“The U.S. government’s computer networks are under attack. Hacktivists, organized crime syndicates and nation-states have successfully launched electronic assaults against vulnerable government networks, some of which house millions of Americans’ personal and private information,” Johnson said, in a release. “To protect their privacy against our adversaries, Senator Carper and I are introducing the Federal Cybersecurity Enhancement Act, which will accelerate deployment of a federal intrusion detection and prevention system that will improve the government’s cyber defense capabilities.”
FCEA mandates that all agencies adopt the Homeland Security Department’s EINSTEIN intrusion detection and prevention system. Agencies would use EINSTEIN to analyze their network traffic in order to detect and prevent cyber threats. Currently, only 45 percent of agencies are using the system.
“Making sure our federal agencies have access to the best technology is a critical part of that effort,” Carper said, in the release. “At the same time, agencies must be constantly assessing and increasing their internal cyber defenses to be as strong as possible. EINSTEIN is a valuable tool that can help agencies detect and block cyber threats before they can cause too much harm.”
The bill requires agencies to adopt best practices in their cybersecurity, using, for example, two-factor authentication and encrypting sensitive systems. In addition, the bill authorizes DHS and the Office of Management and Budget to conduct comprehensive assessments of agencies’ networks to detect and remove intruders.
“Had the powers of this bill been implemented already, they likely would have stopped the hack of the Office of Personnel Management,” Johnson said. “They will make it far more difficult for our adversaries to steal our private data and to penetrate government networks.”
The bill also requires agencies to provide annual status reports of their EINSTEIN programs, in order to promote transparency and accountablity.
During today’s markup session, committee members approved several amendments to FCEA. These included:
Authorizing the Director of National Intelligence to assess unclassified information systems that when combined with other unclassified systems could together create classified information. This refers to a “mosaic” effect, in which seeming unclassified material, when taken together, would reveal information that is classified.
Authorizing the ODNI and the DHS secretary to conduct ongoing damage and risk assessments of the OPM data breaches.
In the event of a known cybersecurity intrusion that represents a substantial threat to an agency’s information security, an agency secretary may take any lawful action to protect that information system, in coordination with the ODNI.
As amended, the committee voted to send FCEA to the full Senate.
Sens. Susan Collins (R-Maine) and Mark Warner (D-Va.) sent out a release voicing their support for the amended bill. They said it includes all five of the key provisions of the bipartisan FISMA Reform Act of 2015, which they introduced a week ago.
“The recent cyber attack at OPM exposed the current vulnerabilities to our federal networks in a glaring manner. It is long overdue to make sure all of our federal networks and the information they hold are properly protected and secured,” Collins said, in the release. “I am very pleased that one week after the introduction of our bipartisan legislation, that HSGAC has reported legislation that Carper includes the five critical provisions that DHS needs to properly defend the dot-gov domain from cyberattacks like the ones we saw at OPM.”
Warner added that DHS does not have the authority necessary to enforce cybersecurity standards, and agencies have to come to DHS voluntarily in order to obtain help detecting an neutralizing cyber threats.
“That’s a real problem as we face a growing number of these cyber attacks, because our federal networks are only as secure as their weakest link,” he said.
Other bills affecting federal employees the committee passed included:
Stop Improper Payments to Deceased People Act (S. 1073): “To amend the Improper Payments Elimination and Recovery Improvement Act of 2012, including making changes to the Do Not Pay initiative, for improved detection, prevention, and recovery of improper payments to deceased individuals.”
Land Management Workforce Flexibility Act (H.R. 1531): “To amend title 5, United States Code, to provide a pathway for temporary seasonal employees in Federal land management agencies to compete for vacant permanent positions under internal merit promotion procedures.”
Rep. Will Hurd (R-Texas) introduced the EINSTEIN Act of 2015 in the House on Wednesday. It would authorize DHS to deploy its EINSTEIN 3A program. DHS Secretary Jeh Johnson has called on Congress to authorize the program’s deployment.
,“Our adversaries are attempting to steal military secrets and valuable information on a daily, if not hourly basis,” said Hurd, in a release. “It is imperative that the federal government does everything it can to protect ourselves from the bad actors who are continuously trying to hack our systems. It’s bad enough when any person’s private information is stolen and used for identify theft, but imagine the grave impact of the theft of information belonging to those who are tasked with protecting America’s most sensitive information. ”