Congress' Week: Data Breaches, Kaspersky and Murderers with Security Clearances

Lawmakers ricocheted like pinballs between a trio of major breach stories but also found time advance bills with major implications for federal agencies.

Agencies that haven’t optimized data centers need to figure out their plans. The Senate Homeland Security and Governmental Affairs Committee moved along the FITARA Enhancement Act, which would extend rules on federal data consolidation and transparency in technology purchases. The committee also approved the Connected Government Act, which would require agencies have mobile-accessible websites, and the Hack the DHS Act, which would allow Homeland Security Department to run a bug bounty program.

Billions with a B…and an S.

There was Yahoo’s announcement that a 2013 data breach didn’t just compromise 1 billion user accounts as previously disclosed: It compromised all 3 billion of the company’s user accounts.

Senate Commerce Committee Chairman John Thune, R-S.D., pledged to haul Yahoo executives before his committee this month and declared sternly that witnesses should “think hard about their obligations to consumers and offer a sober assessment of remaining risks that could be the subject of a future announcement.”

The hearing date and witness list will come out later this month, Thune said. Yahoo was purchased last year by Verizon.

No Rest for Equifax

Meanwhile, former Equifax CEO Richard Smith appeared before five congressional committees this week to answer questions about his company’s breach affecting more than 145 million people.

Senate Minority Whip Dick Durbin, D-Ill., urged Equifax to assume the cost of consumer credit freezes across all credit reporting agencies.

Senate Finance Committee Chairman Orrin Hatch, R-Utah, and ranking member Ron Wyden, D-Ore., are demanding answers from the IRS about its $7 million bridge contract with the breached credit rating agency. A collection of nine Democratic senators sent a similar letter, led by Sen. Gary Peters, D-Mich.

Jeffrey Tribiano, the IRS’ deputy commissioner for operations support, Wednesday told a House Ways and Means subcommittee the agency was caught between an expiring contract and waiting for bid protest—filed by Equifax—to be decided. GAO, however,  told Nextgov the IRS could have started the new contract if it “is in the best interest of the United States.”

There’s Always Room for Kaspersky

Finally, on Thursday, Sen. Jeanne Shaheen, D-N.H., wrote to leaders of the Senate Armed Services Committee urging hearings on a Wall Street Journal report that Russian government-linked hackers exploited Kaspersky anti-virus to steal details of National Security Agency hacking tools from a contractor’s home computer. “This development should serve as a stark warning, not just to the federal government, but to states, local governments, and the American public, of the serious dangers of using Kaspersky software,” Shaheen said in a separate statement.

Are Murderers and Pedophiles Really Getting Security Clearances?

The House Oversight committee holds a hearing Wednesday about Defense Security Services Director Daniel Payne’s statement that murders, rapists and pedophiles received interim security clearances. The Defense Department, he said, issued the temporary clearances while it waits on the significant backlog of security clearances. National Background Investigation Bureau Director Charlie Phalen confirmed that backlog includes 700,000 federal employees, contractors and applicants.

Rep. Elijah Cummings, D-Md., requested Payne, Phalen, White House Chief of Staff John Kelly, and Director of National Intelligence Daniel Coats provide information about anyone with a criminal conviction who got temporary clearances.

Earlier this week, the Senate Homeland Security and Governmental Affairs Committee advanced the SECRET ACT,  a bill that would reinstate reporting requirements on the security clearance backlog.

Surveillance Reform Part Deux

House lawmakers formally introduced a bill Friday that would reauthorize but rein in a controversial NSA spying tool revealed by Edward Snowden back in 2013. The bill would place restrictions on when intelligence agencies can share information collected under Section 702 of the Foreign Intelligence Surveillance Act with law enforcement and amps up public reporting about how the authority is used.

Unlike Section 215 of the USA Patriot Act, which was renewed after a lengthy battle in 2015, Section 702 deals with actual communications rather than metadata such as when a text message or email is sent and to whom.

Another Brick in the Border Wall

Whatever the president’s border wall may be made of, both legislative branches laid some groundwork for high-tech purchases. Senate Homeland advanced the Border Security Technology Accountability Act, which includes provisions to ensure any technology bought doesn’t end up on the Government Accountability Office’s high-risk list. The House Homeland Security committee also passed its version, which designates $10 billion for the wall and its tech and $5 billion for port security. The markup includes provisions for situational awareness tech, like sensors, radar and drones.

Wyden Queries Voting Machine Companies

Sen. Ron Wyden, D-Ore., wrote to the top six voting machine makers Tuesday asking about cyber protections on their machines. Wyden wants to know if the companies have chief information security officers, how many of their employees focus on information security, whether third-party cyber firms audit their systems and whether they accept unsolicited bug reports from security researchers, among other questions.

Other Hearings Coming Up

Two House Science, Space and Technology subcommittees hold a joint hearing Wednesday about a GAO investigation into the National Institute of Standards and Technology’s physical security. The House Administration committee continues its look at how the Government Publishing Office is changing for the next century and a House Small Business Committee wants to see if Paperwork Reduction Act efforts are working for small businesses.

House Oversight on Thursday looks into the Census Bureau’s 2020 efforts, one of GAO’s high-risk list programs. A House Homeland Security subcommittee examines North Korea threats—cyber, nuclear and otherwise.  A House Energy and Commerce panel looks into how coming trade changes to cross-border data flow may impact U.S. jobs with witnesses from BSA-The Software Alliance, Information Technology Industry Council and ACT-The App Store.

Joseph Marks and Heather Kuldell contributed to this report.