
UPDATED – Bills to Strengthen Federal Agencies’ Cyber Defenses Introduced in House, Senate Backed by DHS Secretary

Legislation that would address recent government data breaches by requiring agencies to implement best practices and accelerating deployment of federal intrusion detection and prevention systems was introduced this week in both the House and Senate, with Department of Homeland Security (DHS) Secretary Jeh Johnson voicing his support Thursday.

Senate Committee on Homeland Security and Governmental Affairs Chairman Ron Johnson (R-Wis.) and former committee chairman and ranking member Sen. Tom Carper (D-Del.) introduced The Federal Cybersecurity Enhancement Act of 2015, which would give federal agencies stronger tools to protect their critical networks and Americans’ sensitive information, in addition to requiring that all federal agencies implement stronger protections and state-of-the-art technologies to defend against cyberattacks.

The Senate bill also would address shortcomings in deployment and adoption of the DHS’s federal cybersecurity program known as EINSTEIN, which was deployed by DHS’ Office of Cybersecurity and Communications (CS&C) to defend federal civilian executive branch agency networks from cyber threats. Similar to EINSTEIN 1 and EINSTEIN 2, DHS has since deployed EINSTEIN 3A (E3A) to enhance cybersecurity analysis, situational awareness and security response.

DHS earlier explained that, “With E3A, [the department] will not only be able to detect malicious traffic targeting federal government networks, but also prevent malicious traffic from harming those networks. This is accomplished through delivering intrusion prevention capabilities as a Managed Security Service provided by Internet Service Providers (ISP). Under the direction of DHS, ISPs will administer intrusion prevention and threat-based decision-making on network traffic entering and leaving participating federal civilian executive branch agency networks.”

Thursday, Johnson issued a statement in which he endorsed the Senate bill. "I strongly support the Federal Cybersecurity Enhancement Act of 2015 that was approved unanimously by the Senate Homeland Security and Governmental Affairs Committee yesterday under the leadership of chairman Ron Johnson and ranking member Tom Carper," he said.

Johnson said, "Cybersecurity is a top priority for me, for the President and for this administration. I am pleased that Congress has recognized that we need to work together to ensure that we have adequate resources and budget, and the legal authorities necessary to pursue the mission."

Johnson said, "This bill will strengthen our cyber defenses by requiring all federal agencies to implement stronger protections and state-of-the-art technologies to defend against cyberattacks. Importantly for DHS, [the legislation] would accelerate deployment of a federal intrusion detection and prevention system across the federal government, increasing our visibility as a government into adversary activity."

Johnson said the Senate bill "accomplishes this by ensuring agencies understand they are legally permitted to disclose network traffic to DHS for narrowly tailored purposes," and that the bill "also sets forth several privacy protections that are consistent with DHS’s current operations and privacy controls." He noted that the House passed legislation "which contains similar provisions authorizing the EINSTEIN program."

Finally, Johnson said, "As cyber threats continue to increase in frequency, scale, sophistication and severity, we need to be as aggressive in strengthening our defenses. I thank chairman Ron Johnson and ranking member Tom Carper for their bipartisan leadership on this vital piece of legislation. Now, I urge the Senate to move quickly and pass this bill."

“Over the last several years,” Carper and Johnson said in a joint announcement, “sensitive information on tens of millions of Americans has been stolen by malicious actors in cyberspace as a result of federal agencies’ failure to secure some of their most sensitive data. As the committee has learned in recent hearings, strong information security policies, such as multifactor authentication and encryption, could have prevented or slowed several recent cyber breaches at federal agencies, including the loss of sensitive data for more than 21.5 million individuals at the Office of Personnel Management.”

“Similar protections,” the statement said, “could have also helped prevent the cyber theft of tax returns for more than 100,000 Americans at the Internal Revenue Service. The Federal Cybersecurity Enhancement Act of 2015 would mandate the deployment of cybersecurity best practices at agencies — measures such as intrusion assessments, strong authentication, encryption of sensitive data and appropriate access controls.”

The two senators noted that, despite being 10 years in the making, EINSTEIN’s capability is not available to all agencies, and more than half of federal agencies have yet to deploy the full EINSTEIN system. Currently only 45 percent of federal agencies are using the program’s intrusion prevention capabilities.

Carper and Johnson’s bill would “dramatically accelerate deployment and adoption of EINSTEIN, and it includes reporting requirements to increase program accountability.”

“We know that with each passing day, and for the foreseeable future, our federal agencies will continue to come under a cascade of attacks in cyber space, as will our businesses and critical infrastructure. Congress needs to make bolstering our cyber defenses – and staying ahead of this evolving threat – a top priority,” Carper said, adding, “Making sure our federal agencies have access to the best technology is a critical part of that effort. At the same time, agencies must be constantly assessing and increasing their internal cyber defenses to be as strong as possible. EINSTEIN is a valuable tool that can help agencies detect and block cyber threats before they can cause too much harm.”

Carper stated “we [need to] ensure every agency is equipped with the ever-improving capabilities needed to fend off cyber attacks in the future.”

Johnson added, “The US government’s computer networks are under attack. Hacktivists, organized crime syndicates and nation-states have successfully launched electronic assaults against vulnerable government networks, some of which house millions of Americans’ personal and private information.”

“The Federal Cybersecurity Enhancement Act … will accelerate deployment of a federal intrusion detection and prevention system that will improve the government’s cyber defense capabilities,” Johnson said. “It also will require agencies to adopt best practices in cybersecurity. Had the powers of this bill been implemented already, they likely would have stopped the hack of the Office of Personnel Management. They will make it far more difficult for our adversaries to steal our private data and to penetrate government networks.”

Specifically, the Federal Cybersecurity Enhancement Act of 2015 would:

  • Mandate better cybersecurity practices across government to ensure a defense-in-depth approach, including intrusion assessments, two-factor authentication and encryption for sensitive systems;
  • Accelerate the adoption of EINSTEIN across the government by clarifying the Department of Homeland Security’s legal authority to deploy it and by mandating adoption by agencies;
  • Advance the system’s capabilities by requiring that it include the most advanced cyber technologies, including leading commercial tools and that it evolve to better protect agencies as threats evolve;
  • Mandate strong privacy protections with the EINSTEIN program and data; and
  • Increase transparency and accountability by requiring annual status reports.

Although DHS is charged with coordinating the implementation of federal network security and providing government-wide situational awareness of dangerous activity online, Carper and Johnson said “ambiguities in the law have made it difficult for the department to deploy EINSTEIN quickly across the federal government. The Federal Cybersecurity Enhancement Act of 2015 would provide explicit statutory authority for the system and require agency adoption within one year of enactment.”

Over in the House

Meanwhile, in the House, the Cyber Defense of Federal Networks Act of 2015 was introduced by House Committee on Homeland Security Chairman Michael McCaul (R-Texas). The bill would streamline the federal government’s ability to more effectively identify and thwart cyber attacks.

“In light of the massive Office of Personnel Management (OPM) hacks, it’s clear that our nation’s federal digital infrastructure isn’t capable of effectively detecting and defending against these cyber threats,” McCaul said, adding, “Currently, the Department of Homeland Security’s hands are tied in responding to ever growing cyber threats. Providing DHS with similar abilities to defend federal networks that the Department of Defense uses to protect military networks is commonsense legislation.”

McCaul commended his "colleagues in the Senate for quickly addressing federal network security and I encourage my peers in the House to take action so more Americans won’t have their personal information compromised and sensitive government information stolen."

"This is a bipartisan and bicameral issue to ensure our federal cyber networks are able to defend against nation-states like China, Russia, Iran and North Korea and terrorist threats," McCaul stated.

Rep. John Ratcliffe (R-Texas), chairman of the House Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, added that, “Following the disastrous breaches at OPM, I convened a hearing to examine the Department of Homeland Security’s efforts to secure federal networks. It became readily apparent that although DHS is charged with protecting the .gov domain, the department lacks the authority to carry out this vital mission.”

“The Cyber Defense of Federal Networks Act is a vital step in ensuring that actions are taken to effectively implement DHS’ binding directives to better secure the .gov domain and all the highly sensitive information it protects,” he said.

The Cyber Defense of Federal Networks Act would require:

  • Deploying enhanced network cybersecurity tools at federal agencies;
  • Ensuring agencies are prioritizing the use of cybersecurity tools;
  • Providing increased technical assistance capabilities through incident detection, mitigation, and response information for federal civilian networks; and
  • Authorizing the use of protective capabilities immediately when a federal agency is under a cyber attack. 

Homeland Security Today (http://www.hstoday.us)