Senators want DHS to have NSA-like defensive cyber powers

A bipartisan group of Senate lawmakers wants to give the Homeland Security Department more authority over the dot-gov domain.

A new bill would codify the responsibilities and authorities DHS currently has under policy from the White House. The Federal Information Security Management Reform Act of 2015, introduced in the Senate Wednesday, would give DHS the clout it’s been lacking over the last five years, and, in some respects, put it on par with the National Security Agency.

The bill would take five specific steps to change the way DHS oversees the dot-gov domain.
Each of these five areas is a problem that has arisen over the last year, but the major cyber breach at the Office of Personnel Management is what really brought home to these members how little authority DHS has.

“Our bill would allow the secretary of Homeland Security to operate intrusion detection and prevention capabilities in all federal agencies on the dot-gov domain without waiting for a request from a federal agency,” said Sen. Susan Collins (R-Maine), one of six co-sponsors of the legislation, at a press conference on Capitol Hill Wednesday. “Second, our bill would direct the secretary to conduct risk assessments of any network in that domain. Third, our bill would allow the secretary of Homeland Security to operate defensive countermeasures on these networks once a cyber threat has been detected.”


She said the fourth area would strengthen and streamline DHS’s ability to issue binding operational directives, especially during emergency circumstances when an intrusion is underway.

DHS Secretary Jeh Johnson issued the department's first binding operational directive May 21, ahead of the public disclosure of the massive data breach that ended up impacting more than 22 million current and former federal employees.

The fifth area isn’t about DHS, but the Office of Management and Budget. Collins said OMB would have to report to Congress annually on the extent to which it exercised its authority to implement governmentwide cyber standards.

Sens. Mark Warner (center), Susan Collins (left), Dan Coats and Kelly Ayotte introduce the FISMA Reform Act Wednesday.

Along with Collins, Sens. Mark Warner (D-Va.), Kelly Ayotte (R-N.H.), Barbara Mikulski (D-Md.), Claire McCaskill (D-Mo.) and Dan Coats (R-Ind.) signed on as original co-sponsors of the bill. The sponsors also sit on all the appropriate oversight committees, including Homeland Security and Governmental Affairs.

Congress in December passed the FISMA Modernization Act of 2014, which President Barack Obama signed into law. The White House also issued policies in 2010 and 2014 giving DHS more authorities over civilian networks, but lawmakers saw over the last year it wasn’t nearly enough.

Warner said DHS needs the heft of the law rather than the light touch of policy.

“As a former governor, I can tell you executive decrees to get agencies to actually collaborate and cooperate don’t always take place,” he said. “What we have now where DHS is responsible, many of the agencies, as Senator Collins mentioned, have a voluntary compliance. There is no minimum standard. There is no ability for DHS to come in and test and detect and improve quality. This is all done on a voluntary basis. Every agency, and we’ve dug into some of these agencies, have got the reason why they in particular can’t comply. This voluntary system has resulted in an inconsistent patchwork of security across the whole federal government.”

Warner said through this bill, DHS could be more proactive in how it implements tools and processes to better protect federal networks and maybe even stop or limit another massive breach.

The desire for DHS to have these authorities isn't coming only from Capitol Hill. Department officials asked Congress for clearer authorities several times in 2014, after the Heartbleed vulnerability and other cyber challenges illustrated the roadblocks DHS faces in working with agencies to address these threats quickly.

Jeff Greene, Symantec's director of government affairs for North America and senior policy counsel, said the bill could help remove some of the bureaucratic hurdles DHS faces when it tries to help agencies deal with these cyber problems.

One major reason lawmakers want to give DHS more authority is because they see the difference between civilian and military oversight of cyber.

Collins said DHS’s responsibilities stand in stark contrast to the National Security Agency’s ability to protect military and intelligence agencies.

“If the head of NSA believes an agency has an unsecured database, he can order that database be shut down,” she said. “DHS needs to have similar authority to protect civilian networks in order to protect the privacy and security of personal data of Americans, and to safeguard our country’s economic edge.”

A big question that will come up is whether DHS can handle this new responsibility. The department’s track record has been mixed.

Coats said members considered DHS’s history and capabilities today as they drafted the bill.

“Substantially since three years ago, DHS has gained capability. The current secretary is capable and strengthened DHS to the point where we need a lead agency in order to get this to happen,” Coats said. “The authorities that have been given to DHS are now there in place, and with this bill, we will enhance those authorities so the various agencies of the government can get up to speed. The breach of OPM records was devastating, but it pointed to a much larger [problem] within a number of agencies that have been mentioned so we need a catalyst, we need a force from the top that would basically get this remedied.”

Through this bill, these members are giving DHS a huge seal of approval, but they also are creating a single responsible organization they can look to for answers when something goes wrong.

Greene said that while he hasn’t seen the bill yet, he knows if Collins is involved it’s not just a reaction to the OPM breach so Congress can look like it’s doing something.

Greene said giving DHS more responsibility makes sense for several reasons.

“To some degree it’s reflection that no other agency is positioned well to do it,” he said. “The National Cybersecurity and Communications Integration Center (NCCIC) at DHS has been pretty effective with a pretty good watch floor operations center. It has gained some credibility throughout other agencies because of them operating pretty well. I think when DHS was given more responsibility under FISMA back in 2011, there was an OMB directive, what I heard when I was on the Hill back then was some pretty good feedback from agencies on DHS giving them some good feedback. I think they have made some good incremental progress. It’s a combination of them maturing and, if you say not DHS, then the logical next question is who? If you don’t have an answer, then it’s going to be DHS.”

Greene said agencies have some valid concerns about letting DHS into their systems, and about who understands their security needs better than they do. But he said there has to be a happy medium between giving DHS carte blanche and the current situation, where DHS must beg and plead for access to agency systems.

Greene added the bill finally would match DHS's responsibility with the authority it needs.

The FISMA Reform Act of 2015 is another in an ever-growing stable of cyber bills, many of which have never made it out of both houses of Congress.

But lawmakers and others are optimistic about this bill for a couple of reasons.

First, the OPM breach is yet another wakeup call for lawmakers.

But more importantly, both Senate and House lawmakers better understand the need for cyber legislation.

Collins said she believes Senate members will get a chance to vote on this bill by the fall.

“It’s my understanding that we will be taking up the cybersecurity bill that was approved by the Intelligence Committee as early as before we break for the August recess and if not then, then in early September. This bill would dovetail very nicely with that legislation,” she said. “That legislation is more of an information sharing bill. It’s another essential step in the puzzle to encourage more sharing of threat indicators between the private sector and the public sector. Our bill complements that bill and I would anticipate that we could offer our bill as an amendment to that bill when it comes to the floor as it will shortly.”

Greene added that because this is a non-controversial bill and because it's bipartisan with Collins in the lead, he could see it getting some traction and passing. He said it would likely pass not as a standalone bill but as an amendment, as Collins described.