[Congressional Record Volume 161, Number 115 (Wednesday, July 22, 2015)]
[Senate]
[Pages S5456-S5459]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
By Ms. COLLINS (for herself, Mr. Warner, Ms. Mikulski, Mr. Coats,
Ms. Ayotte, and Mrs. McCaskill):
S. 1828. A bill to strengthen the ability of the Secretary of
Homeland Security to detect and prevent intrusions against, and to use
countermeasures to protect, government agency information systems and
for other purposes; to the Committee on Homeland Security and
Governmental Affairs.
Ms. COLLINS. Mr. President, I rise today to introduce the Federal
Information Security Management Act of 2015. I am very pleased that
Senator Warner, Senator Mikulski, Senator Coats, Senator Ayotte, and
Senator McCaskill are joining me in this bipartisan effort to
strengthen cyber security in Federal agencies. I very much appreciate
their input into this bill and their support.
The cyber attack that stole sensitive personal data from millions of
current, former, and retired Federal employees from the poorly secured
databases at the Office of Personnel Management
underscores the extraordinary vulnerability of our Federal computer
networks, but for the more than 21 million Americans affected and
indeed for our country, the threat from this theft continues. Whether
it is the risk to the individual of identity theft or the impact on our
Nation of the compromise of the identity of those dealing with
classified information or the potential for espionage or blackmail, the
threat remains extremely serious.
Worst of all, better security of computer networks at OPM might well
have prevented this terrible breach. The negligence of OPM officials
who ignored repeated warnings over years from the inspector general
that its networks were vulnerable is inexcusable. As the FBI Director
testified before the Intelligence Committee during an open session
earlier this month, this breach is a huge deal and represents a
treasure trove of information for potential adversaries.
But this cyber attack also points to a broader problem, and that is
the glaring gap in the process for protecting sensitive information in
Federal civilian agencies. Thus, we join together today to introduce
this bipartisan bill.
Our bill would strengthen the security of the networks of Federal
civilian agencies by taking five important steps:
First, our bill would allow the Secretary of Homeland Security to
operate intrusion detection and prevention capabilities on all Federal
agencies on the dot-gov domain without waiting for a request from every
single agency.
Today, if an agency is uncooperative with DHS or simply does not want
to make cyber security a priority, there is little that can be done to
strengthen that agency's vulnerable network. I have visited the center
at DHS that monitors some of the civilian networks. You could see the
attempted intrusions in real time. Yet, I was told by some of the
officials there that when they call the chief information official of
that agency, sometimes the answer is very lackadaisical, almost
indifferent. That cannot be allowed to continue.
Second, our bill directs the Secretary of Homeland Security to
conduct risk assessments of any network within the dot-gov domain. This
provision would ensure that no Federal agency can be unaware if it is
operating an insufficiently secured network and thus jeopardizing
sensitive data.
Third, our bill would allow the Secretary of Homeland Security to
operate defensive countermeasures on these networks once a cyber threat
has been detected. Currently, DHS can deploy technical assistance to
agencies to diagnose and mitigate cyber threats only at that agency's
discretion, and sometimes there are legal impediments to doing so.
Fourth, our bill would strengthen and streamline the authorities that
Congress gave to DHS last year to issue binding operational directives
to Federal agencies, especially to respond to substantial cyber
security threats or in an emergency where an intrusion is underway.
Finally, while DHS oversees the protection of Federal civilian
networks, the Office of Management and Budget has the ultimate
responsibility to enforce governmentwide cyber security standards for
civilian agencies. Our bill would require OMB to report to Congress
annually on the extent to which OMB has exercised its existing
authority to enforce governmentwide cyber security standards.
Congress has already given the OMB the authority, for example, to
recommend increases or decreases in an agency's funding or to exercise
administrative control over information resources if such actions could
increase the degree of compliance with cyber security standards. But I
regret to say that the evidence that OMB has actually exercised this
authority is pretty slim.
The primary problem our bill would solve is that DHS has the mandate
to protect the civilian Federal networks, but it has only limited
authority to do so. Now, as the Presiding Officer is well aware, this
approach stands in stark contrast to how the National Security Agency
defends the dot-mil domain.
By the way, our legislation does not affect the dot-mil domain--which
covers the Department of Defense and our intelligence agencies--in any
way. The Director of the NSA has the responsibility to protect the dot-
mil domain, but he also has the authority from the Secretary of Defense
to monitor all DOD networks and to deploy countermeasures when
necessary. If the Director deems that an agency's network is insecure,
he can shut it down. Contrast that to the inspector general at OPM, who
last fall issued a report saying that OPM ought to shut down parts of
its network because it was so insecure, and nothing happened. OPM
didn't take any action and DHS lacked the authority to do so. That
stands in sharp contrast to how we protect our defense and intelligence
agencies' networks. As a result, our military and intelligence networks
are better protected from foreign adversaries than our civilian
agencies' networks.
Although the Secretary of Homeland Security is tasked with a similar
responsibility to protect Federal civilian networks, he has far less
authority to accomplish that task. Yet--think about it--Federal
civilian agencies such as OPM, the IRS, the Social Security
Administration, Medicare, and the Patent Office are the repositories of
vast quantities of sensitive, personal, and economic data belonging to
the American people. We have to do a better job of protecting that data
as well.
When the Intelligence Committee on which I served asked the current
Director of NSA how we might improve the protection of the dot-gov
domain, he emphasized the importance of providing the authority
commensurate with the responsibility for protecting civilian agency
networks.
The Secretary of Homeland Security, Jeh Johnson, similarly said that
obtaining clear, congressional authorization for DHS to deploy
protective capabilities to secure civilian agencies' networks is one of
his priorities.
I heard the same message from his predecessor, Secretary Janet
Napolitano, when I was the ranking member of the homeland security
committee in 2012.
By the way, that year former Senator Joe Lieberman and I urged our
colleagues to pass the Cybersecurity Act of 2012, which we drafted and
which included, among other provisions, major reforms to improve the
protection of Federal networks. We will never know if the OPM breach
that compromised the security clearance background information of more
than 21 million people could have been prevented if the Senate had
passed our bill at that time. Of course, no bill, no law can protect
against every cyber breach, but I believe we would have been far better
positioned had we acted then.
What we do know is that once a malware signature is identified, it
was DHS's intrusion detection system--known as EINSTEIN--and other DHS-
recommended tools that played key roles in identifying the massive
compromise of the OPM data. Without these tools, OPM might still be
blissfully unaware that it had been subjected to a major hack.
The government's response to the breach demonstrates the urgent need
for our legislation. The five agency networks that were monitored by
EINSTEIN 3 were protected and capable of blocking the malware the
moment the dangerous signatures used in the OPM breach were loaded into
their systems. For every other civilian agency, however, that was not
the case. DHS had to call the chief information officer responsible for
every one of those networks that were not covered yet by the EINSTEIN 3
system. Then the bad indicators had to be passed on to each CIO, and
each CIO had to search their agency networks for the harmful malware.
Cyber threats move at the speed of light. No organization that takes
cyber security seriously would rely upon a game of telephone tag to
guard the security of its information.
I also note that at the time the OPM breach actually occurred, the
latest version of EINSTEIN had been deployed on less than 25 percent of
the dot-gov network. So even if the government had detected the malware
immediately, the government's ability to protect all of the networks
would have taken that much longer because DHS's best intrusion system
was not deployed widely enough. And, inexplicably, to this day, it is
still not installed at OPM despite the information it stores as the
chief employment office for millions of Federal employees and retirees.
If we fail to give these much needed authorities to DHS, the
unacceptable
status quo will prevail. Under the status quo, each agency--however
competently or incompetently--monitors its own networks and only asks
DHS for assistance if it sees fit to do so. Let me describe just how
poorly that approach has worked so far.
We know that information security incidents in the Federal Government
have increased more than twelvefold--from 5,500 in fiscal year 2006 to
more than 67,000 in fiscal year 2014 according to the Government
Accountability Office. That undoubtedly understates the real number
since these are just the incidents of which we are aware. Nineteen of
twenty-four major agencies have declared cyber security as a
significant deficiency or material weakness for financial reporting
purposes. At the same time, Federal agencies have failed to implement
hundreds of recommendations from the GAO and inspectors general that
could enhance the security of their networks.
I could go on and on, citing the breach at IRS, at the Postal
Service, at FAA, at NOAA, not to mention the OPM breach. It is
unacceptable that we are putting important data belonging to the
American people as well as our economic edge at risk. We simply have to
take action now.
It is incredible that OPM implausibly asserted earlier this month
that ``there is no information at this time to suggest any misuse or
further dissemination of the information that was stolen from OPM's
systems.'' That incredible statement, which implied that the
perpetrators of this lengthy and extensive attack have no intention of
ever using the stolen data, suggests that OPM still has yet to
recognize the gravity of this cyber attack.
But Congress also has the responsibility to make the job for those
securing our Federal civilian networks easier to do in light of the
extraordinary threat that foreign adversaries, international criminal
gangs, and other hackers pose to government systems and the privacy and
safety of our citizens. This bill is the first of many steps to
strengthen our Nation's cyber security, and I urge my colleagues to
support this bipartisan measure.
Mr. WARNER. Mr. President, I rise today to speak on the Federal
Information Security Management Reform Act, FISMA Reform, of 2015,
which I introduced today with Senator Collins, Senator Mikulski,
Senator Coats, Senator Ayotte, and Senator McCaskill. This legislation
will give the Department of Homeland Security the power to make sure
that civilian government agencies--like OPM--have adequate cyber
defenses against these kinds of attacks.
Cyberattacks present one of the most critical national and economic
threats that this Nation faces. As the FBI Director recently stated,
there are two types of companies in the U.S.--those that have been
hacked by China, and those that do not yet know they have been hacked.
Estimates by the Center for Strategic and International Studies
indicate that cyberattacks and cybercrime account for between $24 and
as much as $120 billion in economic and intellectual property loss per
year in the U.S. That is the equivalent of 0.2 to 0.8 percent of our GDP.
The same CSIS study suggests that $100 billion in losses due to
cyberattacks is the equivalent of over half a million lost U.S. jobs.
As we have seen with the OPM cyberattack, more than 22 million
Federal employees, retirees and applicants had their personal data
stolen, including--most troublingly--information on their security
clearance background investigations. The scope of this breach was
unprecedented. As the FBI Director told the Intelligence Committee
recently, this is a ``huge deal'' and represents a treasure trove of
information for potential adversaries.
But this is a serious problem that isn't limited to government, as we
have already seen with recent breaches involving Anthem, CareFirst,
Target, Neiman Marcus, Home Depot, and banks like J.P. Morgan, just to
name a few. Both the private and public sector need to be better
prepared for an increasing number of these cyberattacks.
To figure out how to protect consumers' financial data, last year I
held the first hearing in Congress into data breaches in the aftermath
of the Target breach.
One takeaway was how much more serious private sector and government
entities need to be in investing in infrastructure and talent to secure
their systems from cyberattack and breach. While there is always a risk
of breaches, we can significantly mitigate those risks by increasing
our ability to detect and respond to attacks.
I also believe we must get serious about passing cybersecurity
legislation. This is also why I supported the Cyber Information Sharing
Act (CISA) that passed in the Senate Intelligence Committee 14-1 in
March.
A couple years ago, Senators Lieberman and Collins had a
comprehensive cybersecurity bill which was unable to pass in the
Senate. Unfortunately, when the bill did not pass, so did many of the
good-government provisions such as strengthening the ability of the
government to protect the ``Dot-gov'' infrastructure. While some of the
language in the Lieberman-Collins bill regarding the DHS's role in
cybersecurity did make it into law in December 2014, these changes did
not go far enough.
That is why today I have introduced with Senator Collins, Senator
Mikulski, Senator Coats, Senator Ayotte and Senator McCaskill the
Federal Information Security Management Reform Act, FISMRA, of 2015.
This legislation would give the DHS strengthened authorities to enforce
standards, employ cyber threat detection technology and defensive
countermeasures, and to conduct threat and vulnerability analyses
across all civilian U.S. Government agencies. Our bill would affect
federal agencies only, except defense and intelligence agencies, not
the private sector.
The basic problem with protecting U.S. Government information systems
is that while DHS has the responsibility to protect the ``Dot-gov''
domain, right now it does not have the ``teeth'' to actually enforce
security standards or fix vulnerabilities. It is likely that if the DHS
had the additional authorities we are proposing this could have helped
to discover the OPM breach sooner. In fact, OPM only discovered the
breach after implementing a cybersecurity tool that was recommended by
the DHS.
Our bill would give the DHS secretary the authority to direct--not
request--that agencies undertake needed corrective actions to protect
their cyber and information systems. Now, some government agencies'
systems may already be pretty good--so the DHS may not need to issue
them directives. But I also know that we are not where we want to be.
While the breach at OPM was and continues to be devastating to those
federal employees who are affected, we need to remember that
cybersecurity is not just an issue at OPM. A recent article in the New
York Times quoted the President's cyber advisor, Michael Daniels, as
saying ``it's safe to say that federal agencies are not where we want
them to be across the board,'' that the bureaucracy needed a ``mind-set
shift,'' that would put cybersecurity at the top of their list of
priorities, and that ``we clearly need to be moving faster.''
Likewise, a recent audit of the Federal Aviation Administration's
network in January cited ``significant security control weaknesses . .
. placing the safe and uninterrupted operation of the nation's air
traffic control system at increased and unnecessary risk.'' The FAA's
former chief information security officer told the press that he had
been frustrated by the failure to address obvious security holes in its
most important networks.
Similarly, at the Department of Energy's network that contains
sensitive information on critical infrastructure and nuclear
propulsion, investigators found ``numerous holes,'' according to the
New York Times.
At the IRS network, auditors found 69 vulnerabilities.
I believe it is not a matter of if, but of when government systems
will again be hit by a major cyberattack. And that is why I believe we
cannot wait to give one primary entity the authority--especially when
it already has the responsibility--to ensure that all ``Dot-gov''
government agencies meet robust cybersecurity standards, and that they
are able to deploy tools and technology across the government to detect
and prevent cyberattacks like the ones we saw at OPM. The Department of
Homeland Security is such an entity.
I know that some of my colleagues have argued that the NSA is the
best in
government at countering the cyber threat. I think that the NSA's
capabilities are impressive. They do an excellent job protecting our
defense and intelligence information systems. However, it would be
unfeasible to put the NSA in charge of the United States' civilian
cybersecurity.
DHS cyber capabilities have been steadily improving. It is deploying
innovative tools like EINSTEIN 3A. It has an extremely capable National
Cybersecurity and Communications Integration Center, NCCIC, located in
Virginia, that already detects threats and promotes information sharing
with industries through the so-called ISACs, Information Sharing and
Analysis Centers, that cover a range of industries from Aviation,
Defense Industries, the Financial and Banking sectors, Electricity, IT,
Communications and others.
As DHS Secretary Jeh Johnson recently stated: ``Legally, each agency
and department head has the responsibility for their own system--
legally, and I stress that to my colleagues. We have the responsibility
for the overall protection of the Federal civilian dot-gov world [. .
.] [W]here we need help in protecting Federal cybersecurity is legal--
making express our legal authority to receive information from other
departments and governments. [. . .] [W]e want the express legal
authority to make it plain that when we utilize things like EINSTEIN,
EINSTEIN 3A, those other agencies are authorized to share information
with us, to give us access to our network.''
In short, this bill would allow DHS--which already has the
responsibility to protect ``Dot-gov'' networks--the authority and the
ability to deploy tools and technology across the government to
proactively detect and prevent cyberattacks like the ones we saw at
OPM. The alternative is continuing the status quo, where each agency--
no matter how poorly--monitors its own networks and only asks for
outside assistance when it feels like it. That doesn't work. I urge my
colleagues to join us in supporting this bipartisan bill.