Cybersecurity

DHS cyber shakeup faces new hurdles

An effort in Congress to reorganize the Department of Homeland Security’s cybersecurity efforts is finally gaining steam, but faces an uncertain fate as lawmakers leave for the August recess.

The prospect for reorganizing the National Protection and Programs Directorate (NPPD) took a big step this week. A key House committee advanced legislation that would rename the DHS office and spin it out into its own operational agency—giving lawmakers pushing for changes new optimism.

Former officials say that elevating the department’s cyber wing will add more muscle to DHS’s cybersecurity efforts, giving it more credibility to handle the security of civilian federal government networks and critical infrastructure.

{mosads}

But while they are encouraged by the action on the issue, some warn lawmakers need to act more quickly and worry about additional obstacles ahead.

“I think Congress needs to have a greater sense of urgency about this,” said Suzanne Spaulding, who served as NPPD undersecretary during the Obama administration. “Our adversaries are not slowing down. If anything, the pace of innovation … among the bad guys is increasing.”

“It’s unfortunate that it’s taking so much time and DHS is only going to be as good as its credibility,” said James Norton, a former official at the department during the George W. Bush administration. “It’s time to get this done.”

Focus on DHS’s cyber duties has increased as a result of Russian interference in the 2016 presidential election, which involved the targeting of state and local election-related systems. NPPD took the lead on offering cybersecurity help to states as they looked to shore up their systems ahead of the election. 

NPPD is also responsible for engaging with and sharing information with the private sector and responding to threats against critical infrastructure as well as federal facilities and networks.

The issue of reorganizing NPPD has been a priority of House Homeland Security Chairman Michael McCaul (R-Texas) since the last Congress. His latest bill to establish the Cybersecurity and Infrastructure Security Agency in place of NPPD advanced his committee with broad bipartisan support on Wednesday.

Officials at DHS called for reorganizing their cyber and infrastructure protection duties during the Obama administration. However, the issue was a source of tension between the executive branch and Congress last year, as lawmakers grew frustrated over an internal reorganization proposal leaked to the media that suggested DHS was moving forward without involving Congress.

This time around, McCaul and other committee members have been engaging with the Trump administration and senior officials at DHS to get feedback on the latest legislative effort, which has been underway since at least March.

Rep. John Ratcliffe (R-Texas), who leads the subcommittee with oversight of DHS’s cybersecurity and infrastructure protection efforts, said that he recently met with White House officials, including President Trump’s homeland security adviser Tom Bossert and cybersecurity coordinator Rob Joyce, to discuss cybersecurity. Ratcliffe said he received positive feedback on the legislation.

“We’re engaging on all levels and really had a lot of good feedback and input from the White House for instance with respect to this NPPD reorganization,” Ratcliffe said.

This week, McCaul finally formally introduced the bill, which would create an agency with three distinct divisions focused on cybersecurity, infrastructure security and emergency communications.

“This realignment of NPPD’s structure will allow it to become more streamlined and effective in carrying out existing authorities while achieving the department’s goal of creating a stand-alone operational organization focusing on and elevating the vital cybersecurity and infrastructure security missions,” McCaul said at a markup.

Obama-era officials cheered the legislative push. Spaulding described the current legislation as an improvement over what was floated in the previous Congress. She said the new version removes provisions limiting the secretary’s ability to organize the new operational agency and keeps cybersecurity and critical infrastructure duties closely tied together.

“You’re looking at an agency that can really take this to the next level, they just need this legislation to do it,” said Phyllis Schneck, the former deputy undersecretary for cybersecurity and communications at NPPD, of McCaul’s bill.

“An ‘agency’ or DHS operational component like FEMA or TSA, in my opinion, has a little more credibility on the outside than a ‘Directorate’ –maybe a lot more.”

But despite bipartisan support in the House, the bill has many hurdles ahead before reaching Trump’s desk. The legislation will need to be reviewed by other House committees with jurisdiction over cyber issues before getting a full vote on the floor.

The GOP-controlled House left Washington on Friday for a month-long August recess, after the Senate failed to pass an ObamaCare repeal bill in a stunning defeat.

The House is likely to focus on bigger-ticket items, like tax reform, when lawmakers return in September.

Currently, there is no companion legislation being offered in the Senate—though McCaul said in May that a counterpart bill “will be moved.”

DHS also has a credibility issue with some, and that could mean an uphill battle for the legislation in the Senate. It’s a relatively new department, when compared with the Defense Department and intelligence agencies.

Congress designated DHS as the authority over civilian federal networks and critical infrastructure cybersecurity with 2015 legislation.

“It’s going to take some work,” Sen. Sheldon Whitehouse (D-R.I.) said at an event in May. “There is, I’ll just be perfectly candid here, a very strong lingering distaste for, lack of confidence in the Department of Homeland Security.”

The senator added that DHS has “upped its game” on cyber in recent years.

Support from the administration could help propel the legislation through Congress more quickly.

But as Homeland Security secretary, John Kelly was more focused on issues like border security and vetting travelers to the U.S. Complicating matters, Trump named Kelly his new chief of staff on Friday, after dismissing Reince Priebus.

The new administration has also yet to nominate an undersecretary to lead NPPD.

“DHS at this point and the secretary need to put their weight behind the reorganization like they put their weight behind other issues,” Norton said, noting that the reorganization should be aligned with the budget for the next fiscal year.

“It would be a huge miss if they can’t get these things lined up together,” Norton said.

For now, Ratcliffe is remaining optimistic. The Republican lawmaker said that the bipartisan nature of the legislation makes it all the more likely that it will get to the floor and be approved. The question is when this will happen.

“Obviously, I hope that it comes to the floor quickly here in the House,” Ratcliffe said. “I’m optimistic that, if we can move it through the floors of both [chambers], it will be well received by the president.”