By Calvin Biesecker
A new government report says that the government agency that oversees the monitoring of cyber security at federal civilian agencies can enforce compliance with its recommendations and can’t make these agencies use technology to gain awareness of immediate cyber attacks, the ranking Republican on the Senate Homeland Security and Governmental Affairs Committee said yesterday.
The Department of Homeland Security (DHS) Inspector General will release its report today that says the United States Computer Emergency Response Team (US-CERT), which provides response support and defense against cyber attacks for federal civilian agencies, “lacks the enforcement authority that it needs to ensure that agencies comply with its recommendations and mitigation guidance,” said Sen. Susan Collins (Maine). Yesterday’s hearing was held to examine new cyber security legislation introduced last week by Collins, Committee Chairman Joseph Lieberman (I/D-Conn.) and Sen. Tom Carper (D-Del.) that in part would give DHS operational control for cyber security in the federal civilian sector (Defense Daily, June 15).
“Our bill would correct those problems,” Collins said. “We would enhance the authorities of US CERT and create a stronger cyber center within DHS, including providing the center with the authority to enforce compliance with its cyber security directives.”
Philip Reitinger, deputy under secretary for the National Protection and Programs Directorate at DHS, said that he couldn’t state a position yet by the Obama administration on the proposed legislation. While DHS has “broad authority” over the civilian agencies in setting requirements, Reitinger acknowledged that it doesn’t have “direct enforcement authority.”
This lack of enforcement authority has been a problem in the past, Reitinger said, pointing to the Conficker computer virus in 2008 where DHS “had difficulty in obtaining responses” from various agencies “regarding the scope of the issue.”
Reitinger said that government agencies may have “valid” reasons for not being responsive, such as a lack of resources and an outright inability to respond.
Collins replied “It’s evident to me that the department needs more teeth in its directives or agencies are going to feel free to ignore them and that’s one of the problems we’re trying to rectify.”
DHS has been developing a cyber defense system called Einstein that initially was focused on obtaining an intrusion detection system, the 1.0 version, followed by a real-time intrusion detection system, the 2.0 version. Einstein 2.0 so far has been deployed to 11 of 19 federal agencies, Reitinger said. The technology is also deployed to four Internet Service Providers and is operational at one, he added. Overall, the Einstein deployments are ahead of schedule, he said.
“Through those deployments we are already discovering…more than 278,000 indicators on average of potentially malicious activity per month,” Reitinger said.
The proposed cyber security legislation would also give the federal government the authority to shut down some critical private sector networks in the event of a cyber attack. Collins said that this measure would essentially update legislation that is nearly 70 years old that would provide authority to the president to react to a cyber event that can only occur if a threat of war or state of war is present. That legislation was enacted long before the Internet was even conceived, she said.
“Our bill has far more targeted authority to respond to a cyber emergency but that authority is limited both in duration and scope, it requires notice to Congress, it does not authorize the president to take over networks, it allows the private sector to propose alternative means of achieving the goals,” Collins said. “Shouldn’t we be spelling out exactly what the president’s authority is, short of a state of war?”
Reitinger said that while he couldn’t comment directly on the legislation, he appreciates “the effort the committee made to tailor the authorities so they are focused on the expected need.”
Collins said she would take his answer as a “yes.” She also said that the committee has worked with the administration for more than a year on the issue and that the waiting is over.