December 18, 2017 | Policy Brief

House Bill Elevates Civilian Cybersecurity Agency

The House passed the Cybersecurity and Infrastructure Security Agency Act last week to establish a primary agency responsible for leading the coordination of cyber security information-sharing efforts between federal, non-federal, and private sector stakeholders. The bill renames the Department of Homeland Security’s National Protection and Programs Directorate (NPPD) as the Cybersecurity and Infrastructure Security Agency (CISA) and streamlines the agency’s operations by enhancing its director’s ability to reallocate agency resources in response to an ever-changing landscape of cyber threats.

As Chairman of the House Committee on Homeland Security Michael McCaul (R-TX) noted, CISA will be an operational agency at the intersection of cyber security and critical infrastructure. Being an “operational agency” denotes that CISA will be a more externally engaged enterprise than its predecessor. Reflecting the legislation’s bipartisan support, McCaul’s co-chair on the Congressional Cybersecurity Caucus, Rep. Jim Langevin (D-RI), commented that the bill made “overdue” changes to DHS and cemented the department as a leading government agency for “domestic cybersecurity in peacetime.”

In office for only one week since her confirmation, new Secretary of Homeland Security Kirstjen Nielsen praised the bill, calling it a priority for the Trump administration and urging the Senate to take up the legislation. Nielsen’s background in cyber security positions her well to lead the reorganization within a department in which “cyber is an operational mission,” as she noted during her confirmation hearing.

By reorganizing and changing the name of the NPPD, the bill establishes CISA as a leading agency in domestic cyber security rather than merely a supportive facilitator for DHS. Additionally, while the NPPD already acts as an information-sharing hub for cyber incident response (similar to the way that FEMA acts in response to a natural disaster), it will leverage CISA’s better name recognition to lead the cooperative effort to protect U.S. critical infrastructure from future cyber threats. Nielsen stated that changing the NPPD’s name would eliminate confusion about what exactly the agency does. NPPD senior official Christopher Krebs echoed this sentiment, arguing that the current name hinders the directorate’s ability to perform its core missions.

The bill’s passage also coincides with the elevation of U.S. Cyber Command to a full unified combatant command, whereas until now it has been subordinate to U.S. Strategic Command. The creation of CISA will complement Cyber Command’s ongoing mission to protect national security web domains (.gov and .mil) and reflects the need for greater federal government coordination with both the private sector and nonfederal agencies, both of which sustain regular attempted cyber attacks.

This latest bill and the elevation of Cyber Command better position the U.S. government to respond to cyber incidents. The reorganization of the NPPD into CISA will likely support better dissemination of cyber security information and better coordination of cyber incident responses. The real test, however, will be whether these changes help combat cyber-enabled economic warfare attacks by state and sub-state actors on U.S. economic assets and bring increased recognition that the ongoing cyber threats facing the private sector are in fact one of the most significant threats to U.S. national security.

Annie Fixler is a policy analyst at FDD’s Center on Sanctions and Illicit Finance, where Trevor Logan is a cyber research assistant. Follow them on Twitter @afixler and @TrevorLoganFDD.

Follow the Foundation for Defense of Democracies on Twitter @FDD.