Congress codified the role of Department of Homeland Security cybersecurity professionals designated for hunting for and responding to cybersecurity threats as part of a larger spending bill that passed the Senate Dec. 19.
The bills were passed by the House earlier in the week and are expected to be signed by President Donald Trump with just one day to spare before government funding runs dry.
Tucked inside the domestic spending minibus is the “DHS Cyber Hunt and Incident Response Teams Act of 2019,” legislation that some members of Congress have been trying to push through for years. Under the legislation, DHS’s National Cybersecurity and Communications Integration Center, or NCCIC (pronounced N-Kick), must maintain cyber hunt and incident response teams to assist both public and private sector entities with their cybersecurity upon request.
The teams must provide technical assistance to help federal and non-federal organizations that request aid regain operations after a cyberincident. The law also requires the teams to provide mitigation strategies to prevent and fend off cyberattacks to entities that request them, as well as other recommendations to reduce cybersecurity risk at their organization. The bill also allows DHS to bring in private-sector cybersecurity experts to help the teams.
Greg Touhill, former director of the NCCIC and the first-ever federal chief information security officer, said that he and former colleagues lobbied for this legislation back when they held top positions in DHS in 2014. He said that the hunt teams are very important roles, combing through logs and searching through certain points in networks looking for indicators of bad actors.
“You’re looking for the unusual just like a beat cop would be doing,” said Touhill, currently president of Cyxtera Federal. “There’s lots of different tactics, techniques and procedures that you would do. You would do scans, you would be looking for unusual behavior and you would be looking to see who outside of the ‘dot gov’ domain is coming in.”
If the legislation is signed into law by President Trump, DHS would have to produce an annual report to the congressional homeland security committees for the next four years that includes the number of incident requests and the number of response actions taken.
Congress is beginning to grapple with cybersecurity issues as ransomware attacks devastate school districts, small businesses and hospitals in the states they represent. Sen. Maggie Hassan, D-N.H., said in a statement that she was “very pleased” with the inclusion of the bill in the massive spending package. Earlier this month, the director of the Cybersecurity and Infrastructure Security Agency at DHS gave a classified briefing to senators about ransomware threats throughout the United States.
“From local officials working to protect New Hampshire communities to federal agencies tasked with shoring up cybersecurity, it’s clear that there is more we need to do to strengthen cybersecurity at every level,” Hassan said in a news release. “This bipartisan legislation takes an important step forward in these efforts, equipping public and private-sector entities with the expertise that they need to strengthen their cyber defenses and respond to threats.”
Sen. Rob Portman, R-Ohio, who introduced the Senate version of the bill with Hassan earlier this year, praised the work that hunt teams do now.
“Our cyber hunt and incident response teams play an important role in protecting against cyberthreats, reducing cybersecurity risks, and helping to get our cyber infrastructure back up and running after an attack occurs,” Sen. Rob Portman, R-Ohio, said.
The appropriations bill, however, doesn’t include any additional funding to carry out the mandates in the legislation. Touhill said that the decision not to appropriate additional funds “puts the department into a pickle.”
“Unfunded mandates out of the Congress were unwelcome when I was in the military and unwelcome when I was in civilian government,” said Touhill, a retired Air Force general. “We need to see the executive and the legislative branches do a better job coordinating these types of legislation to prevent these kinds of unfunded mandates.”
Andrew Eversden covered all things defense technology for C4ISRNET. Beforehand, he reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.