Sen. Carper: Federal Infosec Efficiencies Needed
Chair of Senate Panel Seeks to End Wasteful IT Security Spending
Carper says laws such as the Federal Information Security Management Act must be changed to stop wasteful spending on programs that do not truly secure government IT. And the chairman of the Senate Homeland Security and Governmental Affairs Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security also says the government should require agencies to buy only IT products preconfigured for security.
"There are things we can do to save some money. And, the last one is to make sure that we're not wasting a billion-and-a-half dollars a year on paperwork exercises that pretend to reflect improvements in our cybersecurity, when they do nothing of the sort," Carper says in an interview with GovInfoSecurity.com (transcript below), a reference to the check-box compliance process required under FISMA. "At the end of the day, we're going to have to spend money on this, real money on this, but we have to make sure that we're spending in a way that makes sense."
On Tuesday, Carper's subcommittee heard from Federal CIO Vivek Kundra and others on White House efforts to appropriate money on information technology more wisely.
Carper says another way to smartly spend money is for the government to require agencies to only acquire information technology preconfigured to be secured. "We would be foolish not to look to use our purchasing power to leverage greater protection built into our technology," he says.
Because of the federal government's purchasing power, some in the high-tech industry argue that a requirement for federal agencies to buy only IT wares preconfigured to be secured will establish a de facto industry standard that could drive up product costs for everyone, a point Carper discounts. "To do otherwise would be foolish, and we've heard from a lot of folks that are not necessarily representatives of the industry, but people who are very well informed about cybersecurity and how to protect our interest, our sensitive materials, who say, 'You know, if you're going to do anything, do this.'"
Much of what Carper advocates can be found in the Cybersecurity and Internet Freedom Act of 2011, a bill he's sponsoring with Sens. Joseph Lieberman, ID-Conn., and Susan Collins, R-Maine, the chairman and ranking minority member of the Senate Homeland Security and Government Affairs Committee (see Senate Bill Eyes Cybersecurity Reform). "My hope is that it will be reported out of committee this spring and before the Senate this summer or maybe this fall," Carper says.
Key elements of the Cybersecurity and Internet Freedom Act would likely be combined with other cybersecurity bills, Carper says. "We need to develop a consensus bill," he says. "Other committees have jurisdiction over these issues. One of the toughest things in getting things done sometimes in the Congress is that you've got three or four or five committees that have jurisdiction, working out all of their differences and having the ability to go forward."
Carper, in the interview with GovInfoSecurity.com's Eric Chabrow, also addresses:
- The impact of the 111th Congress' failure to enact cybersecurity legislation on the security of government IT.
- Differing approaches to IT security legislation in the Senate and House, where some leading lawmakers would rather enact more narrowly targeted bills.
- Whether IT security legislation should be exempt from budget cuts to reduce the federal deficit.
Carper, Delaware's senior senator, chairs the Senate Homeland Security and Governmental Affairs Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security.
A Slow Process
ERIC CHABROW: For the past three years in Congress, you've been one of the primary advocates for IT security reform, yet Congress hasn't passed comprehensive IT security legislation in years. Are the government's and nation's critical IT systems more at risk today because of Congress's failure to enact comprehensive cybersecurity legislation?
SEN. TOM CARPER: Even though some of our legislation has not been enacted, the administration has moved through executive action to incorporate some of the changes that we think are needed. We need legislation. Some of what needs to be done has at least begun by administrative action through the executive branch.
CHABROW: And this would be things such as moving toward continuous monitoring for FISMA (Federal Information Security Management Act) compliance?
CARPER: Yeah, I like to use the example: Say you have some especially valuable horses that we put in a corral. The way we've worked in our IT security for too long, we basically check the corral for holes, like once a year, and meanwhile then once a year we find where the bad guys are trying to get in to steal our valuable possession, our horses. We fix that hole and then a year later we come back and do it all over again.
Well, rather than having a camera taking a photograph once a year, we need a video camera that is going 24x7, monitoring the entire perimeter of the corral, and that would be prepared to go to work 24x7 to fix the holes. Our legislation would essentially mandate moving to that kind of approach. Some of the agencies have begun doing so on their own. Among them, I think the Army has done a pretty good job. I think the State Department has done a good job. I think NASA has done a good job, and that is without the legislation. We should point to them as an example to the other agencies of what they can be doing and what they ought to be doing.
CHABROW: What's happening with your bill, the Cybersecurity Internet Freedom Act?
CARPER: It slowed down in the last Congress. There was concern, especially as you saw what was going on early this year in Egypt and other countries where they tried to shut down the Internet in order to quell uprisings and demonstrations and efforts to change the government. There is a concern that there is an Internet kill switch that would be available to our president and future presidents to take away the use of the Internet in times of civil uprising. That is not what we are about at all. We try to make clear in the revised, reintroduced version of the bill that there is no Internet kill switch here. The president and the director of the national security for cybersecurity, or any other officer for that matter or employee of the U.S., doesn't have the authority to shut down the Internet. We make it really clear. Our legislation even takes the extra step to provide an opportunity for judicial review of designations of some of the more sensitive systems and assets as covered critical infrastructure.
The legislation had a fair amount of support. We worked in the last Congress with Sens. Jay Rockefeller and Olympia Snowe to come up with a bipartisan, almost consensus bill in the Senate. It got side-tracked in the congressional back and forth last fall; there were just too many other things to get done right after the election, so we didn't get it done. This year we got side-tracked because of the concerns about the Internet kill switch, so we fixed that and addressed that to make it clear that's not the case. I think we're back on track, and my hope is that we'll be able to move the legislation out of committee fairly soon, and then be in a position to go to the floor maybe by, I don't know if it is going to be summer, but I hope by summer. My hope is that it will be reported out of committee this spring and before the Senate this summer or maybe as late as this fall.
We need to develop a consensus bill among the committees that have jurisdiction, or share jurisdiction, over these issues. One of the toughest things in getting things done sometimes in the Congress is you've got three or four or five committees with jurisdiction, working out all the differences and having the ability to go forward, and for those who have a different view on a different committee, they have an opportunity to offer amendments when the base bill comes to the floor, and hopefully we can do that by summer, maybe fall, but hopefully sooner.
Senate Vs. House: Differing Approaches
CHABROW: Your bill is somewhat comprehensive. There are some in the House saying that they would rather see more targeted IT security legislation. Will that present a problem getting the necessary IT security enacted by the 112th Congress?
CARPER: I think we're going to just do one day at a time. Our first challenge was to address the concerns raised by those who said it was a kill switch bill; we've done that. Our second challenge is to get the bill through the (Senate) Committee on Homeland Security and Governmental Affairs, and I think we are poised to do that. Then, our third challenge would be to come up with hopefully a consensus bill among the different competing committees or competing jurisdictions, and get the legislation through the Senate. Right now that is what I am focused on, and I think we have some back-channel dialogue going on with the folks who also share an interest in these issues. At the end of the day, we'll see if we can't find common ground.
If we develop a bill with strong bipartisan support, and it passes the Senate overwhelmingly or maybe even by unanimous consent with no negative look, that sends a very strong message that at least the Senate is interested in the comprehensive approach, not a piecemeal approach, but we need to take a broad view.
CHABROW: Are there any issues you can see holding up possible enactment of this bill?
CARPER: Oh gosh, well one of the issues that came up was that Internet kill switch that stopped the Senate in its tracks early this year. We've addressed that, and my hope and expectation is that people will look at what we've done and say, "Well, that's pretty clear that they're not going to allow the president or anybody who works for the president to have an Internet kill switch here." So, there may be other things that pop up, nothing comes to mind at this time, but I'm sure there will be some bumps along the way.
CHABROW: There are some reservations by industry about establishing some kind of process to make sure that the products that are acquired by the government are secure?
CARPER: About the products that are acquired?
CARPER: No, I like to use the analogy of a car. We used to have a lot more people dying actually in cars, trucks and vans years ago. Although we drive more miles than ever, the traffic fatalities don't continue to climb. In fact, I think they actually go down. What we've done is we've learned to build the safety features into our cars, trucks and vans. We need to do the same sort of thing when we are buying technology: build in as much protection against hackers as we can. People have a concern about that, God bless them, but this is one of those deals where I think it is common sense. If you buy the protection going in, we've had plenty of witnesses that have come before us, people a lot smarter on this stuff than I am, who say if you do nothing else, buy technology where you have built-in protection against a lot of hackers that are coming after this stuff from other countries and from criminal groups and from young people out for a lark.
CHABROW: But you don't see the potential of this bill being killed because of some objections that the industry has that the government will be establishing a standard that, even though it is for government, would go into the whole marketplace?
CARPER: I think we would be foolish not to look to use our purchasing power to leverage greater protection built into our technology. To do otherwise would be foolish, and we've heard from a lot of folks that are not necessarily representatives of the industry, but people who are very well informed about cybersecurity and how to protect our interest, our sensitive materials, who say, "You know, if you're going to do anything do this."
IT Security Spending Rising
CHABROW: The Federal Information Security Act requires OMB to report annually to Congress on government IT security. In its fiscal 2009 report, it pegged IT security spending at $6.8 billion. In its fiscal year 2010 report, it said it cost about $12 billion. The reports were presented in such a way that it may not be an apples-to-apples comparison, yet it seems government spending on cybersecurity is increasing dramatically. As Congress looks to cut the federal deficit, should the government continue to increase spending on IT security, or should it freeze spending at current levels, or perhaps should it reduce the amount it spends on IT security?
CARPER: I'm trying to lead an effort in the Senate that helps us to focus on every nook and cranny in the federal government to see if we can get better results for less money, or better results for not using a whole lot more money. I'm convinced we can get better results if we move away from what I call these paperwork exercises, where we pretend like we are evaluating the effectiveness of our security, but it is just really paperwork. We waste about, I don't know, $1 billion or $2 billion a year on the paperwork, which frankly doesn't reflect that our cybersecurity protection is any better. That is a good place to start, and my hope is that our legislation here and some other stuff that we're doing will help in that regard.
The other thing is again, if we are smart, we'll use our purchasing power to leverage better protection up front, and if we're smart, we'll make sure that all of our agencies are doing better, like what NASA, the Department of the Army and the Department of State are doing in terms of 24x7 protection with a video camera, as opposed to taking a photograph once a year.
One of the things I think we do very effectively with the Nuclear Regulatory Commission: they don't just do paperwork exercises to make sure that the 104 nuclear power plants in this country are safer than they used to be; they do force-on-force exercises. They'll get bad guys who really are good guys to play the role of a bad guy and really try, force-on-force, to force their way into nuclear power plants and take them over. That is not a paperwork exercise. That is the real deal. We need to take that kind of approach, where we're not doing paperwork exercises to test the strength of our cybersecurity protection, but we actually do the real deal.
Then the last thing I would say, Eric, is that China is actually quite good at recruiting and training young people who are aspiring hackers, and they put them together in schools and camps and train them to be really good at this stuff. We're beginning to do that; we began doing that in this country a year or two ago. We're doing it, especially in Delaware, and there are a lot of jobs, there are a lot of job opportunities for the young people, and not so young people, who have the professional skills to better protect sensitive materials. We need people with these skills, and up until now we've not been producing them in our country. We're beginning to do that, and that is another important thing as part of our legislation.
CHABROW: Let me just go back to the spending point. Yes, there could be a lot saved, as you pointed out, maybe billions of dollars, in eliminating paperwork. However, I guess there is a sense that there is a need to invest more into IT security, just like we have to invest in defense to protect important infrastructure. Is there something about IT security where even some of the core programs should not be touched and we have to spend on it?
CARPER: I'm sure there are some elements of cybersecurity that are essential, but I'm convinced that in almost every federal program that we run, there are some things that we are doing that frankly aren't very smart. It is not very smart for us to monitor for breaches into our systems on an annual basis, or even a monthly basis, or a weekly basis. We need to do it 24x7. That will actually get the job done. We need to make sure that we leverage our purchasing power by buying technology with protections already built in. That will save money, and in fact, it will make us more secure, and we need to provide job opportunities for millions of people who can't find work. We need to keep in mind that there is a crying need for folks who have the skills that will enable them to go to work protecting our sensitive materials, whether it is in the public sector or the private sector.
There are things we can do to save some money. And, the last one is to make sure that we're not wasting a billion-and-a-half dollars a year on paperwork exercises that pretend to reflect improvements in our cybersecurity, when they do nothing of the sort. There are some things we can do. At the end of the day, we're going to have to spend money on this, real money on this, but we have to make sure that we're spending in a way that makes sense.