[Congressional Record Volume 161, Number 115 (Wednesday, July 22, 2015)]
[Senate]
[Pages S5456-S5459]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Ms. COLLINS (for herself, Mr. Warner, Ms. Mikulski, Mr. Coats, 
        Ms. Ayotte, and Mrs. McCaskill):
  S. 1828. A bill to strengthen the ability of the Secretary of 
Homeland Security to detect and prevent intrusions against, and to use 
countermeasures to protect, government agency information systems and 
for other purposes; to the Committee on Homeland Security and 
Governmental Affairs.
  Ms. COLLINS. Mr. President, I rise today to introduce the Federal 
Information Security Management Act of 2015. I am very pleased that 
Senator Warner, Senator Mikulski, Senator Coats, Senator Ayotte, and 
Senator McCaskill are joining me in this bipartisan effort to 
strengthen cyber security in Federal agencies. I very much appreciate 
their input into this bill and their support.
  The cyber attack that stole sensitive personal data from millions of 
current, former, and retired Federal employees from the poorly secured 
databases at the Office of Personnel Management 
underscores the extraordinary vulnerability of our Federal computer 
networks, but for the more than 21 million Americans affected and 
indeed for our country, the threat from this theft continues. Whether 
it is the risk to the individual of identity theft or the impact on our 
Nation of the compromise of the identity of those dealing with 
classified information or the potential for espionage or blackmail, the 
threat remains extremely serious.
  Worst of all, better security of computer networks at OPM might well 
have prevented this terrible breach. The negligence of OPM officials 
who ignored repeated warnings over years from the inspector general 
that its networks were vulnerable is inexcusable. As the FBI Director 
testified before the Intelligence Committee during an open session 
earlier this month, this breach is a huge deal and represents a 
treasure trove of information for potential adversaries.
  But this cyber attack also points to a broader problem, and that is 
the glaring gap in the process for protecting sensitive information in 
Federal civilian agencies. Thus, we join together today to introduce 
this bipartisan bill.
  Our bill would strengthen the security of the networks of Federal 
civilian agencies by taking five important steps:
  First, our bill would allow the Secretary of Homeland Security to 
operate intrusion detection and prevention capabilities on all Federal 
agencies on the dot-gov domain without waiting for a request from every 
single agency.
  Today, if an agency is uncooperative with DHS or simply does not want 
to make cyber security a priority, there is little that can be done to 
strengthen that agency's vulnerable network. I have visited the center 
at DHS that monitors some of the civilian networks. You could see the 
attempted intrusions in real time. Yet, I was told by some of the 
officials there that when they call the chief information official of 
that agency, sometimes the answer is very lackadaisical, almost 
indifferent. That cannot be allowed to continue.
  Second, our bill directs the Secretary of Homeland Security to 
conduct risk assessments of any network within the dot-gov domain. This 
provision would ensure that no Federal agency can be unaware if it is 
operating an insufficiently secured network and thus jeopardizing 
sensitive data.
  Third, our bill would allow the Secretary of Homeland Security to 
operate defensive countermeasures on these networks once a cyber threat 
has been detected. Currently, DHS can deploy technical assistance to 
agencies to diagnose and mitigate cyber threats only at that agency's 
discretion, and sometimes there are legal impediments for doing so.
  Fourth, our bill would strengthen and streamline the authorities that 
Congress gave to DHS last year to issue binding operational directives 
to Federal agencies, especially to respond to substantial cyber 
security threats or in an emergency where an intrusion is underway.
  Finally, while DHS oversees the protection of Federal civilian 
networks, the Office of Management and Budget has the ultimate 
responsibility to enforce governmentwide cyber security standards for 
civilian agencies. Our bill would require OMB to report to Congress 
annually on the extent to which OMB has exercised its existing 
authority to enforce governmentwide cyber security standards.
  Congress has already given the OMB the authority, for example, to 
recommend increases or decreases in an agency's funding or to exercise 
administrative control over information resources if such actions could 
increase the degree of compliance with cyber security standards. But I 
regret to say that the evidence that OMB has actually exercised this 
authority is pretty slim.
  The primary problem our bill would solve is that DHS has the mandate 
to protect the civilian Federal networks, but it has only limited 
authority to do so. Now, as the Presiding Officer is well aware, this 
approach stands in stark contrast to how the National Security Agency 
defends the dot-mil domain.
  By the way, our legislation does not affect the dot-mil domain--which 
covers the Department of Defense and our intelligence agencies--in any 
way. The Director of the NSA has the responsibility to protect the 
dot-mil domain, but he also has the authority from the Secretary of Defense 
to monitor all DOD networks and to deploy countermeasures when 
necessary. If the Director deems that an agency's network is insecure, 
he can shut it down. Contrast that to the inspector general at OPM, who 
last fall issued a report saying that OPM ought to shut down parts of 
its network because it was so insecure, and nothing happened. OPM 
didn't take any action and DHS lacked the authority to do so. That 
stands in sharp contrast to how we protect our defense and intelligence 
agencies' networks. As a result, our military and intelligence networks 
are better protected from foreign adversaries than our civilian 
agencies' networks.
  Although the Secretary of Homeland Security is tasked with a similar 
responsibility to protect Federal civilian networks, he has far less 
authority to accomplish that task. Yet--think about it--Federal 
civilian agencies such as OPM, the IRS, the Social Security 
Administration, Medicare, and the Patent Office are the repositories of 
vast quantities of sensitive, personal, and economic data belonging to 
the American people. We have to do a better job of protecting that data 
as well.
  When the Intelligence Committee on which I served asked the current 
Director of NSA how we might improve the protection of the dot-gov 
domain, he emphasized the importance of providing the authority 
commensurate with the responsibility for protecting civilian agency 
networks.
  The Secretary of Homeland Security, Jeh Johnson, similarly said that 
obtaining clear, congressional authorization for DHS to deploy 
protective capabilities to secure civilian agencies' networks is one of 
his priorities.
  I heard the same message from his predecessor, Secretary Janet 
Napolitano, when I was the ranking member of the homeland security 
committee in 2012.
  By the way, that year former Senator Joe Lieberman and I urged our 
colleagues to pass the Cybersecurity Act of 2012, which we drafted and 
which included, among other provisions, major reforms to improve the 
protection of Federal networks. We will never know if the OPM breach 
that compromised the security clearance background information of more 
than 21 million people could have been prevented if the Senate had 
passed our bill at that time. Of course, no bill, no law can protect 
against every cyber breach, but I believe we would have been far better 
positioned had we acted then.
  What we do know is that once a malware signature is identified, it 
was DHS's intrusion detection system--known as EINSTEIN--and other 
DHS-recommended tools that played key roles in identifying the massive 
compromise of the OPM data. Without these tools, OPM might still be 
blissfully unaware that it had been subjected to a major hack.
  The government's response to the breach demonstrates the urgent need 
for our legislation. The five agency networks that were monitored by 
EINSTEIN 3 were protected and capable of blocking the malware the 
moment the dangerous signatures used in the OPM breach were loaded into 
their systems. For every other civilian agency, however, that was not 
the case. DHS had to call the chief information officer responsible for 
every one of those networks that were not covered yet by the EINSTEIN 3 
system. Then the bad indicators had to be passed on to each CIO, and 
each CIO had to search their agency networks for the harmful malware. 
Cyber threats move at the speed of light. No organization that takes 
cyber security seriously would rely upon a game of telephone tag to 
guard the security of its information.
  I also note that at the time the OPM breach actually occurred, the 
latest version of EINSTEIN had been deployed on less than 25 percent of 
the dot-gov network. So even if the government had detected the malware 
immediately, the government's ability to protect all of the networks 
would have taken that much longer because DHS's best intrusion system 
was not deployed widely enough. And, inexplicably, to this day, it is 
still not installed at OPM despite the information it stores as the 
chief employment office for millions of Federal employees and retirees.
  If we fail to give these much needed authorities to DHS, the 
unacceptable 
status quo will prevail. Under the status quo, each agency--however 
competently or incompetently--monitors its own networks and only asks 
DHS for assistance if it sees fit to do so. Let me describe just how 
poorly that approach has worked so far.
  We know that information security incidents in the Federal Government 
have increased more than twelvefold--from 5,500 in fiscal year 2006 to 
more than 67,000 in fiscal year 2014 according to the Government 
Accountability Office. That undoubtedly understates the real number 
since these are just the incidents of which we are aware. Nineteen of 
twenty-four major agencies have declared cyber security as a 
significant deficiency or material weakness for financial reporting 
purposes. At the same time, Federal agencies have failed to implement 
hundreds of recommendations from the GAO and inspectors general that 
could enhance the security of their networks.
  I could go on and on, citing the breach at IRS, at the Postal 
Service, at FAA, at NOAA, not to mention the OPM breach. It is 
unacceptable that we are putting important data belonging to the 
American people as well as our economic edge at risk. We simply have to 
take action now.
  It is incredible that OPM implausibly asserted earlier this month 
that ``there is no information at this time to suggest any misuse or 
further dissemination of the information that was stolen from OPM's 
systems.'' That incredible statement, which implied that the 
perpetrators of this lengthy and extensive attack have no intention of 
ever using the stolen data, suggests that OPM still has yet to 
recognize the gravity of this cyber attack.
  But Congress also has the responsibility to make the job for those 
securing our Federal civilian networks easier to do in light of the 
extraordinary threat that foreign adversaries, international criminal 
gangs, and other hackers pose to government systems and the privacy and 
safety of our citizens. This bill is the first of many steps to 
strengthen our Nation's cyber security, and I urge my colleagues to 
support this bipartisan measure.
  Mr. WARNER. Mr. President, I rise today to speak on the Federal 
Information Security Management Reform Act, FISMA Reform, of 2015, 
which I introduced today with Senator Collins, Senator Mikulski, 
Senator Coats, Senator Ayotte, and Senator McCaskill. This legislation 
will give the Department of Homeland Security the power to make sure 
that civilian government agencies--like OPM--have adequate cyber 
defenses against these kinds of attacks.
  Cyberattacks present one of the most critical national and economic 
threats that this Nation faces. As the FBI Director recently stated, 
there are two types of companies in the U.S.--those that have been 
hacked by China, and those that do not yet know they have been hacked.
  Estimates by the Center for Strategic and International Studies 
indicate that cyberattacks and cybercrime account for between $24 and 
as much as $120 billion in economic and intellectual property loss per 
year in the U.S. That is the equivalent of .2 to .8 percent of our GDP. 
The same CSIS study suggests that $100 billion in losses due to 
cyberattacks is the equivalent of over half a million lost U.S. jobs.
  As we have seen with the OPM cyberattack, more than 22 million 
Federal employees, retirees and applicants had their personal data 
stolen, including--most troublingly--information on their security 
clearance background investigations. The scope of this breach was 
unprecedented. As the FBI Director told the Intelligence Committee 
recently, this is a ``huge deal'' and represents a treasure trove of 
information for potential adversaries.
  But this is a serious problem that isn't limited to government, as we 
have already seen with recent breaches involving Anthem, CareFirst, 
Target, Neiman Marcus, Home Depot, and banks like J.P. Morgan, just to 
name a few. Both the private and public sector need to be better 
prepared for an increasing number of these cyberattacks.
  To figure out how to protect consumers' financial data, last year I 
held the first hearing in Congress into data breaches in the aftermath 
of the Target breach.
  One takeaway was how much more serious private sector and government 
entities need to be in investing in infrastructure and talent to secure 
their systems from cyberattack and breach. While there is always a risk 
of breaches, we can significantly mitigate those risks by increasing 
our ability to detect and respond to attacks.
  I also believe we must get serious about passing cybersecurity 
legislation. This is also why I supported the Cyber Information Sharing 
Act (CISA) that passed in the Senate Intelligence Committee 14-1 in 
March.
  A couple years ago, Senators Lieberman and Collins had a 
comprehensive cybersecurity bill which was unable to pass in the 
Senate. Unfortunately, when the bill did not pass, so did many of the 
good-government provisions such as strengthening the ability of the 
government to protect the ``Dot-gov'' infrastructure. While some of the 
language in the Lieberman-Collins bill regarding the DHS's role in 
cybersecurity did make it into law in December 2014, these changes did 
not go far enough.
  That is why today I have introduced with Senator Collins, Senator 
Mikulski, Senator Coats, Senator Ayotte and Senator McCaskill the 
Federal Information Security Management Reform Act, FISMRA, of 2015. 
This legislation would give the DHS strengthened authorities to enforce 
standards, employ cyber threat detection technology and defensive 
countermeasures, and to conduct threat and vulnerability analyses 
across all civilian U.S. Government agencies. Our bill would affect 
federal agencies only, except defense and intelligence agencies, not 
the private sector.
  The basic problem with protecting U.S. Government information systems 
is that while DHS has the responsibility to protect the ``Dot-gov'' 
domain, right now it does not have the ``teeth'' to actually enforce 
security standards or fix vulnerabilities. It is likely that if the DHS 
had the additional authorities we are proposing this could have helped 
to discover the OPM breach sooner. In fact, OPM only discovered the 
breach after implementing a cybersecurity tool that was recommended by 
the DHS.
  Our bill would give the DHS secretary the authority to direct--not 
request--that agencies undertake needed corrective actions to protect 
their cyber and information systems. Now, some government agencies' 
systems may already be pretty good--so the DHS may not need to issue 
them directives. But I also know that we are not where we want to be.
  While the breach at OPM was and continues to be devastating to those 
federal employees who are affected, we need to remember that 
cybersecurity is not just an issue at OPM. A recent article in the New 
York Times quoted the President's cyber advisor, Michael Daniels, as 
saying ``it's safe to say that federal agencies are not where we want 
them to be across the board,'' that the bureaucracy needed a ``mind-set 
shift,'' that would put cybersecurity at the top of their list of 
priorities, and that ``we clearly need to be moving faster.''
  Likewise, a recent audit of the Federal Aviation Administration's 
network in January cited ``significant security control weaknesses 
. . . placing the safe and uninterrupted operation of the nation's air 
traffic control system at increased and unnecessary risk.'' The FAA's 
former chief information security officer told the press that he had 
been frustrated by the failure to address obvious security holes in its 
most important networks.
  Similarly, at the Department of Energy's network that contains 
sensitive information on critical infrastructure and nuclear 
propulsion, investigators found ``numerous holes,'' according to the 
New York Times.
  At the IRS network, auditors found 69 vulnerabilities.
  I believe it is not a matter of if, but of when government systems 
will again be hit by a major cyberattack. And that is why I believe we 
cannot wait to give one primary entity the authority--especially when 
it already has the responsibility--to ensure that all ``Dot-gov'' 
government agencies meet robust cybersecurity standards, and that they 
are able to deploy tools and technology across the government to detect 
and prevent cyberattacks like the ones we saw at OPM. The Department of 
Homeland Security is such an entity.
  I know that some of my colleagues have argued that the NSA is the 
best in 
government at countering the cyber threat. I think that the NSA's 
capabilities are impressive. They do an excellent job protecting our 
defense and intelligence information systems. However, it would be 
unfeasible to put the NSA in charge of the United States' civilian 
cybersecurity.
  DHS cyber capabilities have been steadily improving. It is deploying 
innovative tools like EINSTEIN 3A. It has an extremely capable National 
Cybersecurity and Communications Integration Center, NCCIC, located in 
Virginia, that already detects threats and promotes information sharing 
with industries through the so-called ISACs, Information Sharing and 
Analysis Centers, that cover a range of industries from Aviation, 
Defense Industries, the Financial and Banking sectors, Electricity, IT, 
Communications and others.
  As DHS Secretary Jeh Johnson recently stated: ``Legally, each agency 
and department head has the responsibility for their own system--
legally, and I stress that to my colleagues. We have the responsibility 
for the overall protection of the Federal civilian dot-gov world 
[. . .] [W]here we need help in protecting Federal cybersecurity is legal--
making express our legal authority to receive information from other 
departments and governments. [. . .] [W]e want the express legal 
authority to make it plain that when we utilize things like EINSTEIN, 
EINSTEIN 3A, those other agencies are authorized to share information 
with us, to give us access to our network.''
  In short, this bill would allow DHS--which already has the 
responsibility to protect ``Dot-gov'' networks--the authority and the 
ability to deploy tools and technology across the government to 
proactively detect and prevent cyberattacks like the ones we saw at 
OPM. The alternative is continuing the status quo, where each agency--
no matter how poorly--monitors its own networks and only asks for 
outside assistance when it feels like it. That doesn't work. I urge my 
colleagues to join us in supporting this bipartisan bill.