December 14, 2019

December 13, 2019

Subscribe to Latest Legal News and Analysis

December 12, 2019

Subscribe to Latest Legal News and Analysis

December 11, 2019

Subscribe to Latest Legal News and Analysis

DHS Cybersecurity Legislation Advances Through Capitol Hill

Earlier this week, both chambers on Capitol Hill took steps that would increase the Department of Homeland Security’s (DHS) role in the area of cybersecurity.  On the Senate side, the Senate Homeland Security and Governmental Affairs Committee approved a DHS reauthorization bill that included amendments to rename and reorganize the DHS National Protection and Programs Directorate (NPPD), to increase protections for certain personally identifiable information (PII), and to emphasize the need for cybersecurity research.  On the House side, the House Homeland Security Committee approved the Cyber Incident Response Teams Act, which would establish teams within DHS devoted to cyber incident response.

Department of Homeland Security Reauthorization Bill

On March 7, the Senate Homeland Security and Governmental Affairs Committee approved H.R. 2825, which, if enacted into law, would be the first reauthorization of DHS since it was created in response to the September 11 attacks.  The Senate version of the bill added a number of cybersecurity related amendments.  Under one amendment, the NPPD would be renamed and reorganized as the Cybersecurity and Infrastructure Security Agency.  Among its enumerated responsibilities, this Agency would “lead cybersecurity and critical infrastructure security programs, operations, and associated policy for the Agency, including national cybersecurity asset response activities” and carry out its “cybersecurity and critical infrastructure activities” in coordination with Federal and private entities.  On the Senate Committee’s website, Senator Ron Johnson (R-WI), Chairman of the Committee, is quoted as stating, “Establishing an agency within DHS to focus on cyber and infrastructure security will help DHS achieve its missions.” A second amendment would require U.S. Customs and Border Protection (CBP) to remove personally identifiable information, including social security numbers, passport numbers, and residential addresses, from any manifest signed and transmitted to the CBP before it is disclosed to the public.  Finally, a third amendment, requires the Under Secretary for Science and Technology to support “research, development, testing, evaluation, and transition of new cybersecurity technologies” and to coordinate those activities with other Federal agencies, industry, and academia.  To help spur this development, the bill also extends DHS’ authority to  award other transaction authority agreements consistent with the Department of Defense’s recent push for quicker and more flexible agreements with non-traditional contractors.

Two proposed amendments were not included in the bill but it is possible that these amendments could still find their way into the final bill.  The first amendment would have increased DHS’ role in assisting states with monitoring and addressing cybersecurity threats and vulnerabilities during their elections.  The second amendment would have clarified liability protections for cybersecurity technology developers under the SAFETY Act.  Currently, the SAFETY Act offers liability protection to sellers and users of approved anti-terrorism technologies in the event of litigation stemming from acts of terrorism.  This amendment would have extended the SAFETY Act program to cybersecurity technologies and services by granting liability protections to industry for a terrorist act or a “declared cyber incident” that is caused by malicious cyber actors.  A date has yet to be set for the full Senate to vote on the DHS reauthorization bill.  The House passed its version of the bill last July.

Cyber Incident Response Teams Act

Also on March 7, the House Homeland Security Committee unanimously approved H.R. 5074, the Cyber Incident Response Teams Act.  This Act would authorize the National Cybersecurity and Communications Integration Center within DHS to establish “cyber hunt and incident response teams.”  Such teams would be responsible for assisting “asset owners and operators in restoring services following a cyber incident,” identifying any “cybersecurity risk and unauthorized cyber activity,” and offering both “mitigation strategies to prevent, deter, and protect against cybersecurity risks” and “recommendations to asset owners and operators for improving overall network and control systems security to lower cybersecurity risks.”  Some members of the House Committee on Homeland Security have suggested that the Cyber Incident Response Teams’ scope of assistance would also include recommendations regarding the cybersecurity of election infrastructure.

The composition of these Cyber Incident Response Teams would not be limited to just governmental employees.  Rather, the Act expressly authorizes the inclusion of “cybersecurity specialists from the private sector,” enabling DHS to rely on specialist expertise outside of the government when addressing threats and attacks.  Although the assistance is “upon request,” private companies may be reluctant to permit private sector specialists access to very sensitive information about their networks and/or a potential breach.  The Act also would require the National Cybersecurity and Communications Integration Center report every four years to the House Committee on Homeland Security and the Senate Homeland Security and Governmental Affairs Committee.  Their report will include the “total number of incident response requests received,” the “number of incident response tickets opened,” and “all interagency staffing of incident response teams,” as well as provide information regarding “interagency collaborations established to support incident response teams.”  A date has yet to be set for the full House to vote on the Cyber Incident Response Teams Act.

© 2019 Covington & Burling LLP

TRENDING LEGAL ANALYSIS


About this Author

Raymond B. Biagini, Covington Burling, Litigation attorney
Partner

A distinguished counselor and litigator, Raymond Biagini has risen to national prominence in a number of high-profile tort cases, defending commercial and government contractors in:

  • "Contractor on the Battlefield" tort litigation;
  • the Exxon Valdez litigation;
  • the Cell Phone Radiation Hazards lawsuits;
  • the "Fen-Phen" litigation;
  • the nationwide Repetitive Stress Injury suits;
  • claims arising out of "friendly fire" accidents during Operation Desert Storm; and
  • "war crimes" allegations filed against...
202 662 5120
Susan B. Cassidy, Government Contracts Attorney, Covington Burling, Law Firm
Partner

Susan Cassidy advises clients on the complex rules and regulations imposed on government contractors, with a special emphasis on the defense and intelligence sectors. She combines a sophisticated knowledge of the FAR and DFARS with the practical insight gained from senior in-house positions at both dedicated defense and commercial item contractors.

Ms. Cassidy conducts internal investigations for clients on wide array of government contracts and national security compliance issues. She regularly advises on FAR mandatory disclosure obligations and represents clients with regard to these investigations before the agency, DOJ, and the relevant Suspension and Debarring Official. Ms. Cassidy spends considerable time advising on contractor cybersecurity requirements, including assessing contractual requirements and investigating and assisting clients with cyber breach incidents involving government information.

202-662-5348
Calvin Cohen, Covington Burling, Data privacy lawyer
Associate

Calvin Cohen is an associate in the Government Contracts and Data Privacy and Cyber Security practice groups.

While in law school, Mr. Cohen successfully represented an indigent plaintiff before the Sixth Circuit on a matter of first impression concerning computer monitoring software and the federal Wiretap Act.

202-662-5788