The Homeland Security and Governmental Affairs Committee (HSGAC) sent 11 bills to the Senate floor today, including legislation to enhance agencies’ ability to protect themselves from cyber attacks.
Sens. Ron Johnson (R-Wis.) and Tom Carper (D-Del.), the committee’s chairman and ranking member, respectively, introduced The Federal Cybersecurity Enhancement Act of 2015 (S. 1869).
“The U.S. government’s computer networks are under attack. Hacktivists, organized crime syndicates and nation-states have successfully launched electronic assaults against vulnerable government networks, some of which house millions of Americans’ personal and private information,” Johnson said, in a release. “To protect their privacy against our adversaries, Senator Carper and I are introducing the Federal Cybersecurity Enhancement Act, which will accelerate deployment of a federal intrusion detection and prevention system that will improve the government’s cyber defense capabilities.”
FCEA mandates that all agencies adopt the Homeland Security Department’s EINSTEIN intrusion detection and prevention system. Agencies would use EINSTEIN to analyze their network traffic in order to detect and prevent cyber threats. Currently, only 45 percent of agencies are using the system.
“Making sure our federal agencies have access to the best technology is a critical part of that effort,” Carper said, in the release. “At the same time, agencies must be constantly assessing and increasing their internal cyber defenses to be as strong as possible. EINSTEIN is a valuable tool that can help agencies detect and block cyber threats before they can cause too much harm.”
The bill requires agencies to adopt best practices in their cybersecurity, using, for example, two-factor authentication and encrypting sensitive systems. In addition, the bill authorizes DHS and the Office of Management and Budget to conduct comprehensive assessments of agencies’ networks to detect and remove intruders.
“Had the powers of this bill been implemented already, they likely would have stopped the hack of the Office of Personnel Management,” Johnson said. “They will make it far more difficult for our adversaries to steal our private data and to penetrate government networks.”
The bill also requires agencies to provide annual status reports of their EINSTEIN programs, in order to promote transparency and accountability.
During today’s markup session, committee members approved several amendments to FCEA. These included:
- Authorizing the Director of National Intelligence to assess unclassified information systems that, when combined with other unclassified systems, could together create classified information. This refers to a “mosaic” effect, in which seemingly unclassified material, when taken together, would reveal information that is classified.
- Authorizing the ODNI and the DHS secretary to conduct ongoing damage and risk assessments of the OPM data breaches.
- In the event of a known cybersecurity intrusion that represents a substantial threat to an agency’s information security, an agency secretary may take any lawful action to protect that information system, in coordination with the ODNI.
As amended, the committee voted to send FCEA to the full Senate.
Sens. Susan Collins (R-Maine) and Mark Warner (D-Va.) sent out a release voicing their support for the amended bill. They said it includes all five of the key provisions of the bipartisan FISMA Reform Act of 2015, which they introduced a week ago.
“The recent cyber attack at OPM exposed the current vulnerabilities to our federal networks in a glaring manner. It is long overdue to make sure all of our federal networks and the information they hold are properly protected and secured,” Collins said, in the release. “I am very pleased that one week after the introduction of our bipartisan legislation, that HSGAC has reported legislation that Carper includes the five critical provisions that DHS needs to properly defend the dot-gov domain from cyberattacks like the ones we saw at OPM.”
Warner added that DHS does not have the authority necessary to enforce cybersecurity standards, and agencies have to come to DHS voluntarily in order to obtain help detecting and neutralizing cyber threats.
“That’s a real problem as we face a growing number of these cyber attacks, because our federal networks are only as secure as their weakest link,” he said.
Other bills affecting federal employees the committee passed included:
- Department of Homeland Security Border Security Metrics Act (S. 1864): “To improve national security by developing metrics to measure the effectiveness of security between ports of entry, at points of entry, and along the maritime border.”
- Critical Infrastructure Protection Act (S. 1846): “To amend the Homeland Security Act of 2002 to secure critical infrastructure against electromagnetic threats.”
- Stop Improper Payments to Deceased People Act (S. 1073): “To amend the Improper Payments Elimination and Recovery Improvement Act of 2012, including making changes to the Do Not Pay initiative, for improved detection, prevention, and recovery of improper payments to deceased individuals.”
- Northern Border Security Review Act (S. 1808): “To require the Secretary of Homeland Security to conduct a Northern Border threat analysis.”
- Fair Access to Science and Technology Research Act (S. 779): “To provide for Federal agencies to develop public access policies relating to research conducted by employees of that agency or from funds administered by that agency.”
- Land Management Workforce Flexibility Act (H.R. 1531): “To amend title 5, United States Code, to provide a pathway for temporary seasonal employees in Federal land management agencies to compete for vacant permanent positions under internal merit promotion procedures.”