Senate Bill Creates DHS Threat Hunting Teams


With government agencies at every level facing ransomware attacks on a regular basis, the Department of Homeland Security likely will soon have the authority to send specially trained incident response and hunt teams to help targeted agencies respond to and recover from such attacks.

The DHS Cyber Hunt and Incident Response Teams Act, new legislation passed by the Senate, would establish teams specifically dedicated to helping agencies find threats and recover from any serious cybersecurity incident, not just ransomware attacks. Crucially, the new measure authorizes DHS to bring in private sector security experts to join the hunt teams as needed.

“The Center shall maintain cyber hunt and incident response teams for the purpose of leading Federal asset response activities and providing timely technical assistance to Federal and non-Federal entities, including across all critical infrastructure sectors, regarding actual or potential security incidents, as appropriate and upon request,” the legislation says.

“After notice to, and with the approval of, the entity requesting action by or technical assistance from the Center, the Secretary may include cybersecurity specialists from the private sector on a cyber hunt and incident response team.”

The Senate legislation is similar to a separate bill that has passed the House of Representatives, so the next step in the process is to reconcile the differences between the two measures and then move forward.

“Our cyber response teams play an important role in protecting against cyber threats, reducing cybersecurity risks, and helping to get our cyber infrastructure back up and running after an attack occurs,” said Sen. Rob Portman (R-Ohio), one of the sponsors of the legislation, which passed the Senate last week.

The legislation gives responsibility for creating and running the new teams to DHS’s National Cybersecurity and Communications Integration Center (NCCIC), which serves as the clearinghouse for information sharing on threats and attacks between the federal government and the private sector. The act does not specify how many teams the NCCIC should establish or how large each team should be, nor does it provide any additional budget for the center to build out the teams.

Government agencies, especially at the state and local levels, have faced an onslaught of ransomware attacks in the last few years, some of which have been devastating and prevented governments from functioning for weeks at a time. Baltimore, New Bedford, Mass., more than 20 government agencies in Texas, and a number of smaller towns in Florida all have been victims of ransomware attacks recently. Some municipalities have elected to pay ransom, while others have opted to restore their systems from backups or try to recover in other ways. But the thing that many of these attacks have in common is the difficulty state and local agencies have in dealing with them, regardless of the outcome. While it’s common for large enterprises to employ internal threat hunting teams and incident response groups, that’s a luxury that government agencies don’t typically have.

Permanent teams of specialists housed at DHS that can call on outside experts from the private sector could provide invaluable assistance to those agencies and municipalities that are without the resources to respond to serious attacks.