The information and communications networks we refer to as cyberspace are critical to our economy, national defense, homeland security, and everyday lives. Yet every week, we learn of more threats to our cyber infrastructure. The specter of our adversaries disrupting our telecommunication system, shutting down our electrical power, or freezing our financial markets is not science fiction.
This reality was powerfully demonstrated by the recent cyber attack that compromised the personal information of at least 21.5 million former and current federal employees. The hacking of computer systems at the Office of Personnel Management (OPM) affected a staggering number of Americans. OPM was inexcusably negligent in protecting this information, but this cyber theft exposed a tremendous vulnerability in the defense of federal civilian networks. Like millions of Americans, I received a letter that my personal data had been compromised.
The information systems of the federal government contain highly sensitive personal data, such as Social Security numbers, home addresses, dates of birth, and in some cases, extensive background information of federal employees, retirees, and contractors, who have applied for security clearances. Yet, while the Department of Homeland Security (DHS) has a mandate to protect the dot-gov domain of federal civilian agencies, it has only limited authorities to do so. At present, DHS experts do not have the authority to monitor the networks of government agencies unless they have permission from that agency. DHS also cannot regularly deploy countermeasures to block malware without permission from the agency.
This limited authority hinders the security of dot-gov information systems. The OPM attack was a stark reminder that our adversaries are increasingly turning to the cyber realm. We must make certain that the Department of Homeland Security is empowered to deploy effective tools in the dot-gov domain to ensure that government agencies and the data their systems contain are protected.
As a member of the Senate Intelligence Committee and based on my experience as a former leader of the Homeland Security Committee, I have introduced bipartisan legislation that is crucial to securing our government systems and helping to prevent future, potentially devastating, cyber attacks against our nation.
This protection is urgently needed. In addition to the OPM, such federal agencies as the IRS, the Patent Office, the Social Security Administration, and Medicare are repositories of vast quantities of sensitive personal data of Americans. And the threat is increasing. Between 2006 and 2014, information security incidents in the federal government increased more than twelve-fold, from 5,500 incidents to more than 67,000.
Our bipartisan Federal Information Security Management Reform Act takes five important steps to strengthen the security of the networks of our federal civilian agencies. First, our bill would allow the Department of Homeland Security to operate intrusion detection and prevention capabilities on all federal civilian agencies without waiting for a request from every federal agency. Today, if an agency is uncooperative with DHS or simply does not want to make cybersecurity a priority, there is little that can be done to strengthen the agency’s vulnerable network.
Second, our bill would also allow DHS to conduct risk assessments of any network within the dot-gov domain. This provision will ensure that no federal agency can be unaware if it has not sufficiently secured its network and thus jeopardized sensitive data.
Third, our bill would allow DHS to operate defensive countermeasures on these networks once a cyber threat has been detected. Currently, DHS can only deploy technical assistance to assist agencies to diagnose and mitigate cyber threats at an agency’s discretion, and sometimes there are legal impediments to doing so.
Fourth, our legislation would strengthen and streamline the authority Congress gave to DHS last year to issue binding directives to federal agencies, especially to respond to substantial cybersecurity threats or in emergency circumstances.
Finally, while DHS administers the protection of federal networks, the Office of Management and Budget has the ultimate responsibility to enforce federal cybersecurity standards. Our bill would require OMB to report to Congress on its enforcement of government-wide cybersecurity standards through the use of its budget process. Congress has already given OMB this significant tool, but the evidence to date suggests that OMB is not wielding this tool enough.
The primary problem our bill would solve is that DHS has the mandate to protect the dot-gov civilian domain, but it has only limited authorities to do so. This approach is in sharp contrast to the robust authorities that the National Security Agency has to defend the military’s dot-mil domain, which our legislation does not affect in any way.
Secretary of Homeland Security Jeh Johnson has said that obtaining clear congressional authorization for DHS to deploy protective capabilities to secure civilian agencies is one of his priorities. I heard that same message from his predecessor, Janet Napolitano, when I was the Ranking Member of the Senate Homeland Security Committee in 2012. That year, we urged our colleagues to pass the Cybersecurity Act that included major reforms to improve the protection of federal networks. We will never know if the OPM breach that compromised the personal information of more than 21 million people could have been prevented if the Senate had passed that bill three years ago.
What we do know, however, is that the federal government has enormous amounts of personal information for a wide range of valid and important purposes, such as determining eligibility for federal programs, and that the government has a great obligation to safeguard that information. For years, experts have warned that the question of a crippling cyber attack is not “if,” but “when.” As the OPM breach has shown, “when” is here, and the time to act is now.