“Cyber Hunt” Legislation Passes U.S. Senate: Any Implications for Business?

Hogan Lovells

[co-author: Jake Nevola]*

In a legislative environment charitably described as challenging, the fact that the Senate recently passed cybersecurity legislation by unanimous consent is noteworthy and highlights the bipartisan nature of this issue. The DHS Cyber Hunt and Incident Response Act (H.R. 1158) responds to the recent spate of ransomware attacks against government agencies and private sector organizations¹. It would require the Department of Homeland Security (DHS) to form “cyber hunt” and incident response teams that could be called upon to assist federal, state, and local entities to respond to a ransomware or other type of cybersecurity incident or to identify vulnerabilities in their systems that may increase the likelihood and success of a future attack. While continued government attention to the availability of cybersecurity capabilities should be welcomed by the private sector, the extent to which businesses will directly benefit from this legislation is unclear given its focus.

The bill would require the newly-formed DHS teams to provide assistance to public and private entities, upon request, on preparing for and responding to cyber-related incidents, including:

  • restoring services after a cyber incident;
  • identifying and analyzing cybersecurity risks and unauthorized cyber activity;
  • creating mitigation strategies against cybersecurity risks; and
  • providing recommendations to asset owners and operators on how to lower their cybersecurity risks and improve their digital networks and systems.

DHS is also required to report to Congress annually, for four years after the date of enactment, on the utilization and effectiveness of the new teams using metrics it creates for this purpose. These metrics are required to be quantifiable and actionable, and to improve the teams’ effectiveness and accountability.

While this legislation has the potential to offer additional resources to protect against ever-increasing ransomware and other cyber threats, significant questions remain unanswered. It is not clear how DHS’ expanded role in cybersecurity incident planning and response will be coordinated with the existing authorities of the Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS). Even before this legislation, the question of “who ya gonna call?” to help navigate the myriad challenges an organization may face before, during, and after a cyber incident was unclear, and some will view this Act as only adding to that confusion. In addition, on a practical level it is unclear how DHS would be able to marshal the necessary resources to rapidly respond to cyber incidents outside of the Washington, DC area, as it lacks the local presence and relationships that FBI and USSS have in jurisdictions across the country.

 

¹ For instance, a ransomware attack infiltrated government computer systems in 22 Texas municipalities in August, and in another, Louisiana’s Governor had to declare a state of emergency following the deployment of ransomware against three Louisiana school districts.

* Law Clerk


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising
