Senate turf wars are stalling DHS cyber re-org, lawmaker says

Sen. Ron Johnson (R-Wis.), chairman of the Senate Homeland Security and Government Affairs Committee, said legislation to rename and reorganize the cybersecurity organization at the Department of Homeland Security is meeting resistance from other senators and committees.

The committee was holding an April 25 confirmation hearing for Christopher Krebs, acting undersecretary at the National Protection and Programs Directorate at DHS. Krebs was nominated to fill the position on a permanent basis by the Trump administration in February 2018.

While discussing the Cybersecurity and Infrastructure Security Agency Act, Johnson said "turf wars" in the Senate are holding up the bill's passage. A version of the legislation already passed the House in December 2017.

"There's a reason we didn't get the name change in the omnibus. There's objection to that," said Johnson. "So we need to be honest about that, the reality is that there's conflict here."

Johnson followed up by saying he had talked with Sen. Richard Burr (R-N.C.), chairman of the Senate Intelligence Committee, the day before about jurisdictional issues and made a public offer to "work this out."

However, after the hearing Johnson told reporters that he didn't know which senator or committee may have objections, only saying it was "obvious" there was an issue or it would have been passed through the omnibus spending bill Congress pushed through last month.

A DHS source told FCW that the cyber legislation was pulled from the omnibus with no explanation hours before it passed.

Johnson alluded to the unsettled role of U.S. Cyber Command in the cyber hierarchy as well as larger questions about policy jurisdiction when asked what was holding up the bill's passage, saying he wants to work with other committees and departments to "try to get this ironed out moving forward."

"Again, this whole issue of where Cyber Command should be," said Johnson. "I mean it's obvious: you've got the Department of Defense, NSA, the intel community. There's just kind of a natural desire to hold on to as much of that as possible and then you've got your civilian agency here, so I think it's kind of obvious we have not worked that out."

As for the nominee, Krebs exited the hearing receiving praise from Johnson as well as Democratic senators like Claire McCaskill (D-Mo.) and Heidi Heitkamp (D-N.D.). Johnson said he hoped to hold a committee vote that moves Krebs' nomination to the full Senate shortly after Congress returns from recess. Earlier in the day, House Homeland Security chairman John Ratcliffe (R-Texas) signaled his endorsement of Krebs in a statement, saying Krebs is the right man to lead NPPD through its re-organization.

"Chris Krebs possesses the extensive cybersecurity experience necessary to diligently serve our country as NPPPD undersecretary at DHS," said Ratcliffe.

Krebs told lawmakers that after consulting with internal ethics lawyers, he will be recusing himself from any matters dealing with Microsoft or the National Cybersecurity Alliance over the next 11 months. A DHS spokesperson later clarified through email that the end of recusal timeline Krebs provided would mark a full two years since he last worked at Microsoft and chaired the National Cybersecurity Alliance in March 2017.

One particular point of contention came around the familiar topic of election security, where members of Congress have pressed DHS to do more with its mandate since designating election systems as critical infrastructure in 2017. Krebs told lawmakers that NPPD had between 10 and 15 full-time staff dedicated to coordinating with state and local election officials to share threat information, conduct vulnerability assessments and process security clearances.

McCaskill said that number wasn't nearly high enough and promised she would do everything in her power to get more federal personnel dedicated to the issue.

"I'm sure you agree with me that 10 to 15 people to cover election security in this entire country with all the various elections that exist is woefully inadequate," said McCaskill.