Senators Want to Give DHS New CYBERCOM-Like Powers to Thwart Civilian Agency Hacks

Senators from both parties are pushing to position the Department of Homeland Security as the U.S. Cyber Command of the civilian government, after many agencies refused to fall into line on information security last year.

Following the largest known hack of U.S. federal employee information, a bipartisan group of six lawmakers believes there is now enough momentum to grant DHS power over government networks.

Just as CYBERCOM monitors and blocks threats to the military network, DHS, under proposed legislation, would scan for and repel attacks against the dot-gov domain.

In the event of a suspected threat, the new 2015 Federal Information Security Management Reform Act lets DHS direct agencies "to take any lawful action with respect to the operation of the information system" at risk. IT systems subject to partial override, during emergencies, would include private-sector networks that handle government information.

The bill also would task DHS with "conducting targeted risk assessments and operational evaluations" of agency and contractor systems, including vulnerability scans."

Currently, Homeland Security has limited ability to shield agency networks with its primary intrusion-blocking tool, called EINSTEIN. DHS can only enter an agency’s network with EINSTEIN if the agency asks for help. Under the proposed law, DHS could run intrusion detection and prevention technology on all agency systems.

Last year, agencies lagged in patching federal websites that harbored the Heartbleed superbug. The White House, after the fact, issued a policy that permitted DHS to proactively perform governmentwide network scans for vulnerabilities. Earlier this month, DHS Secretary Jeh Johnson said about 45 percent of the federal workforce is protected by the latest model of the EINSTEIN system.

Almost since its inception, policy papers have labeled DHS the "focal point" of cybersecurity, but generally, in name only. A multiyear effort to update the 2002 Federal Information Security Act and deputize DHS to oversee cyber operations finally became law in 2014.

But the legislation did not authorize the department to take control of networks during emergencies.

Senate sponsors say the tactics in their measure are patterned after the way the military and intelligence communities protect the dot-mil domain, a part of cyberspace excluded from the DHS legislation.

Republican Sens. Susan Collins of Maine, Dan Coats of Indiana, and Kelly Ayotte of New Hampshire are behind the bill. The Democratic backers include Sens. Barbara Mikulski of Maryland, Claire McCaskill of Missouri and Mark Warner of Virginia.

“The attack on OPM has been a painful illustration of just how behind the curve some of our federal agencies have been when it comes to cybersecurity," Warner said in a statement. "If we want to be better prepared to meet this threat in the future, we have to make sure that the Department of Homeland Security has the tools it needs to adequately secure our federal civilian networks.”

Similar language is included in an amendment to a controversial House cybersecurity bill that would exchange threat indications -- including, sometimes, personal data -- between government and industry.

Noticeably absent from the list of Senate co-sponsors are the heads of the Homeland Security and Governmental Affairs Committee, the panel with jurisdiction over DHS. Typically, that committee would have to agree to send the bill to the full Senate for a vote.

Committee Chairman Sen. Ron Johnson, R-Wisc., is "fully supportive of Sen. Collins’ efforts on federal cybersecurity legislation," a Johnson aide said in an email. The aide said Johnson’s staff had just received the bill text and was still reviewing it.

Johnson and committee Ranking Democrat Sen. Tom Carper, D-Del., "plan to soon introduce very similar legislation they have been developing over the last several months," the aide said.

The committee last month postponed voting on a House bill, H.R. 1731, which would mandate agencies to funnel network traffic through EINSTEIN for tailored purposes.

As of July 10, Carper was still pressing Congress to mandate EINSTEIN be activated to stop OPM-like attacks.

"Congress needs to provide agencies with the best tools to stop these intrusions. That includes authorizing the cyber intrusion detection and prevention system currently known as EINSTEIN," he said in remarks upon the resignation of then-OPM Director Katherine Archuleta.