Fears rise over little-known cyber bill provision

Jason Miller: Fears rise over little-known cyber bill provision

CORRECTION: An early version of the story incorrectly identified who is the lead in taking action if DHS discovers a substantial cyber threat. The agency head is the person who would be given the power to take action if the bill becomes law. Federal News Radio regrets the error.

 

Let’s get beyond the back-slapping and glad-handing over the fact that Senate lawmakers introduced and tucked much-needed legislation to protect federal networks into the Cybersecurity Information Sharing Act.

There is one provision in the Federal Cybersecurity Enhancement Act that is scaring both industry and government alike.

And yes, scaring is probably the best word here—not worrying or concerning, but actually putting fear into their minds.

Without a doubt there are a lot of positive requirements in the provision, which Sens. Tom Carper (D-Del.), Ron Johnson (R-Wis.), Susan Collins (R-Maine) and Barbara Mikulski (D-Md.) are sponsoring and added to CISA.

But under Section 209, lawmakers would give the Homeland Security Department Secretary the power to issue an emergency directive when there is a “substantial threat” to the information security of an agency and tell the secretary or administrator that they could take “any lawful action with respect to the operation of the information system, including such systems owned or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.”

Put in more straightforward terms, if DHS determines a cyber threat is so great, it can tell agency leaders to go into their network or a contractor’s network, which holds federal data, and take actions to protect it.

Government and industry sources said getting DHS help during a cyber attack makes sense, but the provision as written is too broad and basically gives DHS carte blanche to do what it thinks is best to protect the networks and data.

“Basically, the bill is giving DHS the authority to walk into a commercial facility and take it over,” said one industry source who requested anonymity because they are working with the Hill on this bill. “It’s not just government data when the data is in a multi-tenant setup. We have other commercial clients and other government data mixed in. If DHS is going in, the bill doesn’t include any protection for trade secrets, commercial or financial information, and there is nothing limiting their authority. It just says they have to consult the head of an agency. There are no notifications to contractors or companies that DHS is about to come knock on your door. There is nothing notifying the company to say there is a problem and we will issue emergency authority and take over your systems.”

The sources said the language is too vague and opens the door to potential abuse.

“What is an emergency?” another industry source asked. “An undefined emergency and any lawful action, DHS can come in and do anything they want within the law, and who knows what law would look like. This is a reoccurring issue with some legislation involving DHS in terms of giving unbounded discretion to the secretary. I’m sure it’s all well intentioned, but there are concerns that there are few limits other than any lawful action and that’s pretty broad.”

Part of the problem with the legislation is that it’s not written in a way that takes into account agencies’ move to cloud computing, where their data may be intermingled with other agency data or information from other industry sectors or even international organizations.

The bill also assumes DHS knows what’s best for an agency when its network is under attack, when in reality Homeland Security will never have the resources or expertise to fully understand every agency’s architecture, which is needed to make immediate decisions to protect their networks.

But some on Capitol Hill said industry and agencies may be overreacting a bit.

A Senate Democratic staff member, who requested anonymity to talk about the bill, said the provision is modeled after one in the cybersecurity bill developed by former Sen. Joe Lieberman (I-Conn.) and Collins back in 2012.

“This so-called reach by DHS, we don’t see that as being the case. The language doesn’t go that far,” the staff member said. “The procedures are taken from the 2012 bill and we heard the concerns of contractors and others and teased them out more. In their shoes, we understand they want to proceed with the utmost caution, and they fear DHS would push every boundary and limit they have in law. We haven’t seen DHS do that, but time-to-time DHS is reluctant to be bad cop so to speak and they have more luck in being the friend and be there to help.”

The staff member said lawmakers fully recognize that agency chief information officers will know their network best, and DHS’ emergency authorities are limited to protective and detective capabilities.

“That’s why the provision says for broader authorities, procedures for use, DHS has got to consult with OMB,” the staff member said. “I think DHS understands busting into someone’s network and turning things off or changing things wouldn’t be good either.”

Another Senate staff member said one of the goals of the legislation is to broaden DHS’ authority to be able to force agencies to secure their networks if they fail to do so on their own.

Another red flag in the legislation is the assumption lawmakers made around how DHS would apply the EINSTEIN program to contractor systems.

Rich Beutel, president of Cyrus Analytics and a former Hill staff member, said the bill assumes DHS could overlay the software that runs the EINSTEIN intrusion detection and prevention system on a commercial cloud. He said that’s easier said than done.

“You can’t have EINSTEIN monitoring all traffic,” he said. “Cloud service providers and Internet service providers would have the responsibility to sequester the data, break it into two streams of government data and non-government data so EINSTEIN can run over only government data? I don’t think it’s possible. Maybe there is some magic way you can packetize data in some way, but that blows the value proposition for cloud and scalability.”

Johnson summed up the need to empower DHS succinctly:

“Agencies across the federal government are dragging their feet to implement cybersecurity practices already long in place in the private sector that would keep their data secure. These failures have made it clear that current law does not go far enough in requiring agencies to protect their networks,” he said in an emailed statement. “Therefore, using what the Committee learned from its oversight, Sen. Tom Carper and I introduced the Federal Cybersecurity Enhancement Act (FCEA), to provide a comprehensive approach to securing civilian federal agencies’ networks. This bill requires agencies to take the same kind of common sense approaches to secure their networks that private companies have been doing for years — like encrypting sensitive data, installing signature-based intrusion detection systems and using multi-factor authentication. Cyber-attacks, whether for destructive purposes or to steal information, are a significant threat facing our nation today. While there is no silver bullet to protect our networks from cyber-attacks, this bill would make it much more difficult for our adversaries to hack into our networks.”

The House has a similar bill, H.R. 3305, but it doesn’t include the specific provisions talking about giving DHS emergency powers to the extent the Senate’s version does. Rep. Will Hurd (R-Texas) sponsored the six-page bill and it calls for DHS to work with industry to deploy and protect federal data.

The first industry source said Congress is interested in passing cyber legislation in the wake of the massive data breach that impacted the Office of Personnel Management.

“The problem is what I will call in-artful drafting,” said the second industry source. “I’m sure they are trying to address a legitimate concern, but giving any unbounded discretion to federal officials is concerning.”

No one is arguing against the need for better cybersecurity, but it seems once again there’s a lack of understanding from both sides of what is needed, and instead of making several small changes, Congress is trying to eat the cyber elephant in one bite. And we know that never works.

This post is part of Jason Miller’s Inside the Reporter’s Notebook feature.