Collins, Warner look to give DHS more power to police federal networks

In the wake of the OPM hack, a bipartisan group of senators wants Homeland Security to take the lead on protecting the dot-gov domain.

Senators Susan Collins (R-Maine) and Mark Warner (D-Virginia).

Sen. Susan Collins (left) and Mark Warner want the Homeland Security Department to take the lead in protecting the dot-gov domain.

The hack of the Office of Personnel Management databases is reverberating on Capitol Hill. The first phase of the response was a series of withering hearings that put (now former) OPM Director Katherine Archuleta in the spotlight, along with agency CIO Donna Seymour.

Now, lawmakers are looking for ways to tighten up security on federal networks by expanding the authority of the Department of Homeland Security to run network protection systems across the dot-gov domain, whether a particular agency wants DHS help or not.

The Federal Information Security Management Reform Act of 2015, co-sponsored by Sen. Susan Collins (R-Maine) and Sen. Mark Warner (D-Va.), would put new authority behind the DHS mandate to protect federal networks. It would permit DHS to operate its intrusion watchdog and remediation systems across dot-gov networks, while requiring the department to conduct risk assessments of networks inside the federal civilian domain.

The bill also would empower DHS to conduct "defensive countermeasures" when a hack is detected, and give DHS the authority to shut down at-risk government databases, systems, or networks if the need arises, without prior notification.

The measure would essentially give DHS the same authority over civilian government systems that the National Security Agency has over military and intelligence systems.

The OPM hack "underscores the extraordinary vulnerability of computer networks in our federal civilian agencies," Collins said at a July 22 press conference announcing the legislation. "This cyberattack points to a broader problem -- the glaring gaps in the process for protecting sensitive personal and economic information in federal systems," she said.

DHS monitors and defends federal networks through its Einstein program. The Einstein 1 and Einstein 2 systems detect malicious activity across all federal networks. Einstein 3 Accelerated resides on commercial ISPs used by the government, and actively blocks malware, phishing attempts, and other intrusions using a classified database of previously identified forms of cyber attack. Currently, Einstein 3A covers about 45 percent of the federal civilian workforce.

In a July 8 speech at the Center for Strategic and International Studies, DHS Secretary Jeh Johnson said he hoped to have Einstein 3A capabilities available to all civilian feds by the end of 2015. He also called on Congress to "expressly authorize the Einstein program." Right now, there's nothing that compels agencies to avail themselves of DHS's security umbrella, even though DHS has a mandate to safeguard civilian networks.

"Every agency has got the reason why they in particular can't comply," Warner said at the press conference. "This voluntary system has resulted in an inconsistent patchwork of security across the whole federal government."

Collins said she hoped the bill could be attached to the cybersecurity bill approved by the Senate Select Committee on Intelligence in March. That legislation, Collins said, could come to the floor in August or September. The bill is co-sponsored by Sens. Dan Coats (R-Ind.), Kelly Ayotte (R-N.H.), Barbara Mikulski (D-Md.) and Claire McCaskill (D-Mo.). The co-sponsors, Collins noted, range across the relevant Senate committees of jurisdiction, including Homeland Security and Governmental Affairs, Intelligence, Commerce and Appropriations.

The House passed its own bill supporting DHS and the Einstein system, the National Cybersecurity Protection Advancement Act of 2015, in April by a vote of 355-63. After the OPM hack, House Homeland Security Committee Chairman Michael McCaul (R-Texas) urged the Senate to take up the House bill. Collins alluded to McCaul's measure in her remarks, but said the Senate bill is "more comprehensive in its approach."

Persistent disagreements about how much information sharing should take place between private companies and the government, and about whether the NSA or other non-civilian agencies should have access to cyber threat data reported by private firms and network operators, have hamstrung cyber legislation in the past.

Even with Republicans in control of both chambers, those divisions remain, with a lot of Republicans in the House in particular favoring an approach that keeps the NSA out of the picture when it comes to data coming from the private sector. The Senate Intel bill, which passed out of committee by a vote of 14-1, takes a different tack.