Representatives Introduce Bill to Increase Authority of DHS's Top Cyber Security Officer
September 13, 2004. Rep. Mac Thornberry (R-TX) and Rep. Zoe Lofgren (D-CA) introduced HR 5068, the "Department of Homeland Security Cybersecurity Enhancement Act of 2004". It would increase the rank and responsibilities of the top cybersecurity officer in the Department of Homeland Security (DHS). It would also define "cybersecurity" to include protection of "wire communication".
This bill would amend the Homeland Security Act of 2002 (HSA), which is codified at 6 U.S.C. § 121 et seq. This bill was HR 5005 in the 107th Congress. It is now Public Law No. 107-296.
Title II of the HSA creates a Directorate for Information Analysis and Infrastructure Protection, headed by an Under Secretary. This directorate has primary responsibility for information sharing and cyber security matters. Title II also creates the positions of Assistant Secretary for Infrastructure Protection and Assistant Secretary for Information Analysis. See, Section 201(b) of the HSA.
Currently, the top cybersecurity officer at the DHS is Amit Yoran. On November 15, 2003, Yoran (at right) was named Director of the National Cyber Security Division (NCSD) of the Information Analysis and Infrastructure Protection Directorate (IAIP) at the DHS. See, story titled "Amit Yoran Named Head of Cyber Security Division" in TLJ Daily E-Mail Alert No. 740, September 16, 2003.
This places him several levels below the Secretary in the DHS hierarchy. Yoran works for Bob Liscouski, the Assistant Secretary for Infrastructure Protection in the IAIP. Liscouski works for Frank Libutti, the Under Secretary for Information Analysis and Infrastructure Protection. Libutti works for Tom Ridge, the Secretary of Homeland Security.
Neither Ridge nor Libutti have backgrounds in technology. Ridge is a politician -- a former two term Governor of Pennsylvania, and a former Congressman from Pennsylvania. Libutti is an ex-Marine General. Only Liscouski has a background in technology.
Some technology companies, and groups that represent them in Washington DC, have argued that the top cybersecurity officer at the DHS should hold a higher rank and more authority.
In addition, on January 16, 2004, the Democrats on the House Homeland Security Committee released a report [18 pages in PDF] titled "America At Risk: The State of Homeland Security: Initial Findings". It criticized the Bush administration for not making Yoran's position more important. The report states that "The top cybersecurity position in the government is now the Director of the National Cyber Security Division, buried deep within DHS. There is no longer a Presidential advisor or senior official with the authority to direct all the agencies responsible for cybersecurity should a cyber-crisis occur."
Rep. Lofgren (at left) stated in a release that "During the past year and a half, the subcommittee has heard from numerous experts about the need to address the increasing threats and vulnerabilities facing our nation's computer networks and systems. Our legislation will strengthen the Department's cybersecurity efforts and make sure the appropriate person within DHS has the authority and direction to get the job done."
Rep. Thornberry is chairman of the House Homeland Security Committee's Subcommittee on Cybersecurity, Science, and Research and Development. Rep. Lofgren is the ranking Democrat on this Subcommittee.
This bill would amend the HSA to create a new position of Assistant Secretary for Cybersecurity. It would also provide a definition of the term "cybersecurity".
The bill defines cybersecurity broadly, to encompass not only computers and computer networks, but also communications, including "wire communication".
The bill provides that "cybersecurity" means "the prevention of damage to, the protection of, and the restoration of computers, electronic communications systems, electronic communication services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation."
It also provides that "wire communications" has the same meaning as in 18 U.S.C. § 2510. This section provides that ''wire communication'' means "any aural transfer made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable, or other like connection between the point of origin and the point of reception (including the use of such connection in a switching station) furnished or operated by any person engaged in providing or operating such facilities for the transmission of interstate or foreign communications or communications affecting interstate or foreign commerce". (Parentheses in original.)
This would appear to give the new Assistant Secretary for Cybersecurity, and the DHS, authority regarding the security of telecommunications. Individuals associated with the Federal Communications Commission (FCC), the Network Reliability and Interoperability Council (NRIC), the House Commerce Committee (HCC), and telecommunications carriers might take note of this definition of cybersecurity.
The bill would increase the rank of the top cybersecurity officer at the DHS, and define and expand the responsibilities of this officer. However, this increase in position would come at the expense of other government officers and offices. There is nothing in the bill that would increase governmental authority over the private sector.
This bill has been referred to the House Homeland Security Committee.