By Cory Bennett - 07/22/15 09:14 AM EDT
A bipartisan group of senators wants to give the Department of Homeland Security (DHS) more power to repel cyberattacks in the wake of hacks that have rattled the federal government.
The group on Wednesday introduced the FISMA Reform Act, which would update the 12-year-old Federal Information Security Management Act (FISMA) and formalize the DHS role in protecting government networks and websites.
“While the Department of Homeland Security has the mandate to protect the .gov domain, it has only limited authority to do so,” Sen. Susan CollinsSusan CollinsSwing-state Republicans play up efforts for gun control laws Reid knocks GOP on gun 'terror loophole' after attacks GOP pressures Kerry on Russia's use of Iranian airbase MORE (R-Maine), the lead Republican on the bill, told reporters at a press conference.
The FISMA Reform Act would lower some of the barriers preventing the DHS from inspecting other agencies’ networks and kicking out hackers. Currently, it needs permission to come in and investigate or monitor networks. Legal hurdles have also stymied the agency, said Sen. Mark WarnerMark Warner5 questions about the Yahoo hack Dem senator calls for probe over Yahoo hack Overnight Tech: Pressure builds ahead of TV box vote | Intel Dems warn about Russian election hacks | Spending bill doesn't include internet measure MORE (D-Va.), the measure’s lead Democrat.
“There is no minimum standard,” he said. “This is all done on a voluntary basis. And every agency has got their reason why they, in particular, can’t comply. This voluntary system has resulted in an inconsistent patchwork of security across the whole federal government.”
The bill’s other co-sponsors include Republican Sens. Dan CoatsDan CoatsConservative group targets Evan Bayh on ObamaCare George W. Bush to headline Rubio fundraiser What Our presidential candidates can learn from Elmo Zumwalt MORE (Ind.) and Kelly AyotteKelly AyotteSenate rivals gear up for debates WATCH LIVE: Warren campaigns for Clinton in NH Green group endorses in key Senate races MORE (N.H.), and Democratic Sens. Claire McCaskillClaire McCaskillFacebook steps up fight against fake news The Trail 2016: Off the sick bed McCaskill: Trump and Dr. Oz a 'marriage made in heaven' MORE (Mo.) and Barbara MikulskiBarbara MikulskiBlack Caucus demands Flint funding from GOP GOP puts shutdown squeeze play on Dems Overnight Finance: McConnell offers 'clean' funding bill | Dems pan proposal | Flint aid, internet measure not included | More heat for Wells Fargo | New concerns on investor visas MORE (Md.).
The recent data breach that rocked the Office of Personnel Management (OPM) and compromised more than 22 million people’s information has spurred lawmakers to action. Hackers made off with almost every federal employee's personnel file in the attack. They also took millions of personal background investigation files from the OPM’s security clearance database.
The digital pilfering has exposed the government’s sluggish approach to bolstering its online defenses against the rapidly rising threat of foreign hackers.
“This cyberattack points to a broader problem,” Collins said: “the glaring gaps in the process for protecting sensitive personal and economic information in federal agencies.”
In the wake of the hack, the DHS has scrambled to speed up government-wide implementation of software meant to protect federal data from hacks.
The agency manages Einstein, a program designed to detect and repel known digital threats. The DHS also oversees the Continuous Diagnostics and Mitigation (CDM) program, which searches for nefarious actors once they’ve already penetrated the networks.
Some have criticized the programs as outdated, multibillion-dollar boondoggles diverting attention from a larger security overhaul.
After the OPM breach, DHS Secretary Jeh Johnson promised lawmakers that both programs will be fully implemented by the end of 2015, years ahead schedule.
The FISMA Reform Act would assign DHS an even more proactive mandate to jolt the government to action.
It would modernize the 2002 law that still governs government network security protocol. Over a decade old, the original law has been knocked as a static, self-certified check list that does not encourage agencies to think about cyber defense in real-time.
Wednesday’s measure would give DHS legal authority to deploy tools that search for intrusions on government networks at any agency without a formal request. It’s a power that the National Security Agency (NSA) already has in its mandate to protect the military’s digital domain.
Collins said giving DHS equivalent powers will help the government respond to cyberattacks and digital emergencies.
“DHS has the tools, the technology, the cyber center and the privacy and civil liberties protections to be the leader for the .gov domain,” she said.
The FISMA Reform Act would also give DHS power to conduct risk assessments of any other agency’s system, allowing inspectors to force agencies to respond to security flaws that might have gone overlooked.
The provision may have been spurred by accusations that OPM officials failed to heed warnings from their inspector general about glaring holes in its digital defenses. Against the recommendation of the agency’s watchdog arm, OPM officials did not shut down several databases that were lacking a proper security certificate.
Under the FISMA Reform Act, DHS could conduct its own analysis and then issue a binding directive to patch a digital hole or shutd own a database.
“One of the problems that we have now is that there are certain agencies like FDA and the IRS that have not allowed DHS access to their computer networks,” Collins said.
Wednesday’s offering builds on a series of small-bore cyber bills that Congress passed during last year’s lame-duck session. Two of those measures attempted to clarify the DHS cyber authority.
One bill formally authorized the DHS’s cyber information sharing hub. Known as the NCCIC — or National Cybersecurity and Communications Integration Center — the hub collects and analyzes digital threat information from around the government and private sector.
Another measure revised FISMA, authorizing the Office of Management and Budget (OMB) to set federal information security policies and directing the DHS to implement those policies.
DHS Secretary Jeh Johnson wielded his new powers earlier this year, issuing a first-of-its-kind emergency directive in May that required all federal agencies to patch critical network vulnerabilities within 30 days.
The alert came on the heels of the bruising cyberattack that hit the OPM and a string of at least least nine connected digital assaults on industry and government over the past year.
“The cyber threat actors involved in each of these incidents demonstrated a well-planned attack and high level of sophistication,” said the DHS report.
It’s believed Chinese officials orchestrated many of these digital hits as part of a broader cyber espionage scheme to create a comprehensive database on U.S. government workers. Such information can be used to stage future cyberattacks, digitally imitate officials, blackmail workers or even recruit government informants.
Senators said Wednesday they are angling to tack their language on to a stalled cybersecurity bill that is expected to hit the floor either directly before or right after the August recess.
The measure, known as the Cybersecurity Information Sharing Act (CISA), is intended to boost the public-private exchange of data on hackers. While the CISA has bipartisan, industry and perhaps even White House support, an ongoing fight over privacy concerns has sidelined the upper chamber’s efforts.
Digital rights advocates believe the bill would simply shuttle Americans personal data to the NSA, further empowering its surveillance programs.
Collins told reporters that she thinks the FISMA Reform Act could mitigate some of the privacy concerns that have delayed CISA’s passage.
“If we can secure those [government] databases, then individual privacy will be enhanced,” she said. “So I see our bill as being a very important measure to strengthen privacy.”