US Homeland Security Could Get Its Own Cyber Defense Agency

A key House panel on Wednesday voted to create a new Homeland Security Department agency that reflects the primacy of cyber protection among DHS’ protective responsibilities.

A bill introduced yesterday by the Homeland Security Committee – approved by a voice vote – would turn an existing DHS bureaucracy, the National Protection and Programs Directorate, or NPPD, into an "operational" agency, like the Transportation Security Administration.

The directorate would be renamed the Cybersecurity and Infrastructure Protection Agency. It is expected the overhaul would take effect under the next White House administration in 2017. 

A 2015 bill bestowed DHS with new private sector cyber duties, “and we want to ensure that we elevate the cybersecurity mission so it can effectively carry out those authorities,” a House committee staffer, who spoke on background, told Nextgov.

This measure "realigns and streamlines the department's cybersecurity and infrastructure protection missions to more effectively protect the American public against cyberattacks that could cripple the nation," committee Chairman Michael McCaul, R-Texas, said.

"Every day, cyber criminals and nation states are looking for vulnerabilities to exploit in companies like Target and Sony, our critical infrastructure sectors and the federal government," he continued. "And while the complexities of these assaults grows, the steps taken today are crucial towards ensuring our homeland remains ready to defend against these attacks."

The Cybersecurity Act of 2015 enacted a controversial program that encourages companies to share hack data—including private citizens' information—with the federal government. 

In February, DHS officials also had proposed a realignment of the directorate, but their plan would have merged cyber operations with other NPPD activities.

“While we agree and acknowledge that in some areas, cyber and physical cascade into each other, we don’t want to completely upend an entire agency to integrate everything, when in some circumstances cyber needs to have its own expertise,” the aide said.

The House plan keeps intact divisions between cybersecurity, the protection of critical infrastructure like the power grid, emergency communications and the existing Federal Protective Service.

The agency’s units would coordinate through working groups and integrated risk assessments, under the committee’s legislation.

In March, current NPPD Undersecretary Suzanne Spaulding characterized the administration’s proposed merger as a recognition that our digital lives and personal safety are now intertwined.  

Spaulding, at the time, told Nextgov that DHS is "uniquely restricted" in its ability to reorganize, as compared to most federal agencies; Congress must pass a law to authorize office name and structural changes. 

In addition to rechristening NPPD as CIPA, the House bill would shuffle management duties. 

The directorate's leader, now Spaulding, would be renamed the "director" of the agency. The head of the current cyber division, presently Deputy Undersecretary Phyllis Schneck, would become an assistant secretary-level position, like the role currently held by Andy Ozment. Essentially, there would be a single cyber lead, who would be called the “principal deputy director” for cybersecurity.

A separate agency “assistant director” would oversee the information-sharing program, which is run out of the 24-7 DHS National Cybersecurity and Communications Integration Center.

House committee leaders are collaborating with their counterparts on the Senate Homeland Security and Governmental Affairs Committee to craft an agreement, the House staffer said.

After Tuesday’s vote, a Senate panel aide told Nextgov in an email the “committee is looking at the House legislation and the department’s proposal to determine a path forward.”

The House plan also differs from the administration’s agenda on its approach to biometric identification operations.

Today, a free-standing unit inside NPPD, called the Office of Biometric Identity Management, or OBIM, runs a database with foreigners' fingerprints, faces and, in some cases, irises. The White House wants the office to sit inside Customs and Border Protection because CBP uses biometrics to screen U.S. visitors.

The new legislation, however, would place the office inside the DHS Management Directorate, a component that serves CBP, TSA and every other agency. 

“Our view is that CBP is not the only user," the House aide said. "We want to make sure all components have access to the OBIM capabilities."