CISA's Hidden Secret: More Power to DHSBill Also Would Require Agencies to Beef Up Encryption, Authentication
Senate-approved legislation that would incentivize businesses to share cyber threat information with the government also would strengthen the Department of Homeland Security's oversight of civilian federal agencies in implementing cyber safeguards.
Buried on page 56 of the Cybersecurity Information Sharing Act of 2015, which passed the Senate on Oct. 27, is the Federal Cybersecurity Enhancement Act of 2015, which grants DHS the authority to implement technologies and processes to minimize cyber risks at federal civilian agencies (see Senate Passes Cybersecurity Info Sharing Bill).
"Had the powers of this bill been implemented already, they likely would have stopped the hack of the Office of Personnel Management," says Sen. Ron Johnson, R-Wis., a sponsor of the Federal Cybersecurity Enhancement Act (see Analysis: Why the OPM Breach is So Bad). "They will make it far more difficult for our adversaries to steal our private data and to penetrate government networks."
But is DHS up to the task of ensuring cybersecurity at other federal agencies? "If DHS is given both the resources to accomplish the task and an opportunity to perform without the administration or Congress changing direction 12 months from now, then I think they can succeed," says Robert Bigman, the former CISO at the CIA.
Sen. Tom Carper, D-Del., the Federal Cybersecurity Enhancement Act's cosponsor, says DHS is well-positioned to lead the government in cybersecurity. Helping to pave the way, he says, are last year's reforms to the Federal Information Security Management Act, the law that governs federal IT security, and the creation of DHS's National Cybersecurity and Communications Integration Center.
"Five, six years ago, the Department of Homeland Security was a 98-pound weakling; it is no weakling anymore," Carper said on the Senate floor during the CISA debate.
Bigman sees granting DHS additional authority over civilian agencies' IT security as a natural extension of the DHS's responsibilities. "Giving DHS primacy for intrusion assessment plans and incident management will hopefully lead to programmatic and technology consistency across the civilian sector of the government," he says. "It should also speed up the adoption of consistent standards for incident reporting and consistent protection of privacy-related information."
But granting DHS broader authority isn't universally supported within the IT security community. "Not all agencies are alike and therefore they cannot be governed as one," says Patricia Titus, a distinguished fellow at the Ponemon Institute and former CISO at DHS's Transportation Security Administration, Freddie Mac, Symantec and Unisys.
"DHS appears to have become the melting pot for everything that's too hard for executive leadership to figure out within the executive branch," Titus says. "Civilian agencies all have different missions and forcing them to be constrained by DHS oversight may create a larger issue then they already have. Perhaps a better route would be to rethink the organizational structure of the information security program and have [each agency's] CISO a peer to the CIO. ... If you want things fixed, empower the people that can fix the problem rather than pushing it all under one department."
Ironing Out Differences
Still, CISA has a long way to go before it becomes law.
Earlier this year, the House passed two bills to promote cyberthreat information sharing (see House OKs 2nd Cyberthreat Info-Sharing Bill). As a result, the Senate and House will form a conference committee to come up with legislative language for a new bill incorporating provisions in measures approved by both chambers, which would then be voted upon by Congress before it goes to President Obama for his signature. The conference committee has yet to be formed, and neither Senate nor House leaders have stated when such a panel will be assembled.
"We are hopeful the Senate and the House can work together expeditiously to send the best possible bill to the president's desk as soon as possible," White House spokesman Eric Schultz says.
One of the House-passed cyberthreat information sharing measures - National Cybersecurity Protection Act - contains language similar to the Federal Cybersecurity Enhancement Act, which is included in the Senate's CISA legislation.
Encryption, Authentication Requirements
The best-known element of CISA is a provision that gives liability protections to businesses that share cyber threat information with the government and each other.
But the bill's Federal Cybersecurity Enhancement Act provisions would require federal civilian agencies to encrypt sensitive and mission-critical data, employ single sign-on trusted identity platforms for public websites and implement multifactor authentication standards for remote access to agency systems. The legislation also would:
- Require DHS to include intrusion detection and mitigation tools as part of its initiative to identify systems anomalies at civilian agencies in its continuous monitoring initiative;
- Provide liability protections to private organizations hired to assist DHS in providing cybersecurity to civilian agencies;
- Direct DHS to collaborate with the Office of Management and Budget to update government information security metrics to include measures of intrusion and incident detection and response times;
- Require OMB to display agency metrics on federal government performance websites; and
- Authorize DHS to operate technology at civilian agencies to diagnose and mitigate against cyber threats and vulnerabilities.
Provisions of the Federal Cybersecurity Enhancement Act section of CISA would sunset seven years after its enactment, although the remainder of CISA's provisions would terminate in 10 years.
CISA also incorporates the Federal Cybersecurity Workforce Assessment Act of 2015, which would require all agencies to identify jobs within their organizations that require cybersecurity or related skills.
Each job would be assigned an employment code to be created by the National Institute of Standards and Technology. All agencies would be required to conduct baseline assessments using the employment codes to identify critical cybersecurity needs within their organizations and report those needs to Congress within two years.