Despite the steady increase of cyber crime, the public recognition of the threat and a steady clamoring for legislation addressing the threat, Washington has yet to meaningfully respond. Not surprising, given the increasing levels of partisanship and heated fights over even mundane issues. In this environment, the House Homeland Security Committee’s (“HSC”) October 29, 2013 approval of two bills, H.R. 3107 and H.R. 2952, falls into the category of “be thankful for small miracles.” While not the comprehensive or even meaningful action sought, the bills are a step in the right direction—a step that will hopefully lead to bigger and bolder action in the future.
Contrary to its current title, the “Homeland Security Cybersecurity Boots-on-the-Ground Act,” H.R. 3107 does not directly address cybersecurity or put additional “boots-on-the-ground.” Rather, the bill directs the Department of Homeland Security (“DHS”) to develop uniform job titles, long-term hiring strategies, and training regimens commensurate with the cybersecurity threat. Specifically, H.R. 3107 directs the Secretary of Homeland Security to develop:
- occupation classifications for individuals performing activities in furtherance of the cybersecurity mission of DHS and to ensure that such classifications may be used throughout DHS and are made available to other federal agencies;
- a workforce strategy that enhances the readiness, capacity, training, recruitment, and retention of the DHS cybersecurity workforce, including a multi-phased recruitment plan and a 10-year projection of federal workforce needs; and
- a process to verify that employees of independent contractors who serve in DHS cybersecurity positions receive initial and recurrent information security and role-based security training commensurate with assigned responsibilities.
The bill also requires the DHS Chief Human Capital Officer and Chief Information Officer to assess the readiness and capacity of DHS to meet such mission, and the Secretary to provide Congress with annual updates regarding such strategies, assessments, and training. At first glance, H.R. 3107 will be of greater interest to human resource officers than chief information security officers.
H.R. 2952, dubbed the Critical Infrastructure Research and Development Advancement Act, comes closer to addressing current needs by focusing the Homeland Security Act of 2002 on critical infrastructure. Unfortunately, this bill also addresses long-term planning and process more than it addresses immediate needs. On the positive side, the bill does directly require the Science and Technology Directorate to develop, within 180 days, a strategic plan to guide “the overall federal physical security and cybersecurity technology research and development efforts for protecting critical infrastructure.” Providing some insight into the thinking in Congress, the bill requires that the strategic plan include specific elements such as:
- An identification of critical infrastructure security risks and the associated security technology gaps.
- A set of critical infrastructure security technology needs that is prioritized based on risk and gaps identified under paragraph.
- An identification of laboratories, facilities, modeling, and simulation capabilities that will be required to support the research, development, demonstration, testing, evaluation, and acquisition of the security technologies.
Like its sister bill, H.R. 2952 has a reporting requirement directing the Secretary for Science and Technology to report to Congress on DHS utilization of “public-private research and development consortiums for accelerating technology development for critical infrastructure protection.”
While not the comprehensive solution so many are seeking, these two bills prove some in Congress are willing to address this important issue. Hopefully the bills portend a new level of cooperation in Washington that is built on the need to address the growing cybersecurity threat.