DHS reauthorization remains a heavy lift in Senate

A Senate hearing on reauthorizing the Department of Homeland Security made some headway, but long-running jurisdictional disputes threatened to once again derail the process.

A Senate hearing on reauthorizing the Department of Homeland Security made some headway in resolving lingering questions around cybersecurity and oversight requests, but it ended on an uncertain note as long-running jurisdictional disputes threatened to once again derail the process.

While the Senate Homeland Security Committee is primarily responsible for authorizing DHS, big chunks of oversight and authority for the department are dispersed across multiple committees. This fractured jurisdiction has long been a roadblock to reauthorization, and several committee members, including Chairman Ron Johnson (R-Wis.) and Ranking Member Claire McCaskill (D-Mo.), expressed frustration that the issue had yet to be resolved.

“We are literally putting our nation’s security at risk by having DHS so scattered and answering the same questions from different committees,” Johnson said.

Sen. Maggie Hassan (D-N.H.) pushed committee leaders to be more aggressive in asserting the committee’s jurisdiction over the department.

“Let’s quit pretending that 15 years of dispersed jurisdiction here is acceptable and that we have to wait longer,” Hassan said. “We’ve got to get this problem fixed.”

Access to information was another recurring point of contention, with several senators using the reauthorization hearing to demand updates or records related to pending requests.

McCaskill expressed alarm that agency officials were citing pending litigation to deny the committee’s requests for information related to the travel ban implemented by the Trump administration last year. The department used the same justification recently to deny records requests from the House Science Committee related to its governmentwide ban of Kaspersky Lab products. McCaskill worried the moves set a bad precedent.

“I don’t understand it; government is sued all the time. We can’t use litigation as an excuse to stop information to the inspectors general [and Congress],” she said. “I’m going to need more explanation about this because this could be a trend. All of a sudden our oversight is done.”

Sen. Rob Portman (R-Ohio) laid out three investigations the committee was currently working on for which it had not received adequate cooperation from DHS: two related to immigration and another dealing with mismanagement by the agency CIO.

“I’m not going to get into details because we don’t make these investigations public typically until we report, but we need that information,” Portman said. “We’ve been given a minimal amount of documents, most of which are not at all responsive to the request.”

DHS Deputy Secretary Elaine Duke responded that she was not aware that those requests had not been adequately addressed and committed to providing substantive updates on all three matters.

Senators spent significant portions of the hearing questioning DHS officials on cybersecurity and critical infrastructure. In particular, they asked for more details about the Cybersecurity and Infrastructure Security Agency Act, which would reorganize and rename the National Protection and Programs Directorate. The bill has already passed the House but remains pending in the Senate.

Some senators expressed confusion about what the House bill actually does and how it improves cybersecurity operations within DHS.

Publicly, department officials have often focused on highlighting the morale boost that would come with changing the name of their cyber shop from the National Protection and Programs Directorate to the Cybersecurity and Infrastructure Security Agency. That left some members of the committee, like Hassan, scratching their heads about how big an impact that would really make.

“It’s hard to think how a name change for NPPD would raise morale, raise the profile of cyber,” Hassan said. Beyond simply changing the name, she called on the committee “to hold hearings and specifically consider the possibility of creating a separate cybersecurity component at DHS.”

Behind the scenes, DHS officials have articulated more substantive authorities. In December 2017, an NPPD official told FCW that by reclassifying the directorate from a headquarters component to an operational one, the bill could also empower the DHS secretary to more freely make changes around procurement, human resources and organizational structure.

At the hearing, Duke and acting NPPD Under Secretary Christopher Krebs largely confirmed that interpretation publicly for the first time, with Duke telling Hassan the bill “isn’t just a name change” and that it does provide the department with additional authorities.

“So, it is being elevated to an operating component, and that’s essential in the distinction -- that it will have everything it needs to operate,” Duke said. “It will have its own CIO, its own procurement and it will be now our eighth operating agency. That is important because it carries authorities and mission support along with it.”

Senators also questioned whether it made sense to combine the department’s cyber and critical infrastructure missions and whether that would water down the focus on cybersecurity.

Krebs stressed the importance of merging the two missions, noting that in the private sector physical and cybersecurity risk management are inextricably linked. This is particularly true in the context of internet-of-things devices, industrial control systems and SCADA systems.

“The importance of the linkage of the two, physical and cybersecurity, is that’s how it’s going in industry. They’re inextricably linked,” said Krebs, who served as Microsoft’s director for cybersecurity policy before joining DHS in 2017. “When you look at how organizations manage risk, they have to look across an entire enterprise and say, 'What is our physical risk, what is our cybersecurity risk?' And they’re merging.”

He also argued that merging the cyber and physical infrastructure missions would enhance the agency’s cybersecurity posture, not reduce it.

“There is no greater risk to our country. [Cybersecurity] is the thing I think about when I go to bed and the first thing I think about when I wake up in the morning,” Krebs said. “It is not going to be subordinated to any other element, that I can assure you.”