The U.S. Department of Homeland Security’s (DHS) main cybersecurity unit has gotten the nod from the U.S. Senate as the first federal agency dedicated to combating hackers hitting the country’s critical infrastructure and private industry.
The bipartisan Cybersecurity and Infrastructure Security Agency Act, which easily passed the House last December but took several months in the Senate to gain approval, spins off the cybersecurity subdivision into a fully operational agency. It also establishes the DHS as the go-to agency for all things cybersecurity.
In addition, it rebrands the formerly nondescript National Protection and Programs Directorate (NPPD) as the more appropriate Cybersecurity and Infrastructure Protection Agency. The NPPD, which has been handling federal network security and safeguarding critical infrastructure from threats, has recently expanded its work to help states protect their electronic voting systems from hackers.
Understanding DHS and U.S. Cybersecurity Responsibilities
Why is the legislation important? For one, it solidifies the DHS as the official federal agency overseeing the nation’s cybersecurity. It could also help move the feds closer to establishing a formal national cybersecurity policy. Critics have correctly derided lawmakers and President Trump for a slow national response to the growing threat of both domestic and foreign-sponsored cyber attacks. Senators Ron Johnson (R-WI) and Claire McCaskill (D-MO), who lead the Senate Homeland Security Committee, successfully shepherded the legislation through the Senate on Wednesday, The Hill reported.
Under the bill, Christopher Krebs, the NPPD's top cyber official, would become the new agency's director. He was appointed Under Secretary of the NPPD last June, filling a role that had previously been vacant. “Thank you to @SenRonJohnson, @clairecmc and the rest of the Senate for voting to create the first cybersecurity agency in the fed gov’t. Perfect timing as Oct. is #CyberMonth2018. This will go a long way in our ability to defend the nation against #cyber threats,” Krebs wrote in a Twitter post.
Rep. John Ratcliffe (R-TX), head of the House Homeland's Cybersecurity and Infrastructure Protection subcommittee, had nice things to say about the bill's passage. “As the culmination of years of rigorous oversight by the House Homeland Security’s cybersecurity subcommittee, CISA will define our nation’s leading cybersecurity agency as a standalone operational organization clearly tasked with deploying DHS’ cybersecurity and infrastructure security missions,” Ratcliffe said, as The Hill reported.
Cybersecurity Policies: Individual States Take Action
Some states have moved well ahead of the federal government to establish firm cybersecurity policies and laws to protect consumers. For example, a new California law requiring Internet of Things manufacturers to set unique passwords on their connected devices has cleared the state’s legislature and is awaiting the governor’s signature.
Still winding its way through Congress is the federal Internet of Things Cybersecurity Improvement Act of 2017, which, should it ever pass Congress, would require government suppliers of devices to adhere to various industry security standards. It would also bar vendors from supplying IoT devices that have unchangeable passwords or known security vulnerabilities. The catch is that it is not for consumers, nor is it sweeping enough to be called a national policy.