September 26, 2019 - Issue: Vol. 165, No. 156 — Daily Edition, 116th Congress (2019 - 2020) - 1st Session
UNIFYING DHS INTELLIGENCE ENTERPRISE ACT; Congressional Record Vol. 165, No. 156
(House of Representatives - September 26, 2019)
[Pages H8015-H8019]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

UNIFYING DHS INTELLIGENCE ENTERPRISE ACT

Ms. JACKSON LEE. Mr. Speaker, I move to suspend the rules and pass the bill (H.R. 2589) to amend the Homeland Security Act of 2002 to establish a homeland intelligence doctrine for the Department of Homeland Security, and for other purposes, as amended.

The Clerk read the title of the bill.

The text of the bill is as follows:

H.R. 2589

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the ``Unifying DHS Intelligence Enterprise Act''.

SEC. 2. HOMELAND INTELLIGENCE DOCTRINE.

(a) In General.--Subtitle A of title II of the Homeland Security Act of 2002 (6 U.S.C. 121 et seq.) is amended by adding at the end the following new section:

``SEC. 210H. HOMELAND INTELLIGENCE DOCTRINE.

``(a) In General.--Not later than 180 days after the date of the enactment of this section, the Secretary, acting through the Chief Intelligence Officer of the Department, in coordination with intelligence components of the Department, the Office of the General Counsel, the Privacy Office, and the Office for Civil Rights and Civil Liberties, shall develop and disseminate written Department-wide guidance for the processing, analysis, production, and dissemination of homeland security information (as such term is defined in section 892) and terrorism information (as such term is defined in section 1016 of the Intelligence Reform and Terrorism Prevention Act of 2004 (6 U.S.C. 485)).

``(b) Contents.--The guidance required under subsection (a) shall, at a minimum, include the following:

``(1) A description of guiding principles and purposes of the Department's intelligence enterprise.

``(2) A summary of the roles, responsibilities, and programs of each intelligence component of the Department in the processing, analysis, production, or dissemination of homeland security information and terrorism information, including relevant authorities and restrictions applicable to each such intelligence component.

``(3) Guidance for the processing, analysis, and production of such information.

``(4) Guidance for the dissemination of such information, including within the Department, among and between Federal departments and agencies, among and between State, local, Tribal, and territorial governments, including law enforcement, and with foreign partners and the private sector, consistent with the protection of privacy, civil rights, and civil liberties.

``(5) A description of how the dissemination to the intelligence community (as such term is defined in section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4))) and Federal law enforcement of such information assists such entities in carrying out their respective missions.

``(c) Form.--The guidance required under subsection (a) shall be submitted in unclassified form, but may include a classified annex.

``(d) Annual Review.--For each of the five fiscal years beginning with the first fiscal year that begins after the date of the enactment of this section, the Secretary shall conduct a review of the guidance required under subsection (a) and, as appropriate, revise such guidance.''.

(b) Clerical Amendment.--The table of contents in section 1(b) of the Homeland Security Act of 2002 is amended by inserting after the item relating to section 210G the following new item:

``Sec. 210H. Homeland intelligence doctrine.''.

SEC. 3. COMPTROLLER GENERAL ASSESSMENT.
(a) Annual Assessment Required.--Not later than one year after the date of the enactment of this Act and again not later than five years thereafter, the Comptroller General of the United States shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate an assessment of the degree to which guidance established pursuant to section 210H of the Homeland Security Act of 2002 (as added by section 2 of this Act) is implemented across the Department of Homeland Security. Such assessment should evaluate the extent to which such guidance is carried out in a manner that protects privacy, civil rights, and civil liberties.

(b) Elements of Assessment.--In conducting each assessment under subsection (a), the Comptroller General of the United States shall--

(1) use standard methodology and reporting formats in order to demonstrate and display any changes over time; and

(2) include any other subject matter the Comptroller General determines appropriate.

(c) Access to Relevant Data.--To carry out this section, the Secretary of Homeland Security shall ensure that the Comptroller General of the United States has access to all relevant data.

SEC. 4. ANALYSTS FOR THE CHIEF INTELLIGENCE OFFICER.

Paragraph (1) of section 201(e) of the Homeland Security Act of 2002 (6 U.S.C. 121(e)) is amended by adding at the end the following new sentence: ``The Secretary shall also provide the Chief Intelligence Officer with a staff having appropriate expertise and experience to assist the Chief Intelligence Officer.''.

The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from Texas (Ms. Jackson Lee) and the gentleman from Tennessee (Mr. Green) each will control 20 minutes.

The Chair recognizes the gentlewoman from Texas.

General Leave

Ms. JACKSON LEE. Mr. Speaker, I ask unanimous consent that all Members may have 5 legislative days to revise and extend their remarks and to include extraneous material on this measure.

The SPEAKER pro tempore. Is there objection to the request of the gentlewoman from Texas?

There was no objection.

Ms. JACKSON LEE. Mr. Speaker, I yield myself such time as I may consume.

Mr. Speaker, I rise today in support of H.R. 2589, the Unifying DHS Intelligence Enterprise Act.

H.R. 2589 seeks to improve the Department of Homeland Security's intelligence enterprise by ensuring intelligence officers across DHS are sharing information and countering threats in a unified manner.

Since the Department was established, intelligence and information sharing capabilities have matured, but DHS still lacks a coordinated intelligence enterprise.

In 2016, the Committee on Homeland Security released a comprehensive review of the Department of Homeland Security's use of intelligence to counter terrorist threats and prescribed 30 recommendations.

As a result, this bill directs the Secretary of Homeland Security, through a DHS chief intelligence officer, to develop and disseminate written DHS-wide guidance for the processing, analysis, production, and dissemination of Homeland Security and terrorism information, and ensures this guidance is consistent with the protection of privacy, civil rights, and civil liberties.

Given the diversity of missions across the Department, it is vital that component intelligence officers are working together, sharing information, and vetting that information against the broader U.S. intelligence community holdings.

H.R. 2589 requires an assessment and description of how the dissemination of information to the intelligence community and Federal law enforcement assists such entities in carrying out their respective missions.
One of the key missions of DHS is to act as a clearinghouse for threat information, and this bill will ensure that the Department continues to evolve into a better, more effective asset in responding to threats to the homeland.

Mr. Speaker, I urge my colleagues to support H.R. 2589, and I reserve the balance of my time.

Mr. GREEN of Tennessee. Mr. Speaker, I yield myself such time as I may consume.

Mr. Speaker, I rise today in support of H.R. 2589, the Unifying DHS Intelligence Enterprise Act.

In December of 2003, I had the unbelievable opportunity to fly with our Nation's elite special operations aviation unit, the Night Stalkers, in conjunction with our Army's tier I counterterrorism unit in the capture of Iraqi dictator Saddam Hussein. It was the highlight of my Army career.

Whether it was on missions in Iraq or hunting Osama bin Laden in Afghanistan, I realized that having a systematic way to gather, process, analyze, and disseminate intelligence information was critical to our success on the battlefield.

That experience encouraged me to introduce this bill back in May so that DHS can best fulfill its very important mission to keep America safe.

This bill requires the Department's chief intelligence officer, or CINT, to establish a homeland intelligence doctrine for the Department, and it requires the CINT to maintain a dedicated staff.

In the years following the terrorist attacks of September 11, the Department was established to consolidate 22 existing Federal agencies and reshape the domestic intelligence and counterterrorism structure of the U.S.

Over the years, DHS has matured and refined its intelligence enterprise. Significant improvements have been made, but there is not yet complete unity among the various intelligence offices within all the component agencies.

In 2016, the House Committee on Homeland Security released a comprehensive review of the Department's use of intelligence to counter terrorist attacks.

They recognized that DHS ``has improved its ability to protect the homeland against terrorist threats over time, but major gaps remain.'' They prescribed over 30 recommendations to the Department for improved intelligence sharing.

The goal of H.R. 2589 is to ensure all of the component entities at DHS are speaking the same language, using the same tradecraft, and disseminating their products to the appropriate stakeholders, which include both intelligence communities and State and local partners.

This legislation will help professionalize the DHS intelligence enterprise by establishing a shared intelligence doctrine.

Across DHS, dedicated border and immigration agents are gathering information on individuals seeking to enter the United States. Threats to transportation systems and critical infrastructure are gathered and assessed, and real-time cyber threats to the government and private networks are analyzed.

The incredible differences in the agencies of the Department create natural barriers to information flow. Given this diversity of missions, it is vital that component intelligence offices are working together, sharing information, and vetting that information against intelligence community holdings.

As a former member of the Army special operations task forces, I know the value of synchronized intelligence processes in order to connect the dots and successfully carry out a mission.

This bill also authorizes the continued dedication to providing staff to the chief intelligence officer, ensuring that this distinct mission continues to provide the value necessary to support the intelligence enterprise.

I support this legislation, and I urge my colleagues to join me in doing so.

Mr. Speaker, I reserve the balance of my time.

Ms. JACKSON LEE. Mr. Speaker, I yield myself such time as I may consume.

Mr. Speaker, I thank the gentleman from Tennessee (Mr. Green) for his service, and I thank him for this legislation.
It is worth noting that the bill that we just passed and the bill that we are now debating, specifically dealing with cybersecurity and intelligence, are crucial elements of our security.

I think that with the combination of recognizing the importance of the intelligence community that is on the front lines of providing our safety and then acknowledging the vulnerabilities in the cyber system as one of the components of new technology, I started out my remarks by taking note of the drone attack on the refineries in Saudi Arabia. Here we are talking about cyber and its impact.

But I think the overall sense of these two initiatives is to ensure that we in Homeland Security are on the front end of dealing with the importance of securing this Nation on the new technologies that we are facing every single day.

I ask my colleagues to support the underlying legislation.

I include in the Record the following articles on this very topic: ``Thousands of Vulnerabilities in Seattle's IT Network Attributed to Siloed Approach to Cybersecurity,'' September 17, 2019; ``Leader of New NSA Cybersecurity Directorate Outlines Threats, Objectives,'' dated September 5, 2019; and then, August 30, 2019, ``Why Focusing on Threat Hunting May Leave You Vulnerable.''

[September 17, 2019]

Thousands of Vulnerabilities in Seattle's IT Network Attributed to Siloed Approach to Cybersecurity

(By David Kroman)

Last May, Seattle's head of information security flagged a problem within the city's technology department: Because of a process breakdown, employees were indicating that they had fixed vulnerabilities in the department's computer network when, in fact, they had not been fixed.

``It has been discovered that there are currently over 21,000 known critical and high vulnerabilities on systems throughout Seattle IT,'' Andrew Whitaker, then the department's chief information security officer, wrote in a May 22 email to technology leadership. ``Tickets have been closed out, claiming to have vulnerabilities remediated, but upon follow-up review they were, with a few exceptions, not remediated.''

The result was that the servers, desktops and applications within the newly consolidated Department of Information Technology--which now handles the vast majority of the city of Seattle's technology functions, from utilities to the fire department--contained open miniportals that could be accessed by would-be hackers.

When left unremediated, vulnerabilities provide possible paths for hackers to plant spyware, ransomware, viruses and other malicious software that can be immensely harmful to an organization, especially one that provides critical services. Cities are often particularly open to an attack and the effect can be devastating, as recent ransom attacks in Baltimore and Atlanta have shown.

Saad Bashir, Seattle's new head of the Department of Information Technology, said in an interview that he believes the vulnerabilities are manageable. He said Seattle is at risk, as are all organizations, but, in general, not abnormally so.

However, Bashir acknowledged the process breakdown was indicative of a broader problem (https://crosscut.com/2017/07/at-city-hall-a-massive-department-is-mired-in-chaos) he has been attempting to address within the organization since taking his position earlier this year.

``What I observed very early was that there was a siloed approach in how cybersecurity was being practiced in the world of IT,'' he said.

Because of a disconnect between teams, Bashir said, some part of the security process would get completed, but would not be properly handed off to the next team.

``If you're not clear, then you may not know whether that particular vulnerability management work has been completed the way it's supposed to be completed,'' Bashir said.

In an effort to improve the processes within the department, Bashir began a major reorganization of the relatively new department--including his firing of 14 directors and managers (https://crosscut.com/2019/05/seattles-new-it-boss-fires-14-directors-part-organizational-change)--just two days before Whitaker's message. The reorganization was not motivated solely by security weaknesses, he said, but was intended to create a smoother structure that would better catch possible entry points.

When asked if the city was safer from an attack since he took over, Bashir said, ``Absolutely.''

Every organization contains some number of vulnerabilities. The trick is to continually identify and address them as they arise--an e-windshield wiper of sorts, where the vulnerabilities are the raindrops.

Experts say hackers are increasingly less likely to gain access through a vulnerability than they are through a phishing expedition. In such cases, a deceiving email message persuades employees to provide passwords or a malware-infected USB drive is left in a parking lot in hopes that someone finds it and plugs it in to their computer. But addressing vulnerabilities in the city's systems continues to be an important function of its IT department.

``If I were a serious bad guy I'd be looking at the most vulnerable place,'' said Dr. Barbara Endicott-Popovsky, executive director of the Center for Information Assurance & Cybersecurity at the University of Washington. ``I'd be looking at cities and I'd be looking at universities, because they're open and they can't afford the latest and greatest. It's kind of like, `Open sesame.' ''

Mike Hamilton, founder of CI Security and Seattle's chief information security officer from 2006 to 2013, said there are a number of reasons cities struggle to stay ahead of cyberattacks. For one, the number of qualified security experts is down across the country, he said.
And of those who are on the market, cities can't match the pay of large companies like Amazon or Microsoft. ``The ones that are good are in short supply, which means that local governments cannot compete for those resources,'' he said.

Additionally, cities are responsible for the security of all their departments, each of which may require vastly different things. ``Because government is a federation of agencies, that makes it a little difficult to have policies in place that apply to [for example] the regulated industry of human resources without raising the ire of unions,'' he said.

Hamilton also said the biennial budgeting of local government makes keeping up challenging. ``Technology moves a whole lot freaking faster,'' he said.

All of this, Hamilton said, is in the context of extremely high stakes. Compared with for-profit companies, ``the potential impact [of an attack on government] is so much greater and government can't afford it,'' said Hamilton. ``We know something needs to be fixed, and we don't fix it until something blows up.''

Bashir said the new processes he's put into place have made him ``confident that we no longer have any glaring process gaps.'' He couldn't say exactly how many vulnerabilities are still open on city systems, but that it was less than 21,000. The ideal number, Bashir said, is zero, but that's also extremely unlikely, which makes it hard to identify what a ``good'' number is.

``I worry about all of them,'' said Andrew Cushman, the city's new chief security officer. ``Whether that number is 21,000 or whether that number is 10 depends on the attacker and how skilled that attacker is and how motivated that attacker is. So I don't worry more because that number is 21,000 than I do if that number is 10.''

Going forward, Bashir said he wants ``to create a high level of security awareness mindset across the organization.'' The city could have zero vulnerabilities and it wouldn't matter if one employee plugs in the wrong USB to a work computer.

Hamilton said there are several easy things cities can do that, while not offering total protection, would make it so they are no longer ``the slowest gnu in the herd getting picked off.'' For one, mandate zero personal use of city equipment, something Singapore implemented in 2017.

Phishing attacks remain the easiest entry point for hackers and so that's where the bulk of the city's attention should focus, Hamilton said. Because no matter how many protections are put into place, ``There is not now, nor will there ever be, a firewall for stupid.''

____

[From CSO Online, Sept. 5, 2019]

Leader of New NSA Cybersecurity Directorate Outlines Threats, Objectives

(By Cynthia Brumfield)

Ransomware, Russia, China, Iran and North Korea are the top cybersecurity threats that will be the focus of a new division within the National Security Agency (NSA), the Cybersecurity Directorate, which is set to be operational on October 1, according to NSA director of cybersecurity Anne Neuberger. She was tapped in July by Director General Paul Nakasone to head the group.

The Directorate aims to bring the agency's foreign intelligence and cyber operations together and ``operationalize [its] threat intelligence, vulnerability assessments and cyber defense expertise,'' the agency announced when launching the new division.

``NSA really had to up its game,'' Neuberger said in a fireside chat with Niloofar Razi Howe, cybersecurity venture investor and executive, at the Billington Cybersecurity Summit in Washington on September 4.
``And that's what drove this desire to stand up a directorate and frankly to set a pretty aggressive mission, which is to prevent and eradicate cyber actors from national security systems and critical infrastructure with a focus on the defense industrial base.''

In terms of the threats, ``Clearly ransomware is the focus. We've seen there are roughly 4,000 ransomware attacks a day,'' Neuberger said.

``When we look at Russia, we see a country that uses influence operations, uses cyber [that is] really integrated and below the level of armed conflict. They also use entities who aren't necessarily tied to the government, whether the Internet Research Agency for potential elections influence or China has its own unique approach to how the country uses cyber threats to achieve its national security and military objectives, Neuberger said.

China's cyber threats are exemplified by three different and wholly distinct types of operations: the 2015 theft of 21.5 million records from the Office of Personnel Management, the hacking campaign known as Cloud Hopper that targeted eight of the world's biggest technology service providers, and ongoing theft of intellectual property such as when Chinese intelligence and business insiders sought to steal information related to a turbofan engine used in commercial airliners.

Iran is very volatile and uses destructive attacks in its own region primarily, Neuberger said.

``North Korea always fascinates us as essentially a nation-state criminal, as a country under sanctions using creative ways of cyber, whether it's cryptocurrency, whether it's cryptomining to gain hard currency and essentially keep the regime afloat.''

Neuberger previously headed the agency's ``Russia Small Group,'' a joint NSA-Cyber Command task force to combat Russian election interference and influence campaigns. The task force ``was stood up out of a realization that something had dramatically changed and we had to reboot our approach as a US government,'' Neuberger said.

``Now influence operations have been around since the days of Adam and Eve, but what really changed was the age of social media,'' she said. Not only could an adversary send out broad messaging, but it could also target disinformation to particular ethnic groups, particular elements of a country, and do it in a ``pretty cheap way ... looking as if one is an American.''

``So, we realized that it took a more creative approach to protect our democracy. In the Russia Small Group, we worked closely with the DHS and FBI to ensure that from a cyber perspective they had all the threat information we had in a way that can be quickly actionable,'' Neuberger said. ``We're tremendously proud of the work we did between NSA, Cyber Command, DHS and the FBI to defend the integrity of our elections and ensure that every American knows that their vote counted and their vote matters,'' referring to the Russia Small Group's efforts to protect the 2018 midterm elections.

When it comes to warding off 2020 election threats, the Directorate will take the same approach the Russia Small Group applied in the 2018 elections. ``Ensure there is threat intelligence, gain those insights, share that intelligence, and be prepared to impose costs on an adversary who may attempt to influence our elections,'' Neuberger said. ``We will do the same work that we did in 2018 looking to see who are the actors seeking to shake confidence in the integrity of our elections, and share that with the FBI.''

Ransomware has emerged as a bigger threat to the election infrastructure than it has before. The recent shift ransomware attackers have taken from targeting individuals to targeting entities is ``certainly something that would make it be a key concern for the elections. The best protection is the same security advice we give: ensure one uses principles of least privilege [and] computers with admin access shouldn't have access to the Internet at all times.''

Partnering with other government agencies and private sector companies and organizations will be a major focus of the Directorate. ``Everything we do, we do in partnership with other agencies, with allies around the world and certainly the private sector plays a role,'' Neuberger said, noting that she wants to unify all the various communities involved in cybersecurity to enhance collaboration and focus on the hardest cybersecurity problems. ``Partners are key; they are the root of everything we can accomplish,'' she said.

Among the partners the Directorate plans to include in its efforts are the Department of Defense, Cyber Command, DHS, the acquisition community, U.S. allies and certainly the private sector. ``The private sector is often the first indicator of a significant threat or a significant compromise.''

The goal is to push out as much unclassified information as possible and bring together all the elements that are needed to quickly identify and head off threats. ``Ideally, we are sharing the threat information to prevent an attack, to prevent exploitation rather than being part of a team that helps with incident response,'' Neuberger said.

Although the Directorate doesn't have a ``moonshot'' objective as it begins operations, one goal is to address the ``rampant abuse of Internet infrastructure,'' Neuberger said, particularly protecting the Domain Name System (DNS), the naming system underlying the Internet which has been subject to increasing attacks and redirections by malicious actors. ``DNS is a key way that adversaries use for command and control for exploitation,'' she said.
Neuberger would like to see efforts such as the UK's NCSC's Protective Domain Name System, which was built to thwart the use of DNS for malware distribution and operation, more widely used. The Directorate can help by adding or contributing threat information to make those services even more effective. The Directorate can serve to interconnect these efforts so they could communicate beyond internet transactions. ``If we could achieve that, it would have even broader impact beyond cybersecurity.''

____

[From Infosecurity Magazine, Aug. 30, 2019]

Why Focusing on Threat Hunting May Leave You Vulnerable

(By Bob Shaker)

The cybersecurity threat landscape is becoming increasingly complex and crowded, and with security teams around the world largely understaffed and facing burnout, experts are looking for the most efficient way to combat cybercrime.

One approach that has gained significant momentum of late is threat hunting--the proactive searching of threat indicators within an environment to sniff out highly advanced cyber threats. In threat hunting, security analysts search their environment for known indicators of compromise (IoCs) and adversary tactics, techniques, and procedures (TTPs)--if any of these are found, there's a good chance that an attack is underway.

While threat hunting is a key element of a robust cybersecurity strategy, many organizations rely too heavily on this approach. A narrow focus on specific IoCs and TTPs paints an incomplete picture of the threat environment and means that the attacks that don't bear these hallmarks will get missed.

In this evolving threat landscape, enterprises can't just rely on threat hunting to keep their environments secure--they must broaden their cybersecurity approach, assessing security environments in a more holistic way to better detect advanced and stealth attacks.

Why threat hunting has become so popular

Threat hunting has recently become a major buzzword in the security industry in large part because it connotes a cooler, more technical and more skilled approach to security. As a result, security experts are gravitating toward it for career-building opportunities and advancing their security approach.

While threat hunting might be overhyped, there are also genuine benefits to the practice (when done correctly) that help explain why enterprises are so ready to adopt it. Threat hunting helps refocus security teams on emerging threats, since existing security technologies tend to address things we already know about. Actively looking for emerging threats can mean identifying threats that might be lurking in the environment--reducing dwell time and tackling threats before they escalate and turn into full-blown security breaches.

In addition, adopting threat hunting tactics often leads to discovering visibility gaps in your current security approach--for example, your S3 buckets might not be configured properly or perhaps some firewall rules got changed, or maybe you're able to identify an employee or group within your organization that is violating a security policy. Uncovering these poorly managed security solutions is a useful byproduct of threat hunting.

The downfalls of threat hunting

However, many organizations rely too heavily on threat hunting as they are unable to invest in the required infrastructure, resources and expertise to continually analyze all activity for possible threats. Often, this threat hunting is provided by third-party security companies, as many enterprises either lack the skills and resources entirely or are only able to dedicate their in-house teams to a few days of threat hunting a year.

With the major talent gap facing cybersecurity, most enterprises simply cannot find or afford to hire professionals with the required level of expertise. As a result, many are turning to managed services offered by security companies to help close the gap. According to Gartner, by 2024, 25% of organizations will be using MDR services, up from less than 5% today.

Threat hunting services often focus almost exclusively on threats posed by splashy, sexy attack groups--whether it is notable criminal APTs or nation state groups. A strong security program focuses on risk management, and one of the most important things security teams can do is accurately identify the risks that they are susceptible to, which for many enterprises isn't a nation-state attack.

While threat-hunting addresses attacks that everyone is talking about, the reality is that many enterprises should be equally--if not more cognizant--of commodity threats. While sophisticated threats exist and are important to defend against through threat hunting, the majority of threats facing enterprises are better addressed through good security hygiene.

Over-investing in threat hunting can lead to an incomplete and irregular picture of the risks enterprises face. In fact, a singular reliance on threat hunting alone means that many types of attacks will get missed if you're not specifically looking for them.

Taking a holistic approach

By over-rotating on big name threats, security teams leave open the possibility that they are going to miss the obvious. In this threat environment, security teams can't afford to drop the ball on the basics--a recent ESG survey of enterprise cybersecurity leaders revealed that more than three-quarters (76%) believe that threat detection and incident response is more difficult today than it was just two years ago.

To ensure a strong security posture, enterprises should take a comprehensive, multi-faceted approach that goes beyond threat hunting. As they build out a holistic approach, they should be sure to:

Collect data on everything they can. Often when investigating a breach or incident, security teams find that they don't have any evidence because they aren't collecting and retaining the right data--it's usually the exception when there's sufficient logging for an incident. With living off the land attacks increasing (many of which fly under the radar of traditional logging), it's ever more important that teams don't skimp on data collection, as relying on a mixture of sources is more likely to help you detect threats early and prevent bad actors from getting in unnoticed.

Use multiple security tools and strategies. We've recently seen a trend toward new technologies like AI and machine learning across security programs. It's important to layer these tools and strategies as they each have their strengths and weaknesses. To maximize effectiveness, use a mixture of tools, methodologies and frameworks that integrate multiple attack and adversary considerations such as MITRE ATT&CK as well as simple IOCs, rule-based detection, statistical models, linguistic models, and machine learning models--and then correlate with global threat intelligence, validating and augmenting with human expertise.

Don't underestimate the importance of humans. The human side of the investigation is critical. There is no better computer for detecting, recognizing and responding to threats than the human mind. While automated systems have helped advance the security industry significantly, a true ``eyes on glass'' approach to threat detection requires years of experience and the corresponding intuition of knowing when something is amiss.

Ms. JACKSON LEE. Mr. Speaker, I ask that my colleagues support the underlying legislation, and I reserve the balance of my time.

Mr. GREEN of Tennessee. Mr. Speaker, there is bipartisan support for a professional, coordinated Department of Homeland Security intelligence architecture.
I want to thank Chairman Thompson and Ranking Member Rogers for supporting this legislation and bringing it to the floor.

It is time for DHS to be able to function with the same precision in the handling of intelligence information as our warriors in the Department of Defense, and I am honored to have the opportunity to help them do so.

Mr. Speaker, I urge support of the bill, and I yield back the balance of my time.

Ms. JACKSON LEE. Mr. Speaker, I ask my colleagues to support the underlying bill, and I yield back the balance of my time.

The SPEAKER pro tempore. The question is on the motion offered by the gentlewoman from Texas (Ms. Jackson Lee) that the House suspend the rules and pass the bill, H.R. 2589, as amended.

The question was taken; and (two-thirds being in the affirmative) the rules were suspended and the bill, as amended, was passed.

A motion to reconsider was laid on the table.

____________________