Language from two hefty bills that would bolster the Department of Homeland Security’s cybersecurity role was quietly tacked on to a major cyber bill that passed the Senate late Tuesday.
The first, from Sens. Susan Collins (R-Maine) and Mark Warner (D-Va.), would give the DHS more powers to repel cyberattacks on federal agency networks. The language would update the 12-year-old Federal Information Security Management Act (FISMA) and formalize the DHS role in protecting government networks and websites.
“It is past time to make sure our critically important government systems, and the information they hold, are properly protected and secured,” Collins said after the Senate approved the broader bill, known as the Cybersecurity Information Sharing Act (CISA), which encourages businesses to share cyber threat data with the government.
The second measure, from Sens. Ron Johnson (R-Wis.) and Tom Carper (D-Del.), would require all agencies to adopt several cybersecurity best practices. It would also accelerate the rollout of the government’s anti-hacking shield, dubbed “Einstein,” that detects and repels known cyber threats.
Johnson called the proposal, originally known as the Federal Cybersecurity Enhancement Act, “a critical part” of CISA.
The lawmakers were able to get their DHS-centric language in as part of a manager’s package from CISA co-sponsors Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.).
The package, which passed late Tuesday by voice vote, pulled in nearly two dozen edits and offerings from various senators.
While the DHS sections were not heavily debated on the floor, they do make up large chunks of the overall manager’s package.
If the two sections make it through a conference report with the House and into the final bill, they will serve as the next step in Congress’s ongoing bid to bolster the DHS cybersecurity role in protecting the federal government.
During last year’s lame-duck session, Congress approved a number of small-bore bills that codified the DHS’s long-standing cyber role, and delineated an authorized mission for the agency’s cyber information hub, known as the NCCIC, or National Cybersecurity and Communications Integration Center.
The center is a repository for cyber information from myriad government and industry sources. It also disseminates cyber threat information to its partners. Under CISA, the NCCIC would receive a new influx of private sector data.
Both DHS measures included in CISA would further strengthen the agency’s hand in defending federal networks from hackers.
The Collins-Warner language, which was originally co-sponsored by four other lawmakers on both sides of the aisle, would lower some of the barriers preventing the DHS from inspecting other agencies’ networks and kicking out hackers. Currently, it needs permission to come in and investigate or monitor networks.
“If we want to be better prepared to meet this threat in the future, we have to make sure that the Department of Homeland Security has the tools it needs to adequately secure our federal civilian networks,” Warner said Tuesday.
The proposal from Johnson and Carper, the top two lawmakers on the Senate Homeland Security and Governmental Affairs Committee, would widen the availability of the government’s Einstein cyber defense program. In the wake of the major hacks at the Office of Personnel Management (OPM), Einstein was maligned as outdated, over budget, and not even fully available to all agencies.
By including his offering, Carper said on the floor this week, “We are going to make sure [Einstein] is not just something that is positive work on a piece of paper, but that 100 percent of the federal agencies are able to use these new tools.”