Bipartisan Infrastructure Package: DHS and CISA


The Senate has passed the “Infrastructure Investment and Jobs Act” (H.R.3684), and the bill is now in the House. Yesterday, the House Rules Committee met to consider the procedure for floor consideration and has scheduled another meeting for today on the same, along with the FY 2022 budget resolution (S. Con. Res. 14) that would allow Democrats to proceed with the $3.5 trillion package enacting the White House’s Build Back Better agenda, and the “John R. Lewis Voting Rights Advancement Act of 2021” (H.R.4).

However, the path to House passage of H.R.3684 has been complicated by the insistence of 10 moderate House Democrats that Congress pass this bill before turning to the $3.5 trillion plan. Under the current margins, House Democrats can lose no more than three of their own members if no Republicans vote for a bill. House Speaker Nancy Pelosi (D-CA) has long said the House will not pass the infrastructure package before passing the larger bill through budget reconciliation. In part, Pelosi’s position is informed by the opposition of liberals in her caucus to passing the infrastructure package first, which would allow moderate Democrats to then vote against the $3.5 trillion bill, replete with policies liberals tend to support more than moderates do. House Democratic Leadership was trying to round up votes yesterday but apparently fell short, as the vote on the three measures was pushed into today.

H.R.3684 is teeming with technology funding and policy, the likes of which could alter United States (U.S.) policy in a number of realms for years to come. We looked at the broadband provisions (see here) and the drinking water and electric grid provisions (see here); today, we will examine the provisions and funding related to cybersecurity broadly speaking, and any loose ends in the bill.

The Senate has opted to add funding for the newly established Office of the National Cyber Director (NCD) in the White House. There would be $21 million for the NCD, which may be in addition to whatever Congress appropriates through the annual funding process. Alternatively, considering this is a bit more than either chamber has proposed for the NCD in its regular appropriations bill, Congress may choose not to appropriate any more funding to stand up and staff this office.

In its FY 2022 budget request, the Biden Administration asked Congress for $15 million and 25 Full-Time Equivalents (FTE) to stand up the Office of the NCD. However, the Cyberspace Solarium Commission (CSC), in recommending that Congress create such a position, called for at least 50 FTE in this office. Congress may appropriate funds for, and direct the creation of, a larger office than the administration apparently wants. On 29 July, the House passed the “Financial Services and General Government Appropriations Act, 2022” (H.R.4502), which would make available $18.750 million for the NCD.

Additionally, last month the Senate passed a bill, S.2382, “that would help ensure the newly created Office of the NCD will be able to quickly secure qualified personnel to support its important cybersecurity mission,” according to the sponsors’ press release. However, in late July the House postponed floor proceedings to pass the bill under an expedited process until some later point. If the House proposes its own package, it is possible this provision will be added.

The Cybersecurity and Infrastructure Security Agency (CISA) would be given an additional $35 million “for risk management operations and stakeholder engagement and requirements.”

The Department of Homeland Security’s (DHS) Science and Technology Directorate (S&T) would be given $157.5 million “for critical infrastructure security and resilience research, development, test, and evaluation: Provided, That the funds made available under this heading in this Act may be used for

  • special event risk assessments rating planning tools;
  • electromagnetic pulse and geo-magnetic disturbance resilience capabilities;
  • positioning, navigation, and timing capabilities;
  • public safety and violence prevention to evaluate soft target security, including countering improvised explosive device events and protection of U.S. critical infrastructure; and
  • research supporting security testing capabilities relating to telecommunications equipment, industrial control systems, and open source software.”

DHS would need to submit to Congress a detailed spending plan before these funds can be used.

H.R.3684 contains two discrete cybersecurity bills advanced in the last few months to counter the growing use of ransomware and penetration of federal networks.

The “State and Local Cybersecurity Improvement Act” (H.R.3138) would establish and fund with $1 billion a new grant program at DHS. The committee report for this House Homeland Security Committee bill explained:

H.R. 3138, the ‘‘State and Local Cybersecurity Act,’’ seeks to foster stronger partnerships between the Federal government and State and local governments to defend State and local networks against cyber attacks from sophisticated foreign adversaries or cyber criminals. It does so by authorizing a new Department of Homeland Security (DHS) grant program to address cybersecurity vulnerabilities on State and local government networks.

This bill would amend the section of the “Homeland Security Act of 2002” that established CISA (i.e. 6 U.S.C. 651 et seq.) and establish the State and Local Cybersecurity Grant Program to help state and Tribal governments “to address cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, State, local, or Tribal governments.” However, CISA would not administer the grant program; rather, the Federal Emergency Management Agency (FEMA) would do so, given its experience with other longstanding grant programs to state and Tribal governments.

State and Tribal governments that receive a grant “shall use the grant to—

  • implement the Cybersecurity Plan of the eligible entity;
  • develop or revise the Cybersecurity Plan of the eligible entity;
  • pay expenses directly relating to the administration of the grant, which shall not exceed 5 percent of the amount of the grant;
  • assist with activities that address imminent cybersecurity threats, as confirmed by the Secretary, acting through the Director, to the information systems owned or operated by, or on behalf of, the eligible entity or a local government within the jurisdiction of the eligible entity; or
  • fund any other appropriate activity determined by the Secretary, acting through the Director.

Broadly speaking, recipient governments could fund Cybersecurity Plans or address imminent threats to their systems or those of local governments in their jurisdiction. These governments could also use up to 5% of the grant to administer it, and fund other appropriate activities CISA designates.

The Cybersecurity Plans would generally require governments to plan for cyber incidents and for how they would recover from them, including a continuous process of searching for and mitigating threats and vulnerabilities. These plans would also require the adoption and use of best practices, and a risk-based approach that places the greatest emphasis on the highest value systems and assets. In short, the sponsors of the legislation are hoping to use Congress’s power to condition the use of federal funds to drive better cybersecurity throughout the governments of the U.S.

Each eligible entity that wants to receive a grant must “establish a cybersecurity planning committee to—

  • assist with the development, implementation, and revision of the Cybersecurity Plan of the eligible entity;
  • approve the Cybersecurity Plan of the eligible entity; and
  • assist with the determination of effective funding priorities for a grant

Moreover, DHS “may award grants under this section to a multi-entity group to support multi-entity efforts to address cybersecurity risks and cybersecurity threats to information systems within the jurisdictions of the eligible entities that comprise the multi-entity group.” Multi-entity groups are those made up of two or more state or Tribal governments.

The bill appropriates $1 billion for this program in these allotments:

  • for fiscal year 2022, $200,000,000;
  • for fiscal year 2023, $400,000,000;
  • for fiscal year 2024, $300,000,000; and
  • for fiscal year 2025, $100,000,000.

The other bill folded into H.R. 3684, the “Cyber Response and Recovery Act of 2021” (S.1316), is legislation the sponsors claimed when it was introduced in April “would help improve the federal response to cyber breaches, such as recent and serious attacks by foreign adversaries including the Chinese and Russian governments that penetrated both federal networks and private companies’ servers.”

The first section of this bill explains its reason for being:

  • the purpose of this subtitle is to authorize the Secretary to declare that a significant incident has occurred and to establish the authorities that are provided under the declaration to respond to and recover from the significant incident; and
  • the authorities established under this subtitle are intended to enable the Secretary to provide voluntary assistance to non-Federal entities impacted by a significant incident.

The “Cyber Response and Recovery Act” adds a new term to the federal lexicon of cybersecurity: “significant incident,” which is defined to be:

  • an incident or a group of related incidents that results, or is likely to result, in demonstrable harm to—
    • the national security interests, foreign relations, or economy of the United States; or
    • the public confidence, civil liberties, or public health and safety of the people of the United States; and
  • does not include an incident or a portion of a group of related incidents that occurs on
    • a national security system (as defined in section 3552 of title 44, United States Code)[i.e. generally Department of Defense and Intelligence Community systems]; or
    • an information system described in paragraph (2) or (3) of section 3553(e) of title 44, United States Code[1].

Congress has opted to define this term itself instead of delegating that task to DHS and CISA, as it sometimes does.

Under this bill, the definition for a mere “incident” is the one currently in the U.S. Code: “an occurrence that-

  • actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or
  • constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

Clearly, significant incidents are those with much wider actual or potential repercussions than ordinary incidents.

DHS, in consultation with the NCD, “may make a declaration of a significant incident in accordance with this section for the purpose of enabling the activities described in this subtitle [more on this below] if the Secretary [of Homeland Security] determines that—

  • a specific significant incident—
    • has occurred; or
    • is likely to occur imminently; and
  • otherwise available resources, other than the Fund [more on this below], are likely insufficient to respond effectively to, or to mitigate effectively, the specific significant incident

Moreover, the Secretary of Homeland Security may not delegate this responsibility to any other official. And so, this legislation contemplates that a Senate-confirmed member of the Cabinet is the only official who may determine that a significant incident has occurred. This was likely decided upon to keep decisions like this at the top of the U.S. government, made by an official who directly answers to both the President and Congress. Nonetheless, National Cyber Director Chris Inglis, CISA Director Jen Easterly, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, and others would play significant roles in the making of such a determination.

Significant incident declarations would last either 120 days or until the Secretary determines the declaration is no longer necessary, whichever comes first. The Secretary could extend the declaration if necessary. The Secretary must immediately alert the NCD and certain Congressional committees of a significant incident declaration, and this notification must include the expected duration, the reasons the declaration was issued, the expected impact on federal and non-federal entities and on federal operations, the culprit (if known), the scope of the entities affected, a justification for the resources to be used, and a description of the proposed coordination activities. Six months after a declaration or renewal, DHS must report to Congress on the actions taken, the funds expended, and the results.

DHS must also publish the declaration, or a renewal of a declaration, in the Federal Register within 72 hours of its being made. However, any such declaration cannot include the name of any affected individual or company, which is a bit strange since any major incident will undoubtedly be widely reported upon.

After the Secretary has made this determination, DHS may coordinate “asset response activities,” which are defined as:

  • an activity to support an entity impacted by an incident with the response to, remediation of, or recovery from, the incident, including—
    • furnishing technical and advisory assistance to the entity to protect the assets of the entity, mitigate vulnerabilities, and reduce the related impacts;
    • assessing potential risks to the critical infrastructure sector or geographic region impacted by the incident, including potential cascading effects of the incident on other critical infrastructure sectors or geographic regions;
    • developing courses of action to mitigate the risks assessed…;
    • facilitating information sharing and operational coordination with entities performing threat response activities; and
    • providing guidance on how best to use Federal resources and capabilities in a timely, effective manner to speed recovery from the incident.

In the aftermath of a significant incident declaration, DHS would coordinate the asset response activities of all federal agencies with a jurisdictional claim to the incident. DHS could also coordinate with public and private sector entities, state and local governments, and law enforcement agencies.

Moreover, DHS need not wait for a significant incident declaration before acting. The agency may seek and obtain resources for asset response activities and technical assistance.

The bill establishes a Cyber Response and Recovery Fund (Fund) that shall, in part, finance the activities described in this section. DHS may also use the resources of CISA in responding to significant incidents. Money from the Fund could be provided to a range of affected entities on a reimbursable or non-reimbursable basis. CISA may also make “grants for, or cooperative agreements with, Federal, State, local, and Tribal public and private entities to respond to, and recover from, the specific significant incident associated with a declaration, such as—

  • hardware or software to replace, update, improve, harden, or enhance the functionality of existing hardware, software, or systems; and
  • technical contract personnel support;

Appropriations and reimbursements from other federal agencies would provide money for the Fund. $20 million is appropriated for this new program for each of the next five fiscal years, with the funding for two more fiscal years authorized. This program would end seven years after enactment unless Congress extends it.

Finally, there are transportation cybersecurity provisions. Within two years, the Federal Highway Administration (FHWA) “shall develop a tool to assist transportation authorities in identifying, detecting, protecting against, responding to, and recovering from cyber incidents.” Transportation authorities include state highway departments and other transportation agencies, manufacturers of products related to transportation (a very broad term), and offices of the FHWA. The tool would need to use the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, “establish a structured cybersecurity assessment and development program,” be established in coordination with the Transportation Security Administration (TSA) and CISA, and be implemented only after consultation with stakeholders and a public comment period. The agency would also need to “designate an office as a ‘cyber coordinator’, which shall be responsible for monitoring, alerting, and advising transportation authorities of cyber incidents.”

And for those skeptical of the effect of Government Accountability Office (GAO) reports and the like, the Department of Transportation (DOT) would have three years to implement the GAO’s recommendations from its report titled “Cybersecurity: Agencies Need to Fully Establish Risk Management Programs and Address Challenges.” Specifically, the DOT must comply with those recommendations

  • by developing a cybersecurity risk management strategy for the systems and information of the Department;
  • by updating policies to address an organization-wide risk assessment; and
  • by updating the processes for coordination between cybersecurity risk management functions and enterprise risk management functions.

The DOT would also need to implement recommendations made in a different GAO report, “Cybersecurity Workforce: Agencies Need to Accurately Categorize Positions to Effectively Identify Critical Staffing Needs,” by

  • reviewing positions in the Department; and
  • assigning appropriate work roles in accordance with the National Initiative for Cybersecurity Education Cybersecurity Workforce Framework.

The GAO would then need to study and report on the DOT’s “cybersecurity for the systems and information of the Department.”

[1] (e) Department of Defense and Intelligence Community Systems.—

(2) The systems described in this paragraph are systems that are operated by the Department of Defense, a contractor of the Department of Defense, or another entity on behalf of the Department of Defense that processes any information the unauthorized access, use, disclosure, disruption, modification, or destruction of which would have a debilitating impact on the mission of the Department of Defense.

(3) The systems described in this paragraph are systems that are operated by an element of the intelligence community, a contractor of an element of the intelligence community, or another entity on behalf of an element of the intelligence community that processes any information the unauthorized access, use, disclosure, disruption, modification, or destruction of which would have a debilitating impact on the mission of an element of the intelligence community.

© Michael Kans, Michael Kans Blog and, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and with appropriate and specific direction to the original content.
