Written testimony of DHS Secretary Jeh Johnson for a House Committee on Homeland Security hearing titled “Worldwide Threats to the Homeland: ISIS and the New Wave of Terror”

Release Date: July 14, 2016

311 Cannon House Office Building

Chairman McCaul, Representative Thompson, and members of the Committee, thank you for holding this annual threats hearing with me, the FBI Director and the Director of NCTC. I believe this annual opportunity for Congress to hear from us, concerning threats to the homeland is important. I welcome the opportunity to be here again.


San Bernardino and Orlando are terrible reminders of the new threats we face to the homeland.

We have moved from a world of terrorist-directed attacks, to a world that also includes the threat of terrorist-inspired attacks – attacks by those who live among us in the homeland and self-radicalize, inspired by terrorist propaganda on the internet. By their nature, terrorist-inspired attacks are often difficult to detect by our intelligence and law enforcement communities, could occur with little or no notice, and in general, make for a more complex homeland security challenge.

This threat environment has required a whole new type of response.

As directed by President Obama, our government, along with our coalition partners, continues to take the fight militarily to terrorist organizations overseas. ISIL is the terrorist organization most prominent on the world stage. Since September 2014, air strikes and special operations have in fact led to the death of a number of ISIL’s leaders and those focused on plotting external attacks in the West. At the same time, ISIL has lost about 47% of the populated areas it once controlled in Iraq, and thousands of square miles of territory it once controlled in Syria. But as ISIL loses territory, it has increased its plotting on targets outside of Iraq and Syria, and continues to encourage attacks in the United States.

On the law enforcement side, the FBI continues to, in my judgment, do an excellent job of detecting, investigating, preventing, and prosecuting terrorist plots here in the homeland.

Following the attacks in Ottawa, Canada in 2014, and in reaction to terrorist groups’ public calls for attacks on government installations in the western world, I directed the Federal Protective Service to enhance its presence and security at various U.S. government buildings around the country.

The Department of Homeland Security has intensified our work with state and local law enforcement, and strengthened our information sharing efforts. Almost every day, we share intelligence and information with Joint Terrorism Task Forces, fusion centers, local police chiefs and sheriffs. And we are now able to instantly cross-reference suspects against law enforcement and counterterrorism databases and share information—often in almost real-time—with our domestic as well as international partners. We are also enhancing information sharing with organizations that represent businesses, college and professional sports, community and faith-based organizations, and critical infrastructure.

And, since 2013 we’ve spearheaded something called the “DHS Data Framework” initiative. We are improving our ability to use DHS information for our homeland security purposes, and to strengthen our ability to compare DHS data with other travel, immigration, and other information at the unclassified and classified level. We are doing this consistent with laws and policies that protect privacy and civil liberties.

We also provide grant assistance to state and local governments around the country, for things such as active shooter training exercises, overtime for police officers and firefighters, salaries for emergency managers, emergency vehicles, and communications and surveillance equipment. We helped to fund an active shooter training exercise that took place in the New York City subways last November, a series of these exercises earlier this year in Miami and Louisville, and just last month at Fenway Park in Boston. In February, and last month, we announced another two rounds of awards for FY 2016 that will fund similar activities over the next three years.

We are enhancing measures to detect and prevent travel to this country by foreign terrorist fighters.

We are strengthening the security of our Visa Waiver Program, which permits travelers from 38 different countries to come to the U.S. for a limited time period without a visa. In 2014, we began to collect more personal information in the Electronic System for Travel Authorization, or “ESTA” system, that travelers from Visa Waiver countries are required to use. ESTA information is screened against the same counterterrorism and law enforcement databases that travelers with traditional visas are screened against, and must be approved prior to an individual boarding a plane to the United States. As a result of these enhancements, over 3,000 additional travelers were denied travel here through this program in FY 2015. In August 2015, we introduced further security enhancements to the Visa Waiver Program.

Through the passage in December of the Visa Waiver Program Improvement and Terrorist Travel Prevention Act of 2015, Congress has codified into law several of these security enhancements, and placed new restrictions on eligibility for travel to the U.S. without a visa. We began to enforce these restrictions on January 21, 2016. Waivers from these restrictions will only be granted on a case-by-case basis, when it is in the law enforcement or national security interests of the United States to do so. Those denied entry under the Visa Waiver Program as a result of the new law may still apply for a visa to travel to the U.S. In February, under the authority given me by the new law, I also added three countries – Libya, Yemen and Somalia – to a list that prohibits anyone who has visited these nations in the past five years from traveling to the U.S. without a visa. In April, DHS began enforcing the mandatory use of high security electronic passports for all Visa Waiver Program travelers. In both February and June, CBP enhanced the ESTA application with additional questions.

We are expanding the Department’s use of social media for various purposes. Today social media is used for over 30 different operational and investigative purposes within DHS. Beginning in 2014 we launched four pilot programs that involved consulting the social media of applicants for certain immigration benefits. USCIS now also reviews the social media of Syrian refugee applicants referred for enhanced vetting, and is extending this review to additional categories of refugee applicants. Based upon the recommendation of a Social Media Task Force within DHS, I have determined, consistent with relevant privacy and other laws, that we must expand the use of social media even further.

CBP is deploying personnel at various airports abroad, to pre-clear air travelers before they get on flights to the United States. At present, we have this pre-clearance capability at 15 airports overseas. And, last year, through pre-clearance, we denied boarding to over 10,700 travelers (or 29 per day) before they even got to the United States. As I said here last year, we want to build more of these. In May 2015, I announced 10 additional airports in nine countries that we’ve prioritized for preclearance. In May, CBP announced an “open season,” running through August 1, for foreign airports to express interest in participating in the next round of preclearance expansion. I urge Congress to pass legislation enabling preclearance operations in Canada, by providing legal clarity to CBP officials who are responsible for the day-to-day operation of preclearance facilities there.

For years Congress and others have urged us to develop a system for biometric exit – that is, to take the fingerprints or other biometric data of those who leave the country. CBP has begun testing technologies that can be deployed for this nationwide. With the passage of the FY 2016 Omnibus Appropriations Act, Congress authorized up to $1 billion in fee increases over a period of ten years to help pay for the implementation of biometric exit. In April, the Department delivered its Comprehensive Biometric Entry/Exit Plan to Congress, which details CBP’s plan for expanding implementation of a biometric entry/exit system using that funding. I have directed that CBP redouble its efforts to achieve a biometric entry/exit system, and to begin implementing biometric exit, starting at the highest volume airports, in 2018.

Last January I announced the schedule for the final two phases of implementation of the REAL ID Act, which go into effect in January 2018 and then October 2020. At present, 24 states are compliant with the law, 28 have extensions, and 4 states or territories are out of compliance without an extension. Now that the final timetable for implementation of the law is in place, we urge all states, for the good of their residents, to start issuing REAL ID-compliant drivers’ licenses as soon as possible.

In the current threat environment, there is a role for the public too. “If You See Something, Say Something”™ must be more than a slogan. We continue to stress this. DHS has now established partnerships with the NFL, Major League Baseball and NASCAR, to raise public awareness at sporting events. An informed and vigilant public contributes to national security.

In December we reformed “NTAS,” the National Terrorism Advisory System. In 2011, we replaced the color-coded alerts with NTAS. But, the problem with NTAS was we never used it, it consisted of just two types of Alerts: “Elevated” and “Imminent,” and depended on the presence of a known specific and credible threat. This does not work in the current environment, which includes the threat of homegrown, self-radicalized, terrorist-inspired attacks. So, in December we added a new form of advisory – the NTAS “Bulletin” – to augment the existing Alerts, and issued the first Bulletin providing the public with information on the current threat environment and how they can help. The December Bulletin expired last month, and we issued a new and updated Bulletin on June 15.

Given the nature of the evolving terrorist threat, building bridges to diverse communities is also a homeland security imperative. Well informed families and communities are the best defense against terrorist ideologies. Al Qaeda and ISIL are targeting Muslim communities in this country. We must respond. In my view, building bridges to our communities is as important as any of our other homeland security missions.

In 2015 we took these efforts to new levels. We created the DHS Office for Community Partnerships (OCP), which is now the central hub for the Department’s efforts to counter violent extremism in this country, and the lead for a new interagency Countering Violent Extremism (CVE) Task Force that includes DHS, the Department of Justice (DOJ), the FBI, the National Counter Terrorism Center (NCTC) and other agencies. We are focused on partnering with and empowering communities by providing them a wide range of resources to use in preventing violent extremist recruitment and radicalization. Specifically, we are providing access to federal grant opportunities for state and local leaders, and partnering with the private sector to find innovative, community-based approaches.

Ensuring that the Nation’s CVE efforts are sufficiently resourced has been an integral part of our overall efforts. Last week, on July 6, I announced the CVE Grant Program, with $10 million in available funds provided by Congress in the 2016 Omnibus Appropriations Act. The CVE Grant Program will be administered jointly by OCP and FEMA. This is the first time federal funding at this level will be provided, on a competitive basis, specifically to support local CVE efforts. The funding will be competitively awarded to state, tribal, and local governments, nonprofit organizations, and institutions of higher education to support new and existing community-based efforts to counter violent extremist recruitment and radicalization to violence.

Finally, given the nature of the current threat from homegrown violent extremists, homeland security must include sensible gun control laws. We cannot have the former without the latter. Consistent with the Second Amendment, and the right of responsible gun owners to possess firearms, we must make it harder for a terrorist to acquire a gun in this country. The events of San Bernardino and Orlando make this painfully clear.

Aviation Security

As we have seen from recent attacks in Egypt, Somalia, Brussels, and Istanbul, the threat to aviation is real. We are taking aggressive steps to improve aviation and airport security. In the face of increased travel volume, we will not compromise aviation security to reduce wait times at Transportation Security Administration (TSA) screening points. With the support of Congress we are surging resources and adding personnel to address the increased volume of travelers.

Since 2014 we have enhanced security at overseas last-point-of-departure airports, and a number of foreign governments have replicated those enhancements. Security at these last-point-of-departure airports remains a point of focus in light of recent attacks, including those in Brussels and Istanbul.

As you know, in May of last year a classified DHS Inspector General’s test of certain TSA screening at eight airports, reflecting a dismal fail rate, was leaked to the press. I directed a 10-point plan to fix the problems identified by the IG. Under the new leadership of Admiral Pete Neffenger over the last year, TSA has aggressively implemented this plan. This has included retraining the entire Transportation Security Officers (TSO) workforce, increased use of random explosive trace detectors, testing and re-evaluating the screening equipment that was the subject of the IG’s test, a rewrite of the standard operating procedures manual, increased manual screening, and less randomized inclusion in Pre-Check lanes. These measures were implemented on or ahead of schedule.

We are also focused on airport security. In April of last year TSA issued guidelines to domestic airports to reduce access to secure areas, to require that all airport and airline personnel pass through TSA screening if they intend to board a flight, to conduct more frequent physical screening of airport and airline personnel, and to conduct more frequent criminal background checks of airport and airline personnel. Since then employee access points have been reduced, and random screening of personnel within secure areas has increased four-fold. We are continuing these efforts in 2016. In February, TSA issued guidelines to further enhance the screening of aviation workers in the secure area of airports, and in May, TSA and airport operators completed detailed vulnerability assessments and mitigation plans for nearly 300 federalized airports.

We will continue to take appropriate precautionary measures, both seen and unseen, to respond to evolving aviation security threats and protect the traveling public.

Without short-cutting aviation security, we are also working aggressively to improve efficiency and minimize wait times at airport security check points in the face of increased air travel volumes. I thank Congress for approving our two reprogramming requests that have enabled us to expedite the hiring of over 1,300 new TSOs, pay additional overtime to the existing TSO workforce, and convert over 2,700 TSOs from part-time to full-time.

We have also brought on and moved canine teams to assist in the screening of passengers at checkpoints, solicited over 150 volunteers from among the TSO workforce to accept temporary reassignment from less busy to busier airports, deployed optimization teams to the Nation’s 20 busiest airports to improve operations, and stood up an Incident Command Center at TSA headquarters to monitor checkpoint trends in real time.

We continue to encourage the public to join TSA Pre✓®. The public is responding. While enrollments a year ago were at about 3,500 daily, now enrollments are exceeding 15,000 a day. For 90% of those who are enrolled and utilize TSA Pre✓®, wait times at TSA checkpoints are five minutes or less.

Airlines and airports are also assisting to address wait times. We appreciate that major airlines and airport operators have assigned personnel to certain non-security duties at TSA checkpoints, and are providing support in a number of other ways. Longer term, we are working with airlines and airports to invest in “Innovation lanes” and other technology to transform the screening of carry-on luggage and personal items.

Our efforts are showing results. Nationwide, the wait time for more than 99% of the traveling public is 30 minutes or less, and more than 90% of the traveling public is waiting 15 minutes or less. But we are not taking a victory lap. Over the Fourth of July holiday weekend, TSA screened 10.7 million travelers. June 30 and July 1 were the highest-volume travel days we have seen since 2007. During this period, however, the average wait time nationwide in standard security lines was less than ten minutes, while those in TSA Pre-check lines waited an average of less than five minutes.

We plan to do more. The summer travel season continues, followed by holiday travel in the fall and winter. We are accelerating the hiring of an additional 600 TSOs before the end of the fiscal year. And we will continue to work with Congress to ensure TSA has the resources it needs in the coming fiscal years.

As I have said many times, we will keep passengers moving, but we will also keep them safe.


Along with counterterrorism, cybersecurity remains a cornerstone of our Department’s mission. Making tangible improvements to our Nation’s cybersecurity is a top priority for President Obama and for me to accomplish before the end of the Administration.

On February 9th, the President announced his “Cybersecurity National Action Plan,” which is the culmination of seven years of effort by the Administration. The Plan includes a call for the creation of a Commission on Enhancing National Cybersecurity, additional investments in technology, federal cybersecurity, cyber education, new cyber talent in the federal workforce, and improved cyber incident response.

DHS has a role in almost every aspect of the President’s plan.

As reflected in the President’s 2017 budget request, we want to expand our cyber response teams from 10 to 48.

We are doubling the number of cybersecurity advisors to in effect make “house calls,” to assist private sector organizations with in-person, customized cybersecurity assessments and best practices.

Building on DHS’s “Stop. Think. Connect” campaign, we will help promote public awareness on multi-factor authentication.

We will collaborate with Underwriters Laboratory and others to develop a Cybersecurity Assurance Program to test and certify networked devices within the “Internet of Things” — such as your home alarm system, your refrigerator, or even your pacemaker.

I have also directed my team to focus urgently on improving our abilities to protect the Federal Government and private sector. Over the past year, the National Cybersecurity Communications Integration Center, or “NCCIC,” increased its distribution of information, the number of vulnerability assessments conducted, and the number of incident responses.

I have issued an aggressive timetable for improving federal civilian cybersecurity, principally through two DHS programs:

The first is called EINSTEIN. EINSTEIN 1 and 2 have the ability to detect and monitor cybersecurity threats attempting to access our federal systems, and these protections are now in place across nearly all federal civilian departments and agencies.

EINSTEIN 3A is the newest iteration of the system, and has the ability to automatically block potential cyber intrusions on our federal systems. Thus far E3A has actually blocked over a million potential cyber threats, and we are rapidly expanding this capability. About a year ago, E3A covered only about 20% of our federal civilian networks. In the wake of the malicious cyber intrusion at the Office of Personnel Management, in May of last year I directed our cybersecurity team to make at least some aspects of E3A available to all federal departments and agencies by the end of last year. They met that deadline. Now that the system is available to all civilian agencies, 50% of federal personnel are actually protected, including the Office of Personnel Management, and we are working to get all federal departments and agencies on board by the end of this year.

The second program, called Continuous Diagnostics and Mitigation, or CDM, helps agencies detect and prioritize vulnerabilities inside their networks. In 2015, we provided CDM sensors to 97% of the federal civilian government. Next year, DHS will provide the second phase of CDM to 100% of the federal civilian government.

I have also used my authorities granted by Congress to issue Binding Operational Directives and further drive improved cybersecurity across the federal government. In May 2015, I directed civilian agencies to promptly patch vulnerabilities on their Internet-facing devices. These vulnerabilities are accessible from the Internet, and thus present a significant risk if not quickly addressed. Agencies responded quickly and mitigated all of the vulnerabilities that existed when the directive was issued. Although new vulnerabilities are identified every day, agencies continue to fix these issues with greater urgency than before the directive.

Last month, I issued a second binding operational directive. This directive mandated that agencies participate in DHS-led assessments of their high value assets and implement specific recommendations to secure these important systems from our adversaries. We are working aggressively with the owners of those systems to increase their security.

In September 2015, DHS awarded a grant to the University of Texas at San Antonio to work with industry to identify a common set of best practices for the development of Information Sharing and Analysis Organizations, or “ISAOs.” The University of Texas at San Antonio recently released the first draft of these best practices. They will be released in final form later this year after public comment.

Finally, I thank Congress for passing the Cybersecurity Act of 2015. This new law is a huge assist to DHS and our cybersecurity mission. We are in the process of implementing that law now. As required by the law, our NCCIC has built a system to automate the receipt and distribution of cyber threat indicators at real-time speed. We built this in a way that also includes privacy protections.

In March, I announced that this system was operational. At the same time, we issued interim guidelines and procedures, required by this law, providing federal agencies and the private sector with a clear understanding of how to share cyber threat indicators with the NCCIC, and how the NCCIC will share and use that information. We have now issued the final guidelines and procedures consistent with the deadline set by the law.

I appreciate the additional authorities granted to us by Congress to carry out our mission. Today, we face increasing threats from cyber-attacks against infrastructure and I strongly believe that we need an agency focused on cyber security and infrastructure protection.

I have asked Congress to authorize the establishment of a new operational Component within DHS, the Cyber and Infrastructure Protection agency. We have submitted a plan which will streamline and strengthen existing functions within the Department to ensure we are prepared for the growing cyber threat and the potential for large scale or catastrophic physical consequences as a result of an attack. I urge Congress to take action so we are able to ensure DHS is best positioned to execute this vital mission.


I am pleased to provide the Committee with this overview of the progress we are making at DHS on countering threats. You have my commitment to work with each member of this Committee to build on our efforts to protect the American people.

I look forward to your questions.

Syndicated from the Department of Homeland Security

DHS Awards Initial Funding of the Chicago Implementation of the Securing the Cities Program

Release Date: July 13, 2016

WASHINGTON—The Department of Homeland Security (DHS) has awarded the initial funding of the Domestic Nuclear Detection Office’s (DNDO) Securing the Cities program to Chicago, further building upon the Department’s ongoing efforts to increase the Nation’s capabilities to detect and protect against radiological and nuclear threats.

“The Domestic Nuclear Detection Office’s mission is to protect the Nation against the malicious use of nuclear and other radioactive materials,” said DNDO’s Acting Director Dr. Wayne Brasure. “Expanding the Securing the Cities program to Chicago will bring important capabilities to one more of our country’s largest metropolitan areas.”

The Securing the Cities program seeks to reduce the risk of a successful deployment of a radiological or nuclear weapon against major metropolitan areas in the United States. The program assists state and local partner agencies as they build regional capabilities to detect, analyze, and report nuclear and other radioactive materials.

As part of the Securing the Cities program, the Chicago region will receive up to $30 million over five years. The initial funding to Chicago provides $3.5 million to begin the region’s planning and analysis.  Future funding will allow DNDO to work with partners in the Chicago area to build a robust, regional nuclear detection capability for law enforcement and first responders. DNDO will also provide equipment and assist regional partners in conducting training and exercises to further their nuclear detection capabilities and coordinate with federal operations. Once funding concludes, DNDO will continue to provide subject matter expertise in the areas of training, exercises, and technical support to ensure the region maintains detection capability.

Initial work in Chicago will begin before the conclusion of the current fiscal year.  The program began in 2006 as a pilot project for the New York City/Jersey City/Newark region and expanded to the Los Angeles/Long Beach region in 2012, the National Capital Region in 2014, and the Houston region in 2015. The Department intends to expand the program to additional major metropolitan areas in the coming years.

Once fully implemented, the program’s capabilities will extend to protect nearly 100 million people in the country.



Written testimony of I&A, USCG, and MGMT for a House Homeland Security Subcommittee on Counterterrorism and Intelligence hearing titled “Counterintelligence and Insider Threats: How Prepared is the Department of Homeland Security?”

Release Date: July 13, 2016

311 Cannon House Office Building

Chairman King, Ranking Member Higgins, and distinguished Members of the Committee, thank you for the opportunity to appear before you today to discuss the Department of Homeland Security’s (DHS) efforts to address Counterintelligence and Insider Threat. We look forward to providing our joint perspective on the full range of counterintelligence and insider threats we face as a Department.

Counterintelligence Threat

DHS continues to face a complex foreign intelligence threat environment. In recent decades, the U.S. Government has made extraordinary strides in adapting to the changing fiscal, technological, and threat environment. However, the challenges of keeping up with the threat have provided opportunities for foreign intelligence entities to expand their scope of collection and operations against the U.S. Government, including at DHS. There also continues to be significant damage done by insiders who engage in unauthorized disclosures.

In the 2016 National Counterintelligence Strategy, President Obama characterized the counterintelligence threat as “daunting” and one that “seeks to undermine our economic strength, steal our most sensitive information, and weaken our defenses.” On a daily basis, foreign intelligence entities, including non-traditional actors such as terrorist groups and transnational criminal organizations, use human and technical means, both openly and clandestinely, to steal U.S. national security information that is of vital importance to our security. The interconnectedness of systems and emerging technologies provide our adversaries with novel ways to steal valuable information from the U.S. Government, academic institutions, and businesses – oftentimes from the safety of a computer thousands of miles away. As the cyber-intrusions against the Office of Personnel Management (OPM) illustrated to millions of government employees, federal agencies continue to remain at significant risk of being targeted by foreign adversaries.

Director of National Intelligence (DNI) James Clapper assessed [1] that the leading threat of intelligence collection on U.S. interests is and will continue to be Russia and China, based on their overt intent, capabilities, and broad operational scope. Other state actors in Asia and Latin America pose local and regional counterintelligence threats to U.S. interests. In addition, Iranian and Cuban intelligence and security services continue to view the United States as their top priority for intelligence collection. The DNI further assessed that penetrating and influencing the U.S. national decision-making apparatus and the Intelligence Community (IC) will remain primary objectives for foreign intelligence entities.

International terrorist groups and transnational organized crime organizations continue to operate and strengthen their intelligence capabilities utilizing human, technical, and cyber means. Similar to state actors, these non-state entities successfully recruit human sources and conduct physical and technical surveillance of their targets, with increasing sophistication, in order to evade detection and capture.

Finally, we continue to believe that unauthorized disclosures of sensitive U.S. Government information are and will remain a threat for the foreseeable future. The interconnectedness of information technology systems exacerbates this threat.

[1] James Clapper, Statement for the Record, “Worldwide Threat Assessment of the US Intelligence Community,” February 9, 2016, http://www.intelligence.senate.gov/sites/default/files/wwt2016.pdf


Counterintelligence Strategy and Implementation

DHS is implementing the National Counterintelligence Strategy of the United States of America 2016. As a result of the broader intelligence transformation that the Office of Intelligence and Analysis has undertaken in the last year, I have made integrating counterintelligence into the broader DHS mission and our Components’ worldwide operations one of my top priorities. To emphasize the growing importance of counterintelligence activities, we realigned I&A Counterintelligence Division to directly report to the I&A front office to reflect its Department-wide responsibilities.

We continue to develop a holistic Counterintelligence Program across the Department, leveraging the Homeland Security Intelligence Council to drive integration of counterintelligence activities across the DHS Intelligence Enterprise. Our objectives are to:

  • Deepen our understanding of the threats posed by foreign intelligence entities and insider threats to DHS;
  • Detect, deter and disrupt these threats through proactive training and awareness campaigns and effective investigative efforts;
  • Safeguard sensitive information from exploitation by identifying the department’s most critical assets and implementing enhanced protective measures; and
  • Support Departmental efforts to protect our Nation’s networks from foreign intelligence efforts to disrupt, exploit, or steal sensitive information, including personally identifiable information.

To help coordinate this effort, we created a Counterintelligence and Security Board, co-chaired by the DHS Counterintelligence Director and the DHS Chief Security Officer to better integrate and align Component Counterintelligence and security programs. This Board helps synchronize the Department’s counterintelligence efforts, insider threat programs, foreign access and visitor management, and related counterintelligence and security activities.

As part of the effort to integrate counterintelligence into Component missions and operations, I&A Counterintelligence Division is embedding experienced Counterintelligence Officers in each of the Operational Components and highest risk headquarters offices. These Counterintelligence Officers perform myriad functions, including:

  • Assisting DHS Component Leadership with their efforts to protect DHS personnel, programs, and information from external and internal threats;
  • Conducting comprehensive foreign intelligence threat and awareness briefings, including foreign travel briefings and debriefings for DHS personnel traveling to high threat countries;
  • Assisting with periodic Counterintelligence Program Compliance Reviews; and
  • Creating a culture of CI awareness through training.

I&A’s Counterintelligence Division recently began Departmental counterintelligence capability assessments and program reviews to identify gaps requiring additional resources and prioritize existing resources. The assessments and reviews examine which DHS operations are most vulnerable to foreign intelligence entities, and provide the information necessary to make decisions on defensive counterintelligence operations to counter the foreign intelligence entity threat.

The Counterintelligence Division also produces all-source intelligence analysis of foreign intelligence threats to DHS personnel, operations, technology, and the broader Homeland Security Enterprise, including our State, Local, Tribal, Territorial, and Private Sector partners. I&A recently completed a classified counterintelligence threat assessment covering the last three years. This assessment, which serves as our baseline, will be updated annually to track trends and significant changes in the counterintelligence threat environment.

As a member of the Committee on Foreign Investment in the United States (CFIUS), DHS conducts analysis to support the ODNI-led National Security Threat Assessments. If a National Security Agreement or other risk mitigation agreement is put in place, DHS counterintelligence analysts assess the threat to support DHS CFIUS Compliance Monitoring—the process through which the U.S. Government continuously tracks, evaluates, and enforces CFIUS mitigation measures.

DHS counterintelligence also supports Team Telecom, comprised of the DHS, Department of Justice (DOJ), and Department of Defense (DoD). Team Telecom reviews applications to the Federal Communications Commission (FCC) when there is disclosable foreign ownership and potential national security, law enforcement, and public interest concerns. Our threat assessment informs Team Telecom’s recommendations to the FCC.

We also recognize that much of the DHS workforce and the broader Homeland Security Enterprise does not handle classified information and is not always aware of foreign intelligence entity threats or the relevance of counterintelligence to their work. We work to educate the workforce on their counterintelligence responsibilities.

  • In July 2013, I&A’s Counterintelligence Division published an unclassified finished intelligence product on potential indicators of foreign collection techniques for our federal, state, and local partners who host foreign delegations and tours. The product highlighted “Topics of Concern” and “Behaviors of Concern” that might raise a red flag and that personnel should be aware of, and encouraged them to report suspicious activity.
  • Following the breach of personnel information from the compromise of OPM databases, we have also conducted significant outreach on the potential threats stemming from that incident, educating the workforce and our stakeholders on how they might be targeted and encouraging them to report suspicious activity.

To enhance our counterintelligence program, we are forging strong partnerships within DHS and are partnering with counterintelligence elements across the U.S. Government.

U.S. Coast Guard Counterintelligence Service

The U.S. Coast Guard’s (USCG) Counterintelligence Service serves as a model for our Components. Established in 2004, the USCG Counterintelligence Service provides defensive counterintelligence support to USCG personnel and units hosting foreign visitors or traveling overseas. Given the USCG’s unique maritime mission and frequent international engagements, establishing this capability has proven crucial to protecting USCG personnel from foreign intelligence entity collection attempts and serves as the cornerstone for further development of the Counterintelligence Service’s capabilities.

The USCG Counterintelligence Service engages in counterintelligence operations and investigations with partner agencies, and provides its personnel with both online and in-person threat awareness training. The USCG also maintains an internal website that hosts insider threat reference material, as well as a portal employees can use to report insider threat concerns.

The USCG Counterintelligence Service has increased analytic production tailored to the current threat environment, specifically with products related to countering foreign intelligence entities and transnational organized crime collection efforts targeting the USCG.

Most recently, in support of the USCG’s Western Hemisphere Strategy and the DHS Southern Borders and Approaches Campaign, the USCG Counterintelligence Service initiated a pilot program to integrate Counterintelligence Service Agents with DoD Force Protection Detachments, supporting the increased USCG presence in foreign countries.

Insider Threat Program

With more than 115,000 federal employees who have access to classified national security information, implementing Executive Order (EO) 13587 [2] and the President’s National Policy and Minimum Standards for Executive Branch Insider Threat Programs is the Department’s top information safeguarding priority. Established pursuant to EO 13587, the DHS Insider Threat Program is a department-wide effort to protect classified national security information from unauthorized disclosure. The purpose of the program is to identify, detect, deter, and mitigate the unauthorized disclosure of classified information. The DHS Chief Security Officer serves as the department’s Senior Official responsible for the day-to-day management and oversight of the Insider Threat Program.

We have made tremendous strides maturing our program to address insider threats to classified information and we expect to meet the Administration’s mandate to make our insider threat program fully operational by the end of the calendar year, including the deployment of monitoring technology on all of our classified computer networks. This includes the Secret-level Homeland Secure Data Network, which provides classified connectivity to our 23 federal agency subscribers and nearly all State and Local Fusion Centers.

Significantly, the USCG became the first Insider Threat Program in the Executive Branch to achieve “Full Operating Capability” status as assessed by the National Insider Threat Task Force. USCG has been addressing insider threats since 2008, and, in 2012, installed technologies designed to assist in addressing insider threats on classified computer systems. USCG’s technical detection capability – staffed by engineers and analysts – spans all classified USCG computers, fuses information from other organizations, and has constant oversight.

In addition to the deployment of monitoring technology to all of our classified networks, we have implemented the capability to collect, fuse, correlate, and analyze information from various data sources in order to identify suspected insider threats. This capability has constant oversight by our General Counsel, Privacy Officer, and Officer for Civil Rights and Civil Liberties in order to ensure the protection of privacy, civil rights, and civil liberties of all of our personnel.

We strongly believe that in order to prevent insider threats from materializing through early intervention, we must educate and train our workforce to “See Something, Say Something.” We are in the process of providing our workforce with comprehensive awareness training to better sensitize our workforce to identify and report anomalous behavior indicative of an insider threat. This training, which will serve as a force multiplier for our program, enables the detection of potential threats that cannot be discovered through any technological solution available today. Earlier detection will allow for earlier mitigation of potential threats and we believe this is a key component of our program.

The Insider Threat Program complements the Department’s counterintelligence and security missions. In recognition of this, the Department is currently considering expanding the scope of our program to include preventing, deterring, detecting, and mitigating other threats posed by insiders such as workplace violence, criminal activity, and misconduct.

[2] EO 13587 “Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information”



Chairman King, Ranking Member Higgins, and Members of the Committee, we thank you again for the opportunity to appear before you today to discuss these important matters. We look forward to answering your questions.

Syndicated from the Department of Homeland Security


Written testimony of NPPD for a House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies hearing titled “Value of DHS’ Vulnerability Assessments in Protecting our Nation’s Critical Infrastructure”

Release Date: 
July 12, 2016

311 Cannon House Office Building

Chairman Ratcliffe, Ranking Member Richmond, thank you for the opportunity to appear before you today to discuss the crucial role that Protective Security Advisors (PSAs) and Cybersecurity Advisors (CSAs) serve in furthering the U.S. Department of Homeland Security’s (DHS) mission to enhance the security and resilience of the nation’s critical infrastructure in an all-hazards environment. We appreciate Congress’ draft legislation that would stand up the National Protection and Programs Directorate (NPPD) as an operational component focused on cyber and infrastructure protection and further our holistic risk management approach.

PSAs and CSAs both support NPPD’s operational mission by assisting State, local, territorial, and tribal (SLTT) governments and private sector customers in understanding and mitigating threats, vulnerabilities, and consequences affecting the provision of essential functions, goods, and services. PSAs and CSAs achieve this end through information sharing, capacity building, and direct assistance. The risks that our stakeholders face are cyber and physical, natural and man-made. Some risks blur the distinction between cyber and physical, such as space weather or electromagnetic pulse, while others combine aspects of cyber and physical risk: cyber-attacks causing physical impacts, natural disasters impacting communication networks, or man-made attacks on lifeline critical infrastructure. The proposed realignment, which was included in NPPD’s draft reorganization proposal, will further the ability of our cybersecurity experts and physical security experts to work side-by-side, ensuring that risks to critical infrastructure are fully assessed and effectively mitigated and directly supporting our ability to address an emerging risk environment in which cyber and physical boundaries are increasingly meaningless.

Risk Management

DHS has an all-hazards mission for protecting the homeland. This means that we must plan for and prioritize a range of risks from natural disasters to terrorism to cyber-attacks. Our mission includes recurring, persistent, and relatively well understood hazards such as hurricanes and earthquakes, as well as threats and hazards such as solar storms where we must continue to understand the likelihood and consequences of a possible event. For this reason, DHS approaches threats and hazards based on an all-hazards analysis of risk and due caution in the face of inherent uncertainty. This risk-informed approach guides our planning efforts and the development of new or enhanced capabilities to address emerging hazards and threats.

Risk is comprised of three variables: threats that exploit vulnerabilities to cause undesirable consequences. In other words, risk is a function of threat, vulnerability, and consequence. DHS recognizes that risk cannot be eliminated and therefore must be managed through proven practices including timely information sharing. Risk management practices include risk acceptance as well as risk mitigation. Risk management can also include risk transfer, such as contractual provisions or insurance coverage. But ultimately, risk cannot be eliminated: there will be incidents, so we must also focus on the resiliency of our infrastructure under all conditions.

Threat landscape

NPPD is focused on two threats that are particularly salient in the current risk environment: terrorism and cyber-attacks. Terrorist attacks such as those in France in 2015, Belgium in 2016, and the tragic attacks in Istanbul and Orlando just last month highlight the continuing threat. These attacks underscore the persistence of our adversaries and the vulnerability of public gathering sites.

Terrorist tactics and techniques have transitioned from complicated attacks such as 9/11 to simple acts of violence using readily-available weapons such as a gun, knife, hatchet, or car. The threats we face today are thus more decentralized than a decade ago and reflect, as Secretary Johnson has said, a new phase of global terrorism. We have moved from a world of directed attacks to one of inspired attacks. Inspired attacks are harder for intelligence and law enforcement communities to detect, can occur with little or no notice, and create a more complex homeland security challenge.

The threat landscape in cyberspace is also changing. Threat actors in cyberspace have highly diverse motivations. Some seek to achieve a political or social aim. Others seek financial benefit and are developing new means to monetize cyber intrusions, as exemplified by the recent wave of “ransomware” attacks. Other adversaries attempt to use strong-arm tactics to advance a goal, such as destroying systems and data to convey a political message, or target sensitive government and private sector systems to steal critical information for espionage purposes.

Perhaps most importantly, the past year saw the use of a cyber attack to achieve a significant disruption of civilian critical infrastructure. In December, several Ukrainian power companies experienced a cyberattack that resulted in power outages lasting around 6 hours that impacted over 200,000 customers. The cyber attack was well-planned, well-coordinated, and used destructive malware to delay recovery efforts. This attack should be a warning to our Nation. Our adversaries have the cyber capabilities to harm our national security, economic security, public health, and safety. This threat environment requires DHS to place renewed focus on providing our customers with risk management tools, information, and support to protect against cyber attacks and mitigate the consequences when a compromise occurs.

Critical Infrastructure Security and Resilience

These trends in the threat landscape require NPPD, as directed by the National Infrastructure Protection Plan (NIPP), to approach risk management from both a top down and bottom up perspective. The majority of the nation’s critical infrastructure is owned and operated by the private sector or by State, local, tribal, and territorial (SLTT) governments. As a result, it is important that government and industry work together to mitigate threats, vulnerabilities, and consequences.

We use a top down approach as we work closely with and across critical infrastructure sectors to understand and address sector- and economy-wide risks. We use a bottom up approach to develop a trusted relationship with owners and operators of the nation’s critical infrastructure: for example, a single power plant. PSAs and CSAs are the core of our bottom up approach and serve as the focal point of support to individual critical infrastructure owners and operators. As our stakeholders make challenging decisions about how to manage their own risk, field-based PSAs and CSAs provide advice and connect operators to security capabilities offered across the U.S. Government.

Our PSAs and CSAs operate within a statutory, policy, and doctrinal framework of voluntary partnerships. They conduct vulnerability and consequence assessments, provide information on emerging threats and hazards, and offer tools and training to help critical infrastructure owners and operators and SLTT partners understand and address risks. Finally, they provide on-site critical infrastructure subject-matter expertise during special events and incident responses.

The PSAs have been valuable advisors to local law enforcement. During last year’s events in Baltimore, the local PSA received a request from Baltimore Gas and Electric (BGE) to facilitate National Guard Troops at their Spring Gardens facility, fearing that the private security at the main gate may not be able to prevent protestors from entering the plant. The Baltimore PSA advised the Baltimore Police Department Incident Commander of the request and subsequently, the Maryland Army National Guard provided troops near the main entrance, and no incidents took place. This direct, community based security support is precisely the public service that PSAs provide, as highlighted by the recent tragic attacks in Orlando, and the still unfolding events in Dallas last week.

PSA and CSA Value Proposition

The Department’s approach to critical infrastructure security and resilience is predicated on public-private partnerships. Such partnerships depend on the formation of trusted relationships between public and private sector partners. These trusted partnerships are most effectively formed through regular and meaningful interactions among Federal agencies, private sector owners and operators, and SLTT governments. In turn, such interactions are most effectively enabled by regionally-based Federal representatives. The PSAs and CSAs serve as these regional representatives to establish and mature the relationships with critical infrastructure owners and operators and SLTT governments that are foundational to our voluntary approach to risk management.

In existence since 2004, the PSA program is a mature initiative that presently fields 102 regionally-based personnel. The President’s FY2017 Budget requests further growth to 119 regionally-based PSAs to meet demand. As field-based representatives, the PSAs work closely with private sector companies and with State Homeland Security Advisers. SLTT stakeholders from every region served by the PSA programs have consistently identified PSAs as a highly valued source of support for their critical infrastructure protection responsibilities. While PSAs focus principally on physical security, they are beginning to provide customers with targeted information based on the existing NPPD portfolio of cybersecurity services to maximize the breadth of outreach for both cyber and physical risk management activities.

The CSA program is modeled after the PSA program, although it reflects several differences to account for its focus on cybersecurity. More nascent than the PSA program, there are currently five regionally-deployed CSAs. By the end of this fiscal year, we expect to deploy 13 total CSAs in the field. The President’s FY2017 Budget requests a total strength of 24 CSAs. CSAs provide NPPD’s most effective mechanism to reach small and medium businesses that may lack the resources to participate in other cybersecurity programs, offer cybersecurity risk assessments to our stakeholders, and provide the Department with invaluable insight into national risk trends that are applicable to the development of new capabilities. CSAs’ primary points of contact are private sector and SLTT government Chief Information Officers and Chief Information Security Officers.

PSA Program

The PSA program’s primary mission is to proactively engage with Federal and SLTT government mission partners and members of the private sector stakeholder community to protect critical infrastructure. The PSAs have five mission areas that directly support the protection of critical infrastructure:

  1. Conduct Assessments to Foster Risk Management Best Practices;
  2. Threat and Hazard Outreach;
  3. Incident Response;
  4. Support to National Special Security Events (NSSEs) and Special Event Activity Rating (SEAR) Events; and
  5. Coordinate and Support Risk Mitigation Training—particularly active shooter and bombing prevention training.

1. Conduct Assessments to Foster Risk Management Best Practices

One of the central ways that PSAs support critical infrastructure owners and operators is by planning, coordinating and conducting voluntary, non-regulatory security surveys and assessments on critical infrastructure assets and facilities within their respective regions, ranging from houses of worship to major league sports stadiums. Our PSAs offer a range of assessment capabilities including Infrastructure Survey Tool (IST) security surveys, Assist Visits, Infrastructure Visualization Platform imagery captures and broader assessments conducted through the Regional Resiliency Assessment Program (RRAP).

The resulting survey information is provided to owners and operators and highlights areas of potential concern, recommendations to mitigate identified vulnerabilities, and options to view the impact of potential enhancements to protection and resilience measures. Over 85 percent of the assessed facilities indicate that they will use the feedback from the PSA to guide their security or resilience enhancements.

The increasingly tight coupling and interconnection between cyber and physical systems has required PSAs to begin conducting joint assessments of cyber and physical security. A principal example of such a joint assessment was an RRAP conducted on a Data Center Cluster in Ashburn, VA that assessed cyber and physical risks to a key information technology facility. PSAs serve as a conduit for accessing other DHS cybersecurity resources, and are able to connect stakeholders to resources for encouraging cyber hygiene and information assurance practices. When additional or local cyber expertise is needed, PSAs can connect partners to CSAs.

2. Information Sharing

In the past three years, the PSA program has conducted multiple outreach activities focusing on specific communities of interest and sectors such as faith based organizations, shopping malls, energy/electrical sector entities, sports leagues and venues, and K-12 schools. These engagements were intended to provide an overview of evolving threats, such as active shooter awareness, an understanding of available tools and resources, and best practices designed to enhance information sharing, physical security, and resilience. These efforts often led to customers requesting security/vulnerability assessments from the PSAs. PSAs also encourage businesses to “Connect, Plan, Train, and Report.” Applying these four steps in advance of an incident or attack can help better prepare businesses and their employees to proactively think about the role they play in the safety and security of their businesses and communities.

As an example, the Metcalf Electrical Substation, in San Jose, California, was subject to a breach by unknown actors in April 2013. The assailants were able to access the substation and caused significant damage to five transformers and fiber optic cables, which in turn affected telecommunications in Santa Clara County. As a result of this incident and others, the Department of Energy and DHS, in coordination with other Federal agencies and regulatory commissions, conducted an outreach program. The outreach was conducted in ten U.S. cities and two Canadian cities and addressed proactive security measures, threat detection and assessment technologies, and the creation of an incident response plan. Following the completion of the Electrical Substation Outreach, PSAs provided briefings for the ten most critical electrical substations and their stakeholders, and conducted IST security surveys. The data from the security surveys was used to analyze common protective and resilience measures, summarized in a report published April 2015.

An additional example followed the mass shooting at the Emanuel AME church in Charleston, SC on June 17, 2015. Our local PSA offered around 20 security briefings and conducted active shooter briefings for companies, schools, and churches. All briefings were well received and some recipients requested further training. On February 17, the PSA also supported holding a DHS Interfaith Town Hall in Charleston, South Carolina where we brought public and private sector partners together and discussed protective security resources for faith-based and non-profit community stakeholders.

3. Incident Response

In response to natural or man-made incidents, PSAs deploy to State and local Emergency Operations Centers and, when appropriate, Federal Emergency Management Agency (FEMA) Regional Response Coordination Centers. PSAs provide situational awareness and facilitate information sharing to support the response, recovery, and rapid reconstitution efforts of critical infrastructure. During major incidents and when designated by the Assistant Secretary of the Office of Infrastructure Protection, PSAs serve as Infrastructure Liaisons at Joint Field Offices or Unified Coordination Groups.

In 2015 and 2016, the National Preparedness System went through a “refresh” effort to update the National Preparedness Goal, the five mission area Frameworks and the Federal Interagency Operational Plans for Prevention, Protection, Response and Recovery. These foundational documents further define the role of the PSAs in ensuring that the connections between infrastructure stakeholders and partners across the nation are able to support and engage in national preparedness efforts.

4. Special Events

PSAs provide support to officials responsible for planning and leading special events. This includes providing expert knowledge of local critical infrastructure; participating in planning committees and exercises; conducting security surveys and assessments of event venues and supporting infrastructure; and coordinating the development and delivery of geospatial products. Examples of special events supported by the PSAs include:

  • Presidential Inauguration, State of the Union, Papal Visit and Republican and Democratic National Conventions;
  • Major sporting events such as the Super Bowl (The Houston PSA is the Deputy Federal Coordinator for Super Bowl 51), World Series, Stanley Cup, and Indianapolis 500;
  • Annual United Nations General Assembly; and
  • New Year’s Celebration at Times Square in New York City.

5. Risk Mitigation Training

To reduce risk to the Nation’s critical infrastructure, NPPD develops and delivers a diverse curriculum of training to build nationwide counter-improvised explosive device (IED) core capabilities and enhance awareness of terrorist threats. Coordinated by PSAs, the courses educate SLTT participants such as municipal officials and emergency managers, State and local law enforcement and other emergency services, critical infrastructure owners and operators, and security staff on strategies to prevent, protect against, respond to, and mitigate bombing incidents.

Annually, the PSAs provide active shooter briefings to a diverse audience. These briefings provide an overview and characteristics of an active shooter incident, personal response, and “Active Shooter – How to Respond” materials. PSAs also assist with the coordination of comprehensive Active Shooter Workshops that provide training and detailed information to assist facilities in developing emergency action plans to respond to active shooter threats.

CSA Program

NPPD modeled the CSA program after the PSA program, incorporating appropriate customization to focus on cybersecurity issues. CSAs promulgate best practices and conduct vulnerability assessments, connect stakeholders to information sharing resources, and serve as a liaison between critical infrastructure owners and operators and the National Cybersecurity and Communications Integration Center (NCCIC) for incident response and support to special events. CSAs function as a regionally-deployed source of subject matter expertise and provide expert consultation on cybersecurity best practices to improve our stakeholders’ cybersecurity risk management.

Conduct Assessments to Foster Risk Management Best Practices

Each CSA promotes and assists stakeholders in their implementation of the Cybersecurity Framework, which was jointly developed by the Government and private sector. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps critical infrastructure owners and operators manage their cybersecurity risk. CSAs also provide critical infrastructure owners and operators with tools, guidance, and individualized assistance to help entities use the Framework in a manner that supports their specific risk management needs. CSAs ensure that critical infrastructure stakeholders receive alerts, warnings, and bulletins on cybersecurity vulnerabilities, mitigations and best practices through the NCCIC. These alerts, warnings, and bulletins concern risks to general IT systems as well as specialized risks to industrial control systems—the types of systems used to control power plants, manufacturing assembly lines, and other physical devices.

CSAs also help our customers improve their cybersecurity risk management through voluntary vulnerability assessments. CSAs offer two primary types of assessments to supplement an organization’s existing activities. First, the Cyber Resilience Review (CRR) evaluates an organization’s operational resilience and cybersecurity practices across ten domains including risk management, incident management, and continuity. Second, the Cybersecurity Evaluation Tool (CSET) is a desktop software program that guides asset owners and operators through a step-by-step process to evaluate their industrial control system and information technology network security practices. Both the CRR and the CSET are now mapped to the Cybersecurity Framework and allow organizations to understand their relative maturity across the Framework’s functions. CSAs also offer more specialized risk assessments, such as assessments focused on supply chain risk management.

In addition, CSAs link critical infrastructure owners and operators with technical penetration testing teams based in the NCCIC. For example, CSAs connect critical infrastructure partners with the National Cybersecurity Assessment and Technical Services, which provides a variety of technical assessments to identify vulnerabilities in an organization’s enterprise, including phishing tests, wireless application assessments, and internal penetration testing.

Information Sharing

CSAs connect critical infrastructure entities with the NCCIC’s information sharing programs. Pursuant to the Cybersecurity Act of 2015 (Pub. L. 114-113, Division N), DHS serves as the U.S. Government’s primary portal for automated cyber threat indicator sharing. By participating in the Automated Indicator Sharing initiative, organizations receive machine-readable cyber threat indicators to immediately detect and block cybersecurity threats. CSAs are leveraging the relationships that they and the PSAs have built to encourage companies to sign up for Automated Indicator Sharing. Additionally, CSAs help stakeholders learn about and join the Cyber Information Sharing and Collaboration Program (CISCP), which provides a trusted forum where vetted partners share threat and incident information with the government and other private sector partners. CISCP also permits participating companies to gain access to the NCCIC watch floor for operational collaboration.

Incident Response

Cybersecurity is about risk management, and no organization can eliminate all risk. Organizations that implement best practices and share information will increase the cost for adversaries and stop many threats. But ultimately, there exists no perfect cyber defense, and persistent adversaries will at times find ways to infiltrate networks in both government and the private sector. When an incident occurs, private sector and SLTT governments may work with CSAs to obtain incident response and coordination resources from the NCCIC as well as any additional information they need to respond effectively. CSAs provide valuable insight to help the NCCIC coordinate responses to incidents and to enhance senior leaders’ situational awareness.

Special Events

CSAs also provide support to officials responsible for planning and leading special events. This includes participating in planning committees and exercises and conducting security assessments of event venues and supporting infrastructure. Examples of special events supported by the CSAs include the Republican and Democratic National Conventions and major sporting events such as the Super Bowl and the Major League Baseball All-Star Game, where adversaries could potentially target the industrial control systems that enable the provision of lighting, crowd control, security measures, and other critical functions to the host venues.

The Way Forward

As with all of NPPD’s programs, we are continuously assessing progress and looking for opportunities to enhance our capability to most effectively serve our customers. As a result of such a continuous improvement effort, NPPD is further integrating the PSAs and CSAs. For example, CSAs frequently leverage the PSA program to identify and initiate stakeholder engagement where a PSA has previously partnered. In fiscal year 2015, more than 20 percent of CSA evaluations were initiated as a result of direct referrals from PSAs. CSAs and PSAs also conduct joint physical and cyber assessments of critical infrastructure entities and coordinate analytical resources and assessment methods. PSAs and CSAs often exchange information regarding interaction with shared partners and stakeholder groups.

In recognition of growing opportunities for joint cyber-physical stakeholder engagement, we asked Congress to authorize the establishment of a new operational component within DHS, the Cyber and Infrastructure Protection Agency. We submitted a plan that will better align the PSAs and CSAs and streamline and strengthen existing functions within the Department to ensure we are prepared for the growing cyber threat and the potential for physical consequences as a result of an attack. We urge Congress to take action so that DHS is best positioned to execute this vital mission.

Way Forward for the PSA Program

Three Year Strategic Plan

IP is working with the Office of Cyber and Infrastructure Analysis (OCIA) to develop a three-year Strategic Plan for PSA’s Assessments, as required by Congress, to determine how we can enhance the value and impact of its assessment portfolio for its stakeholders over the next three years. The strategic plan will:

  1. Clarify the strategic intent behind IP’s conduct of assessments;
  2. Expand the value derived from assessments for IP’s primary stakeholders;
  3. Articulate how assessments can better leverage, and be better leveraged by, related efforts from partners such as OCIA and FEMA; and
  4. Optimize how assessments are prioritized and measured.

Once completed, this project will guide how the PSA assessment portfolio supports stakeholders across the nation, contributes to a national understanding of risk, and supports national preparedness planning, as well as grants decision making. The CSA program will identify improvements by drawing upon the analysis in this plan and its lessons learned.


The owners and operators of critical infrastructure in the United States are not exclusively located in the Washington, DC area. In order to rebalance resources and meet our stakeholders where they operate, the PSA Program and other NPPD programs are regionally- and field-based. These regional programs are so integral to successful delivery of products and assessments to owners and operators that NPPD has begun the process of shifting headquarters-based staff into the field. NPPD will be placing additional staff from IP in each region to supplement the current PSAs. PSAs provide direct support of mission benefactors, tailored and adapted to meet regional, state and local needs, and this disciplined shift toward field-based and regionalized operations is designed to optimize the way that PSAs support partners across the nation, both providing more locally tailored support and managing expanding security challenges. The CSAs will operate in a similar manner and will be tied into this regional construct.

Way Forward for the CSA Program

NPPD is expanding the number of CSAs deployed across the Nation. The allocation of CSAs is based on a risk-informed set of criteria, including:

  • Public Sector Partners: The presence of public sector partners (e.g., SLTT governments) with strong cybersecurity programs that would benefit from a closer relationship with NPPD.
  • Private Sector Partners: High concentrations of companies in particular critical infrastructure sectors, particularly entities identified under Section 9(a) of Executive Order 13636 as especially critical.
  • PSA Activity: Regions with existing PSAs that will provide new CSAs with an existing network of critical infrastructure contacts.
  • FEMA Models: CSA expansion will also be informed by available FEMA models, such as those utilized in the context of the Urban Areas Security Initiative and Threat and Hazard Identification and Risk Assessment.


Protecting the Nation, its critical infrastructure, and each community is a shared responsibility. PSAs and CSAs provide an essential local point of connection between DHS and our critical infrastructure stakeholders. They are the primary “bottom up” capability to help individual companies better manage their risks, and consequentially they create trust relationships that can inform the development of top-down programs to manage risks across entire sectors. This local point of connection allows the Department to more effectively accomplish its mission and helps our stakeholders manage their all-hazards risk.

Thank you again for the opportunity to appear before you today. We look forward to your questions.

Syndicated from the Department of Homeland Security


Written testimony of USCG for a House Transportation and Infrastructure Subcommittee on Coast Guard and Maritime Transportation hearing titled “Coast Guard Arctic Implementation Capabilities”

Release Date: 
July 12, 2016

2167 Rayburn House Office Building

Good morning Mr. Chairman and distinguished Members of the Subcommittee. It is my pleasure to be here to discuss the U.S. Coast Guard’s expanding mission demands in the Arctic.

The Coast Guard is the world’s premier, multi-mission, maritime service responsible for the safety, security and stewardship of U.S. waters. At all times a military service and branch of the U.S. Armed Forces, a federal law enforcement agency, a regulatory body, a first responder, and a member of the U.S. Intelligence Community, the Coast Guard operates on all seven continents and throughout the homeland, serving a nation whose economic prosperity and national security are inextricably linked to vast maritime interests. We safeguard the nation’s maritime interests through our broad authorities, unique capabilities, and vast partnerships.

To ensure our service is aligned with national strategies and best positioned to address these complexities, we have developed a five-year Strategic Intent and continue to focus on our Western Hemisphere, Arctic, Energy and Cyber strategies. By using these strategies as guideposts, leveraging the intelligence community, and employing a risk-based approach to direct our resources where they are needed most, we are able to address maritime threats with greater precision and effect.

Indeed, the Coast Guard is fully engaged answering the call and balancing a multitude of dynamic maritime risks facing our nation. Guided by the National Strategy for the Arctic Region and our own Arctic Strategy, we are taking a proactive, but measured, approach to the increasing mission demands in the Polar Regions.

Increasingly Active Polar Regions

The United States is an Arctic nation, and the Coast Guard is responsible for safety, security and environmental stewardship where our sovereign rights extend in the Arctic region, including the resource rich seabed along our Extended Continental Shelf. These are not new requirements. The Coast Guard has been operating in Polar Regions since the United States purchased Alaska from Russia in 1867. Then, as now, our mission included protecting our sovereign rights, enforcing treaties and U.S. laws and regulations, conducting search and rescue and environmental response operations, assisting in scientific exploration, and fostering navigation safety. Yet, the Polar Regions are evolving as changing weather patterns and receding ice continue to introduce risks and opportunities in the Arctic. As ice melts, sea lanes and access to natural resources open, increasing the national interest in safe and responsible use of this vital region. Interest in the Polar Regions and the natural riches they contain is on the rise, and requires us to plan for a more robust U.S. maritime presence commensurate with development of the region. Icebreakers that can assure access throughout the Arctic are a key element of that planning.

United States Security Interests in the Polar Regions

Consistent with the National Strategy for the Arctic Region, our highest priority is to protect the American people, our sovereign territory and rights, natural resources, and interests of the United States. To this end, the United States will identify, develop, and maintain the capacity and capabilities necessary to promote safety, security, and stability in the region through a combination of independent action, bilateral initiatives, and multilateral cooperation. As many nations across the world aspire to expand their role in the Arctic, the Coast Guard is collaboratively working through appropriate fora to address the emerging challenges and opportunities in the Arctic region, while we remain vigilant to protect the security interests of the United States and our allies.

The Polar Regions present unique opportunities and challenges to United States security interests. Relatively few countries in the world can claim sovereign rights to any portion of the Arctic, and few have the resources to operate consistently and effectively in these harsh and remote areas. U.S. security in the Arctic encompasses a broad spectrum of activities, ranging from those supporting safe commercial and scientific operations to national defense. To respond to this challenge, the United States will enable our vessels and aircraft to operate, consistent with international law, through, under, and over the airspace and waters of the Arctic, to support lawful commerce, achieve a greater awareness of activity in the region, and intelligently evolve our Arctic operations and capabilities, including ice-capable platforms as needed.

Meeting these challenges requires the United States to develop and maintain capacity for year-round access to greater expanses within Polar Regions. In the Arctic, highly capable icebreakers will ensure the United States can meet our national interests, protect and manage our natural resources, enable U.S. forces to uphold freedom of the seas consistent with international law, and strengthen our international, state, local, and tribal relationships. In the Antarctic, they can also provide capability to resupply our scientific outposts while also supporting treaty obligations.

Icebreaker Requirements

The 2010 High Latitude Mission Analysis Report (HL MAR) identified the need for three heavy and three medium icebreakers under the assumption that in the future the Coast Guard would be required to perform nine of its eleven statutory missions year-round in the Arctic and support all icebreaking needs for the National Science Foundation in Antarctica. The primary differences between heavy and medium icebreakers are endurance and power. The Coast Guard considers a heavy icebreaker to be one that can operate year-round in the Arctic, with the necessary systems and endurance to protect its crew in the event it had to “winter-over” in substantial ice conditions. In addition to exceptional power, a heavy icebreaker must have a fully mission capable cutter endurance of 80 days underway without replenishment, be able to deploy helicopter detachments, and be able to perform the full suite of Coast Guard missions. As Coast Guard vessels are considered U.S. Warships under International Law, a heavy icebreaker must be fully interoperable with interagency and international stakeholders, including the Department of Defense, to carry out National Defense Operations.

Whereas a heavy icebreaker has the power and endurance to operate year-round in the changing ice conditions of the Polar Regions, medium icebreakers can only operate seasonally in the Arctic. The Coast Guard has chartered an Integrated Product Team to define an Operating Concept and requirements for a Medium Icebreaker. While medium icebreakers like the HEALY provide critical capability identified in the HL MAR, the age and condition of our only operational heavy icebreaker, POLAR STAR, makes recapitalizing this heavy icebreaking capability a higher priority.

Icebreaker Status

The current Coast Guard icebreaker capacity is one heavy polar icebreaker, CGC POLAR STAR – commissioned in 1976, and one medium icebreaker, CGC HEALY – commissioned in 2000. An additional heavy polar icebreaker, CGC POLAR SEA, is in a caretaker status and has not been operationally viable for nearly 10 years. When assessing our current inventory, it is helpful to understand the history that led us here.

The acquisition of our heavy polar icebreakers over 40 years ago introduced a shift in our operating regime from several less capable icebreakers that worked in tandem with supply convoys, to fewer more capable icebreakers capable of operating independently. The WIND Class icebreakers, a product of the U.S. naval build-up for World War II, were smaller and less capable ships that operated in groups of two or three. The POLAR Class requirements initially supported four heavy POLAR icebreakers to replace the seven aged WIND Class vessels, but other priorities ultimately led to a decision to build two: POLAR SEA and POLAR STAR. The harsh polar operating environment, coupled with the arduous nature of actually breaking ice, ages these vessels more quickly than our normal surface assets. When both were operational, we maintained a self-rescue capability and were able to balance maintenance periods to better mitigate wear and tear caused by the unforgiving operating environment. Today, substantial annual maintenance and upkeep is required in order to maintain the minimum operating capability our current inventory represents.


In September 2015, the President directed the Coast Guard to accelerate construction of the first new heavy icebreaker and to begin planning for additional assets. Consistent with this commitment, the President’s FY 2017 Budget includes $150 million to accelerate the acquisition of a new heavy Polar Icebreaker. This investment reflects our interests as an Arctic Nation and affirms the Coast Guard’s role in assuring access to this region. Since the President announced this initiative last September, the Coast Guard has made progress toward recapitalizing our heavy icebreaker fleet and has worked closely with our federal partners throughout this process. Key stakeholders participated in the identification of operational requirements, and the Coast Guard completed the heavy icebreaker Operational Requirements Document (ORD) earlier this year.

We have also completed initial industry outreach efforts that included a highly successful industry day with over 200 stakeholders, and over 50 one-on-one discussions with vendors, shipyard representatives and other industry professionals in conjunction with the release of a technical package laying out the high-level design and performance requirements. Industry has shown an eagerness to participate in this process, and we welcome their input. Developing new icebreaking capability at best possible speed remains among the Service’s highest priorities.

The Coast Guard acquisition team is aggressively finalizing an acquisition strategy, and this year we plan to publish a draft specification for design. This will be followed by a statement of work and a draft Request for Proposal to provide additional opportunity for industry to review and submit comments before a final solicitation is released.


The Coast Guard also understands that we must maintain our existing heavy and medium icebreaking capability while proceeding with recapitalization. Maintenance of the POLAR STAR will be critical to sustaining U.S. heavy icebreaker capability until new heavy icebreakers are commissioned. To mitigate the risk of crippling failure, we have engaged in a yearly dry dock maintenance cycle to overhaul critical components and make repairs necessary to keep the POLAR STAR operational. While the maintenance cycle has ensured the POLAR STAR’s availability for the annual McMurdo break-out, it increases the POLAR STAR’s time away from homeport to roughly 300 days per year and this is not sustainable over the long term.

We are on track to complete the POLAR SEA materiel condition assessment and alternatives analysis to determine whether it is most prudent to decommission or reactivate this ship. These efforts will determine the scope of work and costs to reactivate POLAR SEA based on the vessel’s current condition. The latter part of this effort will also consider whether an additional service life extension on POLAR STAR would be the most prudent option for maintaining heavy icebreaker capability while the Coast Guard proceeds with a new acquisition.

Acknowledging that our only medium icebreaker is approaching 20 years of age, we are also taking initial steps to prepare for a mid-life maintenance availability on HEALY as was indicated in the President’s FY 2017 Budget which included $1.5 million for this purpose. We are also investigating the feasibility of segmented midlife maintenance projects to mitigate impacts to operations.

Building the 21st Century Coast Guard

History has proven that a responsive, capable, and agile Coast Guard is an indispensable instrument of national and international security. Funding 21st century Coast Guard icebreakers is an especially prudent investment. To ensure we are equipped to address the demands of the evolving Arctic operating environment, the Coast Guard, with the continued strong support of the Congress, is accelerating acquisition of a heavy icebreaker and beginning to plan for additional icebreakers. Modern platforms and a strong, resilient workforce will ensure the Coast Guard is prepared to meet 21st century challenges.


As we approach our 226th anniversary, with the continued support of the Administration and Congress, the Coast Guard’s future is bright and we will continue to live up to our motto to be Semper Paratus – Always Ready. I look forward to continuing to work with the Administration and Congress to answer the President’s call for new heavy polar icebreakers as soon as they can be built. We understand the significant investment recapitalizing this fleet represents, and appreciate and embrace the trust the Nation has placed in the Service. Thank you for the opportunity to testify before you today and for all you do for the men and women of the Coast Guard. I look forward to your feedback and answering your questions.
