A bill introduced in the Senate Wednesday would greatly expand the powers of the Department of Homeland Security (DHS) to detect and defend against intrusions on any civilian government network, a measure its sponsors say is necessary to guard against cyber attacks like the Office of Personnel Management (OPM) breach that compromised the personal information of more than 21 million people.
The Federal Information Security Management Reform Act of 2015 (FISMA Reform) is sponsored by Senate Intelligence Committee members Susan Collins (R-Maine), Mark Warner (D-Va.), Barbara Mikulski (D-Md.), and Dan Coats (R-Ind.), as well as Senate Homeland Security and Governmental Affairs Committee members Kelly Ayotte (R-N.H.) and Claire McCaskill (D-Mo.).
While DHS is responsible for protecting civilian government networks, it is currently unable to monitor those networks and cannot deploy any counter-malware tools on an agency's network unless that agency gives express permission.
“There is no minimum standard,” Warner said at a news conference held at the Capitol Wednesday. “There is no ability for DHS to come in and test and detect and improve quality. It’s all done on a voluntary basis, and every agency … has got a reason why they in particular can’t comply. This voluntary system has resulted in an inconsistent patchwork of security across the whole” of government.
Collins noted that certain agencies, such as the Food and Drug Administration (FDA) and the Internal Revenue Service (IRS), had never allowed DHS access to their computer networks.
The FISMA Reform bill would allow DHS to conduct risk assessments and operate intrusion detection and prevention tools on all federal networks in the dot-gov domain without needing permission from an agency. It would let the DHS secretary put defensive countermeasures in place once a threat was detected. The legislation also strengthens the department's authority to issue “binding operational directives” to government agencies in the case of a substantial cyber threat or in an emergency, such as when an intrusion is underway, Collins said.
It would also require the Office of Management and Budget (OMB), which has the power to enforce government-wide security standards, to submit an annual report to Congress on how it was using that authority, she said.
The authorities described in the bill would pertain only to civilian government agencies, not military or intelligence networks on the dot-mil domain.
The threat of cyber intrusions has been increasing exponentially. The Government Accountability Office (GAO) found that “information security incidents” in the federal government increased from 5,500 in fiscal year 2006 to more than 67,000 in FY ’14. Civilian agencies like OPM, IRS and the Social Security Administration (SSA) are also vast repositories of data on employees and citizens alike, Collins noted.
“As the OPM breach and the IRS breach show, our unsecured or inadequately secured databases have a lot of personal information and if we can secure those databases then individual privacy will be enhanced,” she said.
Collins anticipates the legislation could be added as an amendment to the Cybersecurity Information Sharing Act of 2015 (S.754), which is scheduled to hit the floor later this month or early September, she said. The Senate Intelligence Committee passed CISA—which would expand the sharing of cyber threat indicators between the private and public sectors—earlier this year in a 14-1 vote.
“This bill would dovetail very nicely with that legislation,” she said. “That legislation is more of an information sharing bill. It’s another essential step in the puzzle.”
Collins added that she did not expect the bill to be held up in committee, as its six sponsors sit on all of the relevant panels that could be charged with passing it.
Coats said that over the past few years, DHS had strengthened its cyber capabilities and needs the authority to lead cyber security efforts.
“There were concerns about whether DHS had the capability, had the experience and had the … authority to handle this,” he said. “Since three years ago, DHS has gained capability and the current secretary is capable.”
Although the Senate has yet to debate a cyber bill on the floor this year, the House has passed two: the National Cybersecurity Protection Advancement Act of 2015 (H.R. 1731) and the Protecting Cyber Networks Act (H.R. 1560).
While there is some convergence between the FISMA reform bill and the House legislation, Collins believes the Senate language is “more comprehensive in its approach.”
The House’s support of its own bill is “another reason that I’m optimistic that we can get this bill enacted this year,” she added.