Senior officials from the Departments of Defense (DoD) and Homeland Security (DHS) told House members on Wednesday that they are busy working out details of a recently finalized cybersecurity coordination agreement focused on improving Federal government cyber defenses generally, and specifically the cyber defenses of critical infrastructure components on which DoD facilities rely, among other areas.
While the agency officials spoke at length today about aspects of the agreement, full details of the pact remained scarce because it has not yet been released publicly–or even to House members who were at Wednesday’s joint hearing of House Armed Services and House Homeland Security subcommittees to question the officials about agency cooperation on cybersecurity.
The general idea of cybersecurity cooperation between the two agencies is not a new one; they agreed in 2010 to cooperate on cybersecurity strategic planning, capabilities development, and synchronization of operational mission activities.
Late last month, Ed Wilson, deputy assistant secretary of Defense for cyber policy, said DoD had signed onto a “memo of understanding” regarding roles for the agency to play in cooperation with DHS to maintain security of the midterm elections, and said DoD recognized the need to partner with DHS and other agencies that protect critical infrastructure.
Wednesday’s hearing was followed by a closed-door session of the two subcommittees during which the witnesses pledged to speak more freely about the agreement.
Agency officials testifying on Wednesday noted the election security coordination between the two agencies, but made it clear that cooperative efforts would continue now that the elections were over.
Jeanette Manfra, assistant secretary for the Office of Cybersecurity and Communications at DHS, said the new agreement with DoD “clarifies roles and responsibilities” to enhance government cyber defenses, and provides “coordinated lines of effort” between the two agencies. The agreement prioritizes critical infrastructure that is most important to DoD, she said, adding that the agencies will “forge a joint understanding of threats” based on that prioritization.
DHS’s knowledge of domestic cyber threats and critical infrastructure will “inform” DoD, while the Pentagon “will help us understand threats” and provide threat data to DHS, she said. DHS intends to remain “the central axis” for domestic cybersecurity, Manfra said.
She said that agency cooperation, and information sharing in particular, needed to be undertaken within “appropriate legal frameworks,” and that the agencies were “getting the leaders and lawyers together to make sure we do that.”
Kenneth Rapuano, assistant secretary of Defense for Homeland Defense and Global Security and principal cyber advisor at DoD, said agency cooperation in the midterm elections marked “a sea change in our partnership.” He said that DoD’s “Defend Forward” strategy to mitigate threats before they arrive in the United States complements DHS strategy, and that together “they form a natural mutually supporting strategy for defense in depth.”
He said the coordination effort was being worked out through a steering committee, and that DoD and DHS are in the process of coordinating a “joint plan for future cyber incident response” that identifies the responsibilities of each agency.
Rapuano said that protecting critical infrastructure remained DHS’ mission, and that DoD’s role would be to provide support to “civil authority” where needs may exceed DHS’ capabilities. And he said DoD was focused on defining “critical national functions” and “looking at all of our dependencies” on critical infrastructure “so we can ensure their resilience.”
Air Force Lt. Gen. Bradford Shwedo, director for Command, Control, Communications and Computers/Cyber, and CIO for the Joint Chiefs of Staff, said the new DoD-DHS pact provides for “bidirectional” intelligence sharing aimed at reducing the timeline to receive actionable intelligence.
He also said DoD was engaged in setting up “pathfinder” efforts with DHS and other sector-specific Federal agencies that also work to protect U.S. critical infrastructure. He promised to tell lawmakers more about them during the closed portion of the hearing.
Questions and comments from subcommittee members at Wednesday’s hearing reflected support for the DoD-DHS agreement, but also included some notes of caution.
Rep. James Langevin, D-R.I., said he was “happy” that the agencies are collaborating, and said DHS and DoD had worked well together on security for the midterm elections. Despite that effort, he said, “We cannot let success blind us to the tremendous challenges ahead” against determined nation-state adversaries. “Frankly, more work needs to be done,” he added.
Langevin said he wanted to know how DoD planned to prioritize assistance it can lend to DHS while still taking care of defense priorities, and he wanted to hear more about “capability building” and how collaboration on a policy level will lead its way down to agency operating levels.
“Cybersecurity is national security, so it is imperative that DHS and DoD work hand in glove” to provide assistance to critical infrastructure partners, said Rep. John Ratcliffe, R-Texas, chairman of the House Cybersecurity and Infrastructure Protection Subcommittee. He said it was “imperative that DHS continues to take the lead” in the civilian realm, but that “the most effective way” to protect U.S. cybersecurity was for the two agencies to cooperate. “We cannot have a disjointed front line” against adversaries, he said.
Ratcliffe pointed to provisions of the FY 2019 National Defense Authorization Act (NDAA) that allow for DoD to provide assistance to DHS, and said it was used in the lead-up to the midterm elections and also in regard to “pathfinder” projects between the two.
“I have faith that both departments can and will work together through any growing pains that might be encountered,” he said.
Rep. Cedric Richmond, D-La., ranking member of the Cybersecurity subcommittee, acknowledged that the two agencies had signed a coordination agreement, but said he had yet to see the agreement and asked that it be sent to the House Homeland Security Committee “as soon as possible.”
The ultimate success of the coordination agreement, he said, rests on reaching agreement both on policy and operational levels, and then “socializing” details of the pact on agency operating levels.
He also noted that DoD receives roughly eight times the cybersecurity-related funding that DHS gets, and said if DHS was expected to become DoD’s equivalent on cybersecurity then “we have to fund it that way.”
Rapuano replied that annual funding for U.S. Cyber Command was in the $300 million to $500 million range. He said the often-used figure of about $8 billion for annual DoD cyber funding mostly funds development of weapons systems that would support cybersecurity missions.
On the funding issue, Richmond pressed Manfra on whether DHS had enough money to protect critical infrastructure, to which she replied, “We can do more with more.”
Rep. Elise Stefanik, R-N.Y., chair of the Emerging Threats and Capabilities subcommittee, told the witnesses to guard against “mission creep,” and asked what they were doing to make sure that each agency focuses on its “lanes of responsibilities.”
Manfra replied that the agencies were focusing on “real work areas where we need to share information,” and working with critical infrastructure operators to make sure they get the right threat data. “We feel very comfortable that this is the right approach,” she said.