Export Compliance Daily is a Warren News publication.
Landrieu Concerned on Concentration

Senate Committee Clears DHS Cybersecurity Hiring Bill

The Senate Homeland Security Committee approved the Department of Homeland Security Cybersecurity Workforce Recruitment and Retention Act Wednesday. Introduced Tuesday by committee Chairman Tom Carper, D-Del. (http://1.usa.gov/1sVoqq6), S-2354 would give the DHS secretary authority that to hire cybersecurity professionals with the same speed and set salary pay scales at the same levels allowed in the Department of Defense and NSA. Larry Zelvin, director of the DHS National Cybersecurity & Communications Integration Center (NCCIC), said at a separate House Homeland Security Committee hearing that DHS needs additional clarification on its legal role in cybersecurity matters to better implement some of its programs.

Sign up for a free preview to unlock the rest of this article

Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.

S-2354 will “create a level playing field for hiring and retaining top talent,” Carper said during the committee markup. Committee ranking member Tom Coburn, R-Okla., strongly supported the bill, saying “the necessity of this cannot really be questioned” given that compared with DOD and NSA, DHS is “at a disadvantage” with hiring cybersecurity professionals. S-2354 would require DHS to submit a plan to Congress within 120 days of the bill’s passage outlining how it would use the hiring authority, and report to Congress annually over the next four years on the program. Sen. Mary Landrieu, D-La., voted “present.” Landrieu said she supports the bill’s goals, but argued that the measure would raise salaries only for jobs located within the Washington metropolitan area.

Raising salaries for jobs in that geographic market will only perpetuate an “arms race” among DHS, DOD and other agencies for the limited pool of qualified cybersecurity professionals, Landrieu said. “In the long term, our country has to think about building the cyber workforce and not just building it inside the blast zone” around Washington, she said.

S-2354 passed with an attached amendment from Sen. Rob Portman (R-Ohio), which Landrieu later co-sponsored, that would require DHS begin implementing the National Cybersecurity Workforce Framework. The framework, which DHS developed with the National Institute of Standards and Technology and the Office of Personnel Management, would standardize categorization of cybersecurity certifications, degrees, jobs and training.

Carper, Coburn and others said DHS’s performance has begun to improve under the leadership of DHS Secretary Jeh Johnson. DHS is “not there yet” on cybersecurity, but under Johnson and Phyllis Schneck, deputy undersecretary-cybersecurity, the agency has “every intention to get there,” Coburn said.

DHS’s implementation of its Einstein 3 Accelerated program for advanced cyber intrusion detection and prevention has been “significantly delayed” by DHS’s lack of clear authority on cybersecurity matters, Zelvin told two House Homeland Security subcommittees. DHS receives 150-200 incidents daily through the Einstein system, part of the National Cybersecurity Protection System, Zelvin said. Schneck told Senate Homeland Security earlier this month that DHS’s work to fix the Heartbleed bug, an issue NCCIC also worked on, took days longer than necessary because of DHS’s lack of clarity on its legal authority on cybersecurity (CD May 8 p15).

Cyberthreats to the U.S. are continuing to grow, Zelvin and other federal officials testified. “The frequency and impact of cyber attacks on our nation’s private sector and government networks have increased dramatically in the past decade and are expected to continue to grow,” said Joseph Demarest, FBI’s assistant director-Cyber Division. NCCIC received more than 31,500 incident reports during the first seven months of FY 2014, Zelvin said. NCCIC detected more than 28,000 vulnerabilities and released more than 4,000 cybersecurity alerts, he said.

The FBI is prioritizing “high-level intrusions,” such as coordination with law enforcement in 19 countries to arrest 90 people associated with the creation of the Blackshades Remote Access Tool (RAT) malware announced Monday (http://1.usa.gov/1kpK599), Demarest said. Counterterrorism and Intelligence Subcommittee Chairman Peter King, R-N.Y., is encouraged by the FBI’s work on the Blackshades arrests and DOJ’s announcement Monday it has indicted five Chinese military officials on cyberespionage charges, he said. “I hope it is a signal of more aggressive U.S. actions to address the cyberthreat as we move forward.”