OPM Breaches' Impact on LegislationSizing Up the Senate's Late Summer Cybersecurity Agenda
Will the Office of Personnel Management breaches, which exposed the personal information of more than 22 million individuals, make it more or less likely that Congress will enact cyberthreat information sharing legislation?
We may find out next month. That's when Majority Leader Mitch McConnell says the Senate might consider the Cybersecurity Information Sharing Act of 2015, which the Senate Intelligence Committee approved earlier this year. "These cybersecurity issues are enormously significant," McConnell told Fox News.
CISA would promote the voluntary sharing of cyberthreat information between business and government and among businesses. The bill provides businesses with liability protection if they share cyberthreat information.
The OPM breach, believed to have been initiated by hackers with ties to the Chinese government, has lawmakers up in arms, and as citizens grow more concerned about their own cybersecurity, pressure could mount on Congress to act. The House has passed cyberthreat information sharing legislation in the past three Congresses, but similar bills have languished in the Senate (see House OKs 2nd Cyberthreat Info Sharing Bill).
The holdup in the upper chamber has been a number of senators who believe CISA doesn't provide sufficient privacy protection to businesses. "If information-sharing legislation does not include adequate privacy protections then that's not a cybersecurity bill - it's a surveillance bill by another name," says one of the Senate bill's most vocal opponents, Sen. Ron Wyden, D-Ore.
PII of 1 in 15 Americans Exposed
The OPM breach exposed the personal information of 1 in 15 Americans, and some critics of CISA contend enacting the legislation could put more U.S. citizens at risk at having their PII stolen.
"It's shocking that the Senate is considering a cybersecurity bill that would inevitably lead to government agencies collecting and storing even more sensitive information on still more Americans," Patrick Eddington, a civil liberties policy analyst at the think tank Cato Institute, and Sascha Meinrath, director of X-Lab, a tech policy think tank, write in an article published by the Christian Science Monitor. "If the bill is passed, it means that any future data breach could be far more catastrophic as many more Americans' data could be compromised."
But industry is pressuring the Senate to act. The leader of the trade group Information Technology Industry Council, on July 23, wrote to McConnell and Minority Leader Harry Reid, D-Nev., calling for quick action on CISA. "Passing legislation to help increase voluntary cybersecurity threat information sharing between the private sector and the federal government, and within the private sector, is an important step Congress can take to enable all stakeholders to address threats, stem losses and shield their systems, partners and customers," Council President Dean Garfield wrote.
CISA has bipartisan support - one of its chief backers is Sen. Dianne Feinstein, D-Calif., who's the ranking member of the Senate Intelligence Committee. Still, a number of senators, primarily Democrats, contend the bill doesn't do enough to prevent the potential sharing of individuals' information with intelligence agencies, a contention the bill's backers reject. But it's not clear whether CISA opponents could muster the 41 votes needed to sustain a filibuster.
The cyberthreat information sharing bill isn't the only cybersecurity-related legislation getting attention this summer.
A bipartisan group on of senators introduced on July 23 legislation known as the Federal Information Security Management Reform Act of 2015 that would bolster the Department of Homeland Security's role in ensuring the security of executive department agencies, the so-called .gov domain. "There is currently a disconnect in our federal cybersecurity system when it comes to the responsibility, capability and authority to protect federal agency networks, resulting in serious security vulnerabilities," says Sen. Kelly Ayotte, R-N.H., one of the bill's co-sponsors.
The FISMA Reform Act, if enacted, would:
- Allow the Homeland Security secretary to operate intrusion detection and prevention capabilities on all federal agencies on the .gov domain;
- Direct the DHS secretary to conduct risk assessments of any network within the government domain;
- Permit the DHS secretary to operate defensive countermeasures on these networks once a cyber-threat has been detected;
- Strengthen and streamline the authority Congress gave to DHS last year to issue binding operational directives to federal agencies, especially to respond to substantial cybersecurity threats in emergency circumstances; and
- Require the Office of Management and Budget to report to Congress annually on the extent to which OMB has exercised its existing authority to enforce government wide cybersecurity standards.
"This (OPM) attack was a stark reminder that our adversaries are increasingly turning to the cyber realm, and we must make certain that the Department of Homeland Security is empowered to deploy effective tools in the .gov domain to ensure that government agencies are properly protected," says the bill's co-sponsor, Sen. Susan Collins, R-Maine.
Requiring Agencies to Use Einstein
Another bill to require all civilian government agencies to employ the Einstein intrusion prevention system could be introduced within a week by the leaders of the Senate Homeland Security and Governmental Affairs Committee, Chairman Ron Johnson, R-Wis., and Ranking Member Tom Carper, D-Del., according to several published reports.
The administration has sought legislation that would clarify that departments and agencies can disclose their network traffic to DHS for narrowly tailored purposes to protect agency networks using Einstein. "Some agencies have questioned how deployment of Einstein under DHS authority relates to their existing statutory restrictions on the use and disclosure of agency data," DHS Assistant Secretary Andy Ozment told the House Oversight and Government Reform Committee in June.
At that hearing, Ozment explained that the Einstein 1 and 2 detection systems, which only can detect known signatures, were in place during the OPM breach, but did not detect the cyberattack. After discovering the breach, Ozment said DHS developed a signature for that particular threat, and used Einstein 2 to look back in time for other compromises across the federal civilian government. He said that DHS loaded the same threat information into the more advanced Einstein 3 Advanced intrusion protection system to block potential threats using the same signature from damaging federal networks.