002 to 
create a five-year term for the Director of CISA.
    Subsection (b) creates a transition rule such that the 
five-year term will take effect on the first appointment of the 
CISA Director made on or after the date of enactment of this 
Act.

Section 102. Pilot program on cyber threat information collaboration 
        environment

    Subsection (a) defines ``critical infrastructure 
information,'' ``cyber threat indicator,'' ``cybersecurity 
threat,'' ``environment,'' ``information sharing and analysis 
organization,'' and ``non-federal entity.''
    Subsection (b) requires the Secretary of the Department of 
Homeland Security (DHS), in consultation with the Secretary of 
Defense, the Director of National Intelligence, the Director of 
the National Security Agency, and the Attorney General to 
create a pilot program to develop an information collaboration 
environment and associated analytic tools that enable federal 
and non-federal entities to identify, mitigate, and prevent 
malicious cyber activity.
    Subsection (c) requires the Secretary of DHS to coordinate 
with the Secretary of Defense, the Director of National 
Intelligence, the Director of the National Security Agency, and 
the Attorney General to identify, inventory, and evaluate 
existing federal sources of classified and unclassified 
information; evaluate current programs, applications, or 
platforms intended to detect, identify, analyze, and monitor 
cybersecurity risks and cybersecurity threats; consult with 
public and private sector critical infrastructure entities to 
identify public and private critical infrastructure cyber 
threat capabilities, needs, and gaps; and identify existing 
tools, capabilities, and systems that may be adapted to achieve 
the purposes of the environment to maximize return on 
investment and minimize cost. This subsection also requires the 
Secretary of DHS to begin implementing the environment no later 
than one year after completing the evaluation. This subsection 
provides requirements that the environment must abide by. No 
later than a year after the enactment of this bill and every 
year thereafter until the date that is one year after the pilot 
program terminates, the Secretary of DHS shall submit to 
Congress a report on federal government participation in the 
environment; non-federal entity participation in the 
environment; the impact on positive security outcomes; barriers 
to fully realizing the benefit of the environment; and any 
additional authorities or resources to execute the environment.
    Subsection (d) requires the Secretary of DHS to coordinate 
with the Secretary of Defense, the Director of National 
Intelligence, the Director of the National Security Agency, and 
the Attorney General to establish data standards and 
requirements for non-Federal entities to participate in the 
environment.
    Subsection (e) requires the pilot to sunset five years 
after the date of the enactment of this Act.

      TITLE II--IMPROVING SECURITY IN THE NATIONAL CYBER ECOSYSTEM

Section 201. Report on cybersecurity certifications and labeling

    This section requires the NCD, in consultation with the 
Director of NIST and the Director of CISA, to identify and 
assess existing efforts by the federal government to create, 
administer, or otherwise support the use of certifications or 
labels to communicate the security or security characteristics 
of information technology or operational technology products 
and services; and to assess the viability of and need for a new 
program at DHS to harmonize information technology and 
operational technology product and service security 
certification and labeling efforts across the federal 
government and between the federal government and the private 
sector.

Section 202. Secure foundational internet protocols

    Subsection (a) defines ``border gateway protocol,'' 
``domain name system,'' and ``information and communications 
technology infrastructure providers.''
    Subsection (b) requires the Assistant Secretary for 
Communications and Information of the Department of Commerce, 
in coordination with the Director of NIST and the Director of 
CISA, to establish a working group of appropriate stakeholders 
to submit to Congress a strategy to encourage implementation of 
measures to secure the border gateway protocol and the domain 
name system.

            TITLE III--ENABLING THE NATIONAL CYBER DIRECTOR

Section 301. Establishment of hiring authorities for the Office of the 
        National Cyber Director

    Subsection (a) defines ``director,'' ``excepted service,'' 
``office,'' and ``qualified position.''
    Subsection (b) requires the NCD to craft an implementation 
plan for positions in the excepted service in the Office of the 
NCD, propose rates of basic pay for qualified positions, and 
detail proposals to provide employees in qualified positions 
compensation.

                   V. Evaluation of Regulatory Impact

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this bill and determined 
that the bill will have no regulatory impact within the meaning 
of the rules. The Committee agrees with the Congressional 
Budget Office's statement that the bill contains no 
intergovernmental or private-sector mandates as defined in the 
Unfunded Mandates Reform Act (UMRA) and would impose no costs 
on state, local, or tribal governments.

             VI. Congressional Budget Office Cost Estimate

                                     U.S. Congress,
                               Congressional Budget Office,
                                  Washington, DC, January 11, 2022.
Hon. Gary C. Peters,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S. 
        Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for S. 2491, the Defense of 
United States Infrastructure Act of 2021.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Aldo 
Prosperi.
            Sincerely,
                                         Phillip L. Swagel,
                                                          Director.
    Enclosure.


    S. 2491 would require the Department of Homeland Security 
(DHS) to carry out a five-year program to share information 
about cybersecurity threats and vulnerabilities with the owners 
of critical infrastructure (such as power generation and water 
treatment plants). The bill also would require DHS to report on 
other federal cybersecurity efforts, such as providing safety 
labels for cybersecurity products and mitigating malicious 
Internet traffic.
    Using information from other agencies that share 
information about cyber threats--including the Department of 
Defense and the Office of the Director of National 
Intelligence--CBO anticipates that DHS would need ten full-time 
employees to create and manage the pilot program required under 
S. 2491. For this estimate, CBO assumes that the bill will be 
enacted in fiscal year 2022 and that DHS would begin to operate 
the pilot program in 2023. CBO estimates that staff salaries 
and software development costs to share cyber alerts would cost 
$4 million annually and total $16 million over the 2022-2026 
period; such spending would be subject to the availability of 
appropriated funds.
    The CBO staff contact for this estimate is Aldo Prosperi. 
The estimate was reviewed by Leo Lex, Deputy Director of Budget 
Analysis.

       VII. Changes in Existing Law Made by the Bill, as Reported

    In compliance with paragraph 12 of rule XXVI of the 
Standing Rules of the Senate, changes in existing law made by 
the bill, as reported, are shown as follows: (existing law 
proposed to be omitted is enclosed in brackets, new matter is 
printed in italic, and existing law in which no change is 
proposed is shown in roman):

UNITED STATES CODE

           *       *       *       *       *       *       *


TITLE 6--DOMESTIC SECURITY

           *       *       *       *       *       *       *


CHAPTER 1--HOMELAND SECURITY ORGANIZATION

           *       *       *       *       *       *       *



   Subchapter XVIII--Cybersecurity and Infrastructure Security Agency


PART A--CYBERSECURITY AND INFRASTRUCTURE SECURITY

           *       *       *       *       *       *       *


SEC. 652. CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

    (a) * * *
    (b) Director.--
          (1) In general.--The Agency shall be headed by a 
        Director of Cybersecurity and Infrastructure Security 
        (in this part referred to as the ``Director''), who 
        shall report to the Secretary. The term of office of an 
        individual serving as Director shall be 5 years.

           *       *       *       *       *       *       *

