Export Compliance Daily is a Warren News publication.
Carper Urges FISMA Revamp

Senate Homeland Security Committee Republicans Fault Federal Agencies’ Cybersecurity Readiness

Federal agencies remain underprepared to defend their own information systems against most cyberthreats, said Republicans on the Senate Homeland Security Committee Tuesday. Committee Republicans, led by ranking member Tom Coburn, R-Okla., released a report outlining “real lapses by the federal government” on internal cybersecurity, even as the government has taken on a larger role in protecting the cybersecurity of critical infrastructure components. Cybersecurity experts told us that federal agencies need to improve their own cybersecurity, but said the report doesn’t give a complete picture of the situation, and risks politicizing the cybersecurity issue.


The report, based in part on more than 40 previous reports by the GAO and agencies’ inspectors general, said government systems experienced more than 48,000 reported cyber “incidents” during 2012. The number may actually be higher because agencies may only be able to detect and report four in 10 such incidents to the Department of Homeland Security (DHS), said the report and the White House Office of Management and Budget (OMB) (http://1.usa.gov/Mrxvsr).

The report was particularly critical of DHS and what the report called its internal cybersecurity failures, which the authors believe are concerning because the department leads coordination of government cybersecurity and is in charge of implementing much of President Barack Obama’s 2013 cybersecurity executive order. Cybersecurity vulnerabilities pervade DHS despite steady improvements, with the department continuing to lag behind other agencies in key areas, the report said. DHS failed to meet OMB’s goal for routing agencies’ traffic through trusted Internet connections (TICs) and was not adequately securing its own networks and facilities, the report said. Many of the report’s DHS findings came from a DHS inspector general’s report released in November (CD Nov 5 p7).

DHS “has taken significant measures to improve and strengthen our capabilities to address the cyber risks associated with our critical information networks and systems, while continuing to interact with all Federal entities regarding cybersecurity by making readily available its portfolio of capabilities and services,” a department spokesman said.

The report also faulted cybersecurity readiness at the FCC and seven other agencies. The report highlighted the February 2013 hacking of the emergency alert system as an example of a recent cyber incident. Hackers were able to infiltrate the EAS and got broadcasters in Michigan, Montana and North Dakota to broadcast “zombie attack” warnings that said “civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living” (CD Feb 14/13 p8). The report says the FCC operates EAS, which the report refers to by the name of its predecessor, the emergency broadcast system. EBS ceased operations in January 1997. The FCC has some rulemaking authority for the EAS system, but the Federal Emergency Management Agency actually operates the system.

The report’s conclusion that “for the Federal government to protect private systems it should first protect its own is flawed logic,” said James Lewis, director of the Center for Strategic and International Studies’ Technology and Public Policy program by email. “If we keep saying the same stuff over and over again on cybersecurity, we'll never get anywhere.” Lewis also faulted the report for not discussing private sector vulnerabilities. “All the networks are terrible,” he said.

The report is correct that federal agencies need to improve, but it also risks politicizing the issue in an unhelpful way, said Allan Friedman, a visiting scholar at George Washington University’s Cyber Security Policy Research Institute. “Rather than saying ‘how do we improve public sector security?’ it focused on making a political point of it, when in fact the challenges faced by the public sector are quite unique.”

True improvements in federal cybersecurity will likely only come if Congress revamps the Federal Information Security Management Act and better determines effective incentives for public sector adoption of cybersecurity measures, Friedman said. “It’s no secret that FISMA has not led to complete security for public sector information systems,” he said. “The compliance model has been getting better, but certainly no one would look at FISMA as the optimal pathway to security. You have to spend a lot of time and resources on aspects that are no longer very valid for information security, nor do some initiatives get credit for FISMA compliance.” The Senate Homeland Security Republican staff report notes that FISMA “could benefit from reforms of its own. But more importantly, its history can hold clues to the federal government’s ability to effectively mandate and enforce cybersecurity standards.”

Many see a FISMA revamp as “low-hanging fruit,” but it has not been a major factor in Congress’ legislative efforts on cybersecurity during the 113th Congress, Friedman said. “Part of the challenge is that Congress has been looking at this from a high-impact, omnibus cybersecurity bill approach, which has meant they’ve avoided attacking some of these low-hanging fruits,” he said. “FISMA reform has been identified as a key need for five years now and there’ve been numerous bills, but no one’s ever moved forward on them because leadership on both sides has been pushing for a more grand and final cybersecurity gesture.”

Senate Homeland Security’s Democrat members are still reviewing the report, but a committee spokeswoman said in an email that committee Chairman Tom Carper, D-Del., believes “it is critical that Congress do its job” and update FISMA. “This law hasn’t been updated by Congress in over ten years. That’s unacceptable and something Chairman Carper’s been working to fix for years,” she said. “Ranking Member Coburn and Chairman Carper have spent much of the past year trying to find areas where they can work together on bipartisan legislation to enhance our nation’s cybersecurity efforts. He remains hopeful that they will soon come to agreement on bipartisan legislation to enhance our nation’s cyber security.”