Cyber Scoop: DHS supply chain and CDM bills pass the House

By Zaid Shoorbajee

The House passed two bills Tuesday that aim to bolster the Department of Homeland Security’s cybersecurity efforts as they relate to securing the agency’s own vendor supply chain as well as securing other federal agencies’ networks.

Both bills now head to the Senate. One of them, the Securing the Homeland Security Supply Chain Act of 2018, would give the secretary of Homeland Security authority to block IT vendors deemed to pose a supply chain risk from contracting with the agency.

“There is no question that nation-states and criminal actors are constantly trying to exploit U.S. government and private sector systems to steal information or insert potentially harmful hardware or software,” said the bill’s sponsor, Rep. Peter King, R-N.Y., on the House floor before a voice vote.

King cited recent and ongoing U.S. government scrutiny of Russian cybersecurity company Kaspersky Lab and Chinese telecommunications companies Huawei and ZTE as justification for giving DHS this new authority. Those efforts “underscore the threats posed to the federal supply chain and the urgency in developing stronger mechanisms to secure it,” King said.

The bill as passed would only allow DHS to make these decisions for its own contracts.

“I am hopeful, this bill moves through the process, that we will also have an opportunity to consider legislation that provides similar authority to ensure national security vetting is incorporated into the wider government procurement process,” King said.

The other bill, the Advancing Cybersecurity Diagnostics and Mitigation Act, would codify into law DHS’s existing Continuous Diagnostics and Mitigation (CDM) program, which provides other federal agencies with monitoring and threat detection on their networks.

“We need to know what we have before we can try to defend it,” said Rep. John Ratcliffe, R-Texas, who introduced the bill. “[CDM] not only allows the ability to combat our enemies in cyberspace, but also to help federal CIOs manage information technology.”

DHS has been awarding billions of dollars’ worth of contracts to keep CDM’s various phases going. The bill passed Tuesday would make the program statutorily part of DHS.

Rep. Jim Langevin, D-R.I., also spoke in support of the CDM bill on the House floor, but expressed concern that the bill does not incentivize agencies to actually take advantage of the DHS program.

“This is a good bill, and I urge my colleagues to support its passage. However, I must take this opportunity to mention this bill’s major omission. It does not address the incentive structure at other agencies to actually adopt CDM offerings,” Langevin said.

Langevin lamented that CDM’s full potential is being hindered by the fact that many congressional committees and federal agencies compete over jurisdiction of cybersecurity issues.

“During hearings and roundtables on the program, we often heard from government stakeholders that internal dynamics at DHS’s sister agencies were actually the biggest obstacle to the program’s success,” Langevin said. “I urge my colleagues to consider the wisdom of having so many committees involved with cybersecurity jurisdiction often to the detriment of making real progress.”