By Tim Starks
Threats to federal computer networks have increased by 650 percent over five years, a figure from a recent report that leaders of the Senate Homeland Security and Governmental Affairs Committee seized on Monday as they renewed calls for passage of their cybersecurity bill.
Under a 2002 law called the Federal Information Security Management Act (FISMA), the Government Accountability Office provides periodic reports to Congress on how well federal departments and agencies defend their computer systems against hackers. The latest report found that all of the 24 agencies reviewed had weaknesses when it came to protecting their information. And security incidents at federal agencies, the GAO concluded, had risen from 5,503 reported in 2006 to 41,776 reported in 2010.
The increase “demonstrates that federal systems will remain prime targets for the foreseeable future,” Senate Homeland Security Chairman Joseph I. Lieberman, I-Conn., said in a news release.
Despite Lieberman’s making cybersecurity one of his top priorities before leaving the Senate next year — and despite active involvement from Majority Leader Harry Reid, D-Nev. — meaningful progress on related legislation has been hard to come by in the Senate. Multiple national security officials in the Obama administration have also cited cybersecurity as a legislative priority for the president.
FISMA Overhaul Measure
A wide-ranging cybersecurity bill (S 413) sponsored by Lieberman and cosponsored by top committee Republican Susan Collins of Maine and Thomas R. Carper, the Delaware Democrat who chairs the Federal Financial Management Subcommittee, would overhaul the 2002 FISMA law (PL 107-347). Among other provisions, it would require agencies to put in place more continuous, automated systems for monitoring threats and vulnerabilities rather than rely on annual checklist-style security criteria and periodic reviews. It also would give the Department of Homeland Security additional powers to oversee FISMA implementation.
“Legislation that I introduced with Sens. Lieberman and Collins earlier this year will help strengthen FISMA requirements and provide more tools to combat cyberattacks,” Carper said. “It is my hope that we can pass this much-needed cybersecurity legislation as soon as possible so we can improve our efforts to keep Americans’ valuable personal information — and our nation’s information infrastructure — secure.”
But Senate passage of cybersecurity legislation has been hampered by jurisdictional conflicts and other problems. Lieberman in June criticized Republican leaders for not participating in negotiations, a characterization rejected by the office of Minority Leader Mitch McConnell, R-Ky.
A source familiar with negotiations, however, said that any partisan disputes over negotiations have since been resolved. Now, it is primarily about coordinating the numerous committees with jurisdiction over cybersecurity, a list that includes Lieberman’s panel as well as the Armed Services, Foreign Affairs, Judiciary, and Commerce, Science and Transportation committees.
If a bill passes in the Senate, it could also be hard to reconcile with the strategy in the House, which has taken a more piecemeal approach to cybersecurity legislation.
The House Intelligence panel is set to hold a hearing Tuesday on the cyber threat, with a focus likely to be on “the advanced threats, state-based actors,” a panel staff member said. China is widely regarded as the country that is going after U.S. cyber networks most aggressively, although few are willing to publicly declare the nation as the biggest threat for fear of retaliation, according to the staff member.
The hearing will feature testimony from former CIA and National Security Agency director Michael V. Hayden, now a principal with the consulting firm The Chertoff Group; the executive chairman of RSA, a cybersecurity firm that recently suffered an attack; and Kevin Mandia, CEO and president of the computer security and forensic firm Mandiant Corp.