Bill proposes new DHS centers for testing security of critical government tech
The Department of Homeland Security would create cybersecurity testing centers under new legislation based on a recommendation from congressional cybersecurity experts.
The Critical Technology Security Centers Act of 2023 introduced Tuesday by Rep. Ritchie Torres (D-N.Y.) would create two cybersecurity-focused offices to evaluate and test the security of critical technology used by the federal government.
A spokesperson for Torres told Recorded Future News that the legislation emerged from the work of the Cyberspace Solarium Commission, which recommended that Congress fund centers that would “more centralize efforts directed toward evaluating and testing the security of devices and technologies that underpin our networks and critical infrastructure.”
“These centers would strengthen the capacity of the U.S. government to test the security of critical technologies and, when appropriate, assist in identifying vulnerabilities, developing mitigation techniques with relevant original equipment manufacturers, and supporting new and ongoing efforts to certify technologies as secure,” the spokesperson said.
“The Centers could also play an important role as project managers and, in some cases, would provide funding for the broader research community already working toward similar ends.”
As of Tuesday, there was no word about cosponsors or a Senate version of the bill. Sen. Angus King (I-Maine) was a member of the commission, as was a prominent House Republican, Mike Gallagher of Wisconsin.
In a copy of the bill first shared with Politico, the Homeland Security secretary would have 180 days from the passage of the law to “award grants, contracts, or cooperative agreements to covered entities for the establishment of not fewer than two cybersecurity-focused Critical Technology Security Centers.”
The centers would focus on the security of information and communications technology as well as networked industrial equipment like connected programmable logic controllers (PLCs) and supervisory control and data acquisition (SCADA) servers — both of which have become frequent targets of nation-state actors in recent years.
The centers would also examine open source software and other software used by the federal government.
The DHS Undersecretary for Science and Technology could also expand the topics covered by the centers. Any vulnerabilities found by the center would have to be reported to developers through coordinated disclosure processes and the Cybersecurity and Infrastructure Security Agency (CISA).
The centers also would be tasked with “developing capabilities that can detect or eliminate entire classes of vulnerabilities.”
The bill includes a section allowing centers to award grants to individual open source software developers and maintainers, nonprofit organizations, and other non-federal entities to “fund improvements in the security of the open source software ecosystem.”
The centers would get $42 million in fiscal 2024, with funding gradually increasing each year to $52 million by 2028.
The Cyberspace Solarium Commission report from March 2020 said the centers were needed because the U.S. government “lacks trusted, centralized entities” that provide security evaluations and testing.
Much of the bill pulls language directly from the recommendations listed in the commission’s report.
Several experts said the bill is a good idea but may face headwinds when it comes to implementation.
“Most of the capability to test both commercial and open-source projects exists now, spread among independent, commercial, and government organizations,” said Mike Parkin, senior technical engineer at Vulcan Cyber.
“If this is implemented properly and helps to coordinate these research efforts and get their results to the right people in a useful format, great. But there are a lot of steps between proposing new legislation and having that legislation become an effective security tool.”
Viakoo CEO Bud Broomhead suggested that the centers should draw on existing work being done within Information Sharing and Analysis Centers (ISACs) and university-sponsored efforts, such as the Real Estate Cyber Consortium or Commonwealth of Virginia Cybersecurity Initiative, which he said are already serving some of the functions proposed in this legislation.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.