Carper, Johnson Introduce Bill to Strengthen Federal Agencies’ Cyber Defenses

Bill would address recent government data breaches by requiring agencies to implement best practices and accelerating deployment of the federal intrusion detection and prevention system.

WASHINGTON — Senate Homeland Security and Governmental Affairs Committee Ranking Member Tom Carper (D-Del.) and Chairman Ron Johnson (R-Wis.) on Monday introduced a bill to give federal agencies stronger tools to protect their critical networks and Americans’ sensitive information. The Federal Cybersecurity Enhancement Act of 2015 would require that all federal agencies implement stronger protections and state-of-the-art technologies to defend against cyberattacks, and it would address shortcomings in deployment and adoption of the Department of Homeland Security’s federal cybersecurity program known as EINSTEIN.

Over the last several years, sensitive information on tens of millions of Americans has been stolen by malicious actors in cyberspace as a result of federal agencies’ failure to secure some of their most sensitive data. As the committee has learned in recent hearings, strong information security policies, such as multifactor authentication and encryption, could have prevented or slowed several recent cyber breaches at federal agencies, including the loss of sensitive data for more than 21.5 million individuals at the Office of Personnel Management. Similar protections could have also helped prevent the cyber theft of tax returns for more than 100,000 Americans at the Internal Revenue Service. The Federal Cybersecurity Enhancement Act of 2015 would mandate the deployment of cybersecurity best practices at agencies — measures such as intrusion assessments, strong authentication, encryption of sensitive data and appropriate access controls.

The bill would also authorize EINSTEIN, an intrusion detection and prevention system intended to screen federal agencies’ Internet traffic for potential cyber threats. Despite being 10 years in the making, the capability is not available to all agencies, and more than half of federal agencies have yet to deploy the full EINSTEIN system. Currently only 45 percent of federal agencies are using the program’s intrusion prevention capabilities. This bill would dramatically accelerate deployment and adoption of EINSTEIN, and it includes reporting requirements to increase program accountability.

The senators made these remarks upon the bill’s introduction:

Sen. Carper: “We know that with each passing day, and for the foreseeable future, our federal agencies will continue to come under a cascade of attacks in cyber space, as will our businesses and critical infrastructure. Congress needs to make bolstering our cyber defenses – and staying ahead of this evolving threat – a top priority. Making sure our federal agencies have access to the best technology is a critical part of that effort. At the same time, agencies must be constantly assessing and increasing their internal cyber defenses to be as strong as possible. EINSTEIN is a valuable tool that can help agencies detect and block cyber threats before they can cause too much harm. I look forward to working with Chairman Johnson and our colleagues on this bipartisan legislation so that we can ensure every agency is equipped with the ever-improving capabilities needed to fend off cyber attacks in the future.”

Sen. Johnson: “The U.S. government’s computer networks are under attack. Hacktivists, organized crime syndicates and nation-states have successfully launched electronic assaults against vulnerable government networks, some of which house millions of Americans’ personal and private information. To protect their privacy against our adversaries, Senator Carper and I are introducing the Federal Cybersecurity Enhancement Act, which will accelerate deployment of a federal intrusion detection and prevention system that will improve the government’s cyber defense capabilities. It also will require agencies to adopt best practices in cybersecurity. Had the powers of this bill been implemented already, they likely would have stopped the hack of the Office of Personnel Management. They will make it far more difficult for our adversaries to steal our private data and to penetrate government networks.”

Specifically, the Federal Cybersecurity Enhancement Act of 2015 would:

• Mandate better cybersecurity practices across government to ensure a defense-in-depth approach, including intrusion assessments, two-factor authentication and encryption for sensitive systems.

• Accelerate the adoption of EINSTEIN across the government by clarifying the Department of Homeland Security’s legal authority to deploy it and by mandating adoption by agencies.

• Advance the system’s capabilities by requiring that it include the most advanced cyber technologies, including leading commercial tools, and that it evolve to better protect agencies as threats evolve.

• Mandate strong privacy protections with the EINSTEIN program and data.

• Increase transparency and accountability by requiring annual status reports.

The Department of Homeland Security is the federal agency charged with coordinating the implementation of federal network security and providing government-wide situational awareness of dangerous activity online. However, ambiguities in the law have made it difficult for the department to deploy EINSTEIN quickly across the federal government. The Federal Cybersecurity Enhancement Act of 2015 would provide explicit statutory authority for the system and require agency adoption within one year of enactment.