[Congressional Record (Bound Edition), Volume 154 (2008), Part 6]
[Extensions of Remarks]
[Pages 8080-8081]
[From the U.S. Government Publishing Office, www.gpo.gov]




       INTRODUCTION OF THE HOMELAND SECURITY NETWORK DEFENSE AND 
                       ACCOUNTABILITY ACT OF 2008

                                 ______
                                 

                         HON. JAMES R. LANGEVIN

                            of rhode island

                    in the house of representatives

                         Wednesday, May 7, 2008

  Mr. LANGEVIN. Madam Speaker, today we are introducing the Homeland 
Security Network Defense and Accountability Act of 2008, a bill 
designed to improve the cybersecurity posture of the Department of 
Homeland Security.
  The security of our federal and critical infrastructure networks is 
an issue of national security. The United States and its allies face a 
significant and growing threat to our information technology, IT, 
systems and assets, and to the integrity of our information. The 
acquisition of our government's information by outsiders undermines our 
strength as a nation and over time could cost the United States our 
advantage over our adversaries. This is a critical issue that we can no 
longer ignore.
  One of the first things that Chairman Thompson tasked me with when I 
was named Chairman of the Subcommittee on Emerging Threats, 
Cybersecurity and Science and Technology was to lead a bipartisan 
inquiry into the cybersecurity posture of our federal networks and our 
critical infrastructure. Viewing the potential for cyber attacks on 
federal networks as an emerging threat that warrants attention, 
Chairman Thompson challenged me to address the four areas that the 9/11 
Commission determined our systems failed: in imagination, policy, 
capabilities, and management. The same can be said of the federal 
government's approach to cybersecurity--and as a result, our critical 
information and technology systems are vulnerable to cyber terrorists.
  So far in the 110th Congress, we have held seven hearings on 
cybersecurity, heard from hundreds of experts on how best to tackle 
this issue, reviewed information security best practices in the public 
and private sectors, investigated cyber incidents across the spectrum, 
from the State and Commerce Departments to our Nation's electric grid, 
and uncovered and assisted law enforcement in investigating breaches at 
the Department of Homeland Security. It has become clear that an 
organization is only as strong as the integrity and reliability of the 
information that it keeps. Therefore we must make cybersecurity a 
national priority.
  This legislation represents a small but critical step toward 
improving the cybersecurity posture at the Department of Homeland 
Security by addressing two key issues: ensuring a robust defense-in-
depth of our information systems, and holding individuals at all levels 
accountable for mitigating vulnerabilities. Early in our investigative 
process, I announced that the Committee's oversight goals were to 
increase public awareness of the problems associated with federal 
network security; fix those vulnerabilities that are, or could be, 
successfully exploited; and hold individuals, agencies, and private 
sector entities responsible for their actions. Though much work remains 
to be done, I believe that we are moving in the right direction. The 
Department has already begun acting to improve its information security 
as a result of several Committee hearings. By fully implementing and 
carefully considering the intent of this bill, I believe the Department 
of Homeland Security will continue to make great strides in improving 
its information security posture. I hope that one day DHS will be 
considered a global leader in cybersecurity.

[[Page 8081]]

  This measure is comprised of several important pieces. First, this 
bill would establish authorities and qualifications for the Chief 
Information Officer, CIO, position at the Department of Homeland 
Security. In March 2007, Secretary Chertoff issued a management 
directive giving the Chief Information Officer hiring authority for 
CIOs and approval authority over agency CIO budgets and IT investments. 
This bill statutorily authorizes that directive, but includes 
additional requirements for information security qualifications. In a 
number of hearings, we expressed concern that the lack of an 
information security background can hamper the CIO's understanding and 
efforts to secure the Department's networks. We cannot allow future 
Presidents to repeat the mistakes made by this Administration in 
appointing unqualified individuals to this important office.
  This bill would also establish specific operational security 
practices for the CIO, including a continuous, real-time cyber incident 
response capability, a network architecture emphasizing the positioning 
of security controls, and vulnerability assessments for each external-
facing information infrastructure. As we learned through our 
investigations of cyber incidents on DHS networks, the absence of a 24 
hour/7 day a week real-time response capability can lead to devastating 
consequences, and we simply cannot afford significant time lapses in 
our response to cyber incidents.
  This legislation also includes testing protocols to reduce the number 
of vulnerability exploitations throughout the Department's networks. 
Through our investigations and oversight hearings, we identified a 
significant gap between requirements under the Federal Information 
Security Management Act, FISMA, and the current threat environment. As 
we have learned, agencies that receive high FISMA scores are not 
necessarily secure from the latest attacks. This provision will require 
the CIO to consult with other federal agencies and establish attack-
based testing protocols to secure Department networks. Today, one of 
the biggest problems with FISMA is that while we continue to identify 
vulnerabilities in our systems, we fail to provide adequate funding to 
mitigate those vulnerabilities. This bill will hold both the CIO and 
the agency head responsible for developing and implementing a 
vulnerability mitigation plan that includes budget and personnel marks.
  The ubiquitous nature of the Internet can lead to significant 
problems if one party is infected with a virus or rootkit that can 
penetrate another person's network undetected. That is why our bill 
requires the Secretary to determine if the internal security policy of 
a contractor who provides network services to the Department matches 
the requirements of the Department. Network service providers for the 
Department are also required to implement and regularly update their 
internal information security policies, and deliver timely notice of 
any computer incidents that could affect the Department's computers. 
This section is similar to provisions contained in the security 
controls developed by the National Institute of Standards and 
Technology, NIST, special condition ``SA-9.''
  Finally, we seek a formal report from the Secretary on several 
critical issues. I was disturbed to learn that the Department still has 
not conducted a risk assessment on its unclassified network, despite a 
series of breaches, and we seek a detailed counter-intelligence plan 
from the Secretary to investigate all breaches, as well as an outline 
of a program to increase threat information sharing with cleared 
contractors. DHS must also examine a similar undertaking, and consider 
offering training to contractors using the attack-based protocols 
established in consultation with the defense and intelligence 
communities. We also ask the Secretary to update us on how effective 
the Department has been in meeting the deadlines established by the 
Office of Management and Budget, OMB, for Trusted Internet Connections, 
TIC, encryption and authentication mandates.
  Regrettably, poor information security practices plague the entire 
federal government, not just DHS. NIST continues to serve as an 
excellent guide for robust cybersecurity practices; unfortunately, 
federal agencies are often quick to cut cybersecurity budgets in favor 
of tangible products. If we care about information security, then we 
must not allow agencies to bleed money out of these programs.
  Of course, legislation alone will not accomplish our goals. The 
Homeland Security Committee continues to conduct robust oversight over 
this Administration's Cyber Initiative. While I support the aim of the 
Cyber Initiative, I continue to have significant questions about the 
scope, budget, and secrecy of these efforts. Furthermore, there are 
several critical issues that each federal agency must immediately 
address to improve its security posture. We must start conducting 
robust damage assessments that can measure exposure to current attacks, 
and continue to fix those vulnerabilities. We must enhance and educate 
the federal workforce to limit successful exploits. We must support 
focused R&D efforts to solve the big challenges that face us in the 
world of cybersecurity. We must support and enhance initiatives like 
the Federal Desktop Core Configuration, the OMB-mandated security 
configuration for all Microsoft Windows Vista and XP operating system 
software. We must continue to monitor the efforts of the Administration 
to collapse federal connections to the Internet, known as the TIC 
Initiative. And finally, we must hold accountable those responsible for 
these efforts--whether they are our CIOs or Chief Information Security 
Officers, OMB, DHS, the Defense Department, the Intelligence community 
or contractors charged with securing our networks. Information security 
must become a prime concern for each of us if we are to ever be 
successful in defending ourselves from attack.
  Madam Speaker, the Homeland Security Network Defense and 
Accountability Act of 2008 is a robust and carefully crafted bill, and 
is the result of a bipartisan effort to treat information security and 
cybersecurity with the same attention and effort that our adversaries 
would use to exploit us. I thank Chairman Thompson for co-sponsoring 
this bill with me, and I send the bill to the desk and ask that it be 
properly referred to the Homeland Security Committee.

                          ____________________