DHS reauthorization remains a heavy lift in Senate

A Senate hearing on reauthorizing the Department of Homeland Security made some headway, but long-running jurisdictional disputes threatened to once again derail the process.

Image: Casimiro PT / Shutterstock

A Senate hearing on reauthorizing the Department of Homeland Security made some headway in resolving lingering questions around cybersecurity and oversight requests, but it ended on an uncertain note as long-running jurisdictional disputes threatened to once again derail the process.

While the Senate Homeland Security Committee is primarily responsible for authorizing DHS, big chunks of oversight and authority for the department are dispersed across multiple committees. This fractured jurisdiction has long been a roadblock to reauthorization, and several committee members, including Chairman Ron Johnson (R-Wis.) and Ranking Member Claire McCaskill (D-Mo.), expressed frustration that the issue had yet to be resolved.

“We are literally putting our nation’s security at risk by having DHS so scattered and answering the same questions from different committees,” Johnson said.

Sen. Maggie Hassan (D-N.H) pushed committee leaders to be more aggressive in asserting its jurisdiction over the department.

“Let’s quit pretending that 15 years of dispersed jurisdiction here is acceptable and that we have to wait longer,” Hassan said. “We’ve got to get this problem fixed.”

Access to information was another recurring point of contention, with several senators using the reauthorization hearing to demand updates or records related to pending requests.

McCaskill expressed alarm that agency officials were citing pending litigation to deny the committee’s requests for information related to the travel ban implemented by the Trump administration last year. The department used the same justification recently to deny records requests from the House Science Committee related to its governmentwide ban of Kaspersky Lab products. McCaskill worried the moves set a bad precedent.

“I don’t understand it; government is sued all the time. We can’t use litigation as an excuse to stop information to the inspectors general [and Congress],” she said. “I’m going to need more explanation about this because this could be a trend. All of a sudden our oversight is done.”

Sen. Rob Portman (R-Ohio) laid out three investigations the committee was currently working on for which it had not received adequate cooperation from DHS: two related to immigration and another dealing with mismanagement by the agency CIO.

“I’m not going to get into details because we don’t make these investigations public typically until we report, but we need that information,” Portman said. “We’ve been given a minimal amount of documents, most of which are not at all responsive to the request.”

DHS Deputy Secretary Elaine Duke responded that she was not aware that those requests had not been adequately addressed and committed to providing substantive updates on all three matters.

Senators spent significant portions of the hearing questioning DHS officials on cybersecurity and critical infrastructure. In particular, they asked for more details about the Cybersecurity and Infrastructure Security Agency Act, which would reorganize and rename the National Programs and Protection Directorate. The bill has already passed the House but remains pending in the Senate.

Some senators expressed confusion about what the House bill actually does and how it improves cybersecurity operations within DHS.

Publicly, department officials have often focused on highlighting the morale boost that would come with changing the name of their cyber shop from the National Protection and Programs Directorate to the Cybersecurity and Infrastructure Security Agency. That left some members of the committee, like Hassan, scratching their heads about how big an impact that would really make.

“It’s hard to think how a name change for NPPD would raise morale, raise the profile of cyber,” Hassan said. Beyond simply changing the name, she called on the committee “to hold hearings and specifically consider the possibility of creating a separate cybersecurity component at DHS.”

Behind the scenes, DHS officials have articulated more substantive authorities. In December 2017, an NPPD official told FCW that by reclassifying the directorate from a headquarters component to an operational one, the bill could also empower the DHS secretary to more freely make changes around procurement, human resources and organizational structure.

At the hearing, Duke and acting NPPD Under Secretary Christopher Krebs largely confirmed that interpretation publicly for the first time, with Duke telling Hassan the bill “isn’t just a name change” and that it does provide the department with additional authorities.

“So, it is being elevated to an operating component, and that’s essential in the distinction -- that it will have everything it needs to operate,” Duke said. “It will have its own CIO, its own procurement and it will be now our eighth operating agency. That is important because it carries authorities and mission support along with it.”

Senators also questioned whether it made sense to combine the department’s cyber and critical infrastructure missions and whether that would water down the focus on cybersecurity.

Krebs stressed the importance of merging the two missions, noting that in the private sector physical and cybersecurity risk management are inextricably linked. This is particularly true in the context of internet-of-things devices, industrial control systems and SCADA systems.

“The importance of the linkage of the two, physical and cybersecurity, is that’s how it’s going in industry. They’re inextricably linked,” said Krebs, who served as Microsoft’s director for cybersecurity policy before joining DHS in 2017. “When you look at how organizations manage risk, they have to look across an entire enterprise and say, 'What is our physical risk, what is our cybersecurity risk?' And they’re merging.”

He also argued that merging of cyber and physical infrastructure missions would enhance the agency’s cybersecurity posture, not reduce it.

“There is no greater risk to our country. [Cybersecurity] is the thing I think about when I go to bed and the first thing I think about when I wake up in the morning,” Krebs said. “It is not going to be subordinated to any other element, that I can assure you.”

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.