As Congress gets ready to leave Washington once again without enacting significant cybersecurity reform, the top cybersecurity policymaker at the Department of Homeland Security voices her concern about the lack of progress.
Why is Phyllis Schneck concerned? Look back to last April, when reports of the Heartbleed bug that exposes a flaw in OpenSSL first surfaced (see Heartbleed: Gov. Agencies Respond).
Schneck, DHS deputy undersecretary for cybersecurity, said this week in an interview with the Lawfare blog that DHS was delayed up to 10 days in helping other federal agencies mitigate the threat posed by the Heartbleed vulnerability last spring. That's because current federal law is muddled on DHS's responsibility - or right - to intercede in safeguarding other federal civilian agencies information systems when vulnerabilities such as Heartbleed arise.
Exhausting Valuable Time
Schneck contends a patchwork of existing laws gives DHS the authority to mitigate threats facing other agencies' information systems by, for example, scanning for vulnerabilities. But before DHS could help, lawyers did their job, which exhausted valuable time that hackers might have exploited.
"To their credit, the lawyers were looking at the legal ways that we'd be getting on the network," Scheck says in the interview. "We lost a lot of time" - seven to 10 days - "and gave the bad guys an advantage with that. So, we're looking to mitigate that [moving] forward."
Despite the delays in addressing Heartbleed, another DHS official this week said the lag did not "enable the bad guys to exploit federal government systems."
Schneck raised similar concerns last spring at a Senate hearing: "As fast as we could, we went door-to-door and got a letter of authorization from each agency, working with each lawyer, to make sure that we can scan [their systems]. That cost us precious ... days in some cases because the whole world knew about this vulnerability and all the information they could capture, while we were lawyering. If we had the clarification in law that this was our role, we would have gotten started a lot faster."
That clarification appears in the Federal Information Security Amendments Act of 2014, the Senate version of legislation updating the Federal Information Security Management Act, the law that governs federal government information security. But that authority is not found in the House version of FISMA reform, which passed that chamber unanimously last year (see FISMA Reform Passes House on 416-0 Vote). And therein lies the problem of getting FISMA reform enacted.
Some lawmakers, mostly Republicans, object to granting DHS additional authorities. They just don't trust DHS and don't think it's up to the task overseeing civilian agency IT security. The House version of FISMA reform does not provide the additional role of DHS securing other agencies' IT.
No Vote Scheduled
In June, the Senate Homeland Security and Governmental Affairs Committee approved the Federal Information Security Modernization Act of 2014, which grants DHS authority to help civilian agencies mitigate digital vulnerabilities (see FISMA Reform Heads to Senate Floor). That measure has yet to be scheduled for a vote by the full Senate as senators try to work out disagreements they have about the legislation.
Schneck, though, feels progress is being made. "We continue working with the Senate on these information security bills," she says. "I think a lot of good progress has been made."
Perhaps. FISMA reform might get a Senate vote, if not in the waning days of the pre-election session that wraps up at week's end, then during the lame-duck session that follows the midterm vote in November.
Seeking a Compromise
If the Senate passes FISMA reform, there's no guarantee it would become law. Unless either house accepts the other chamber's version of the measure word-for-word, then House and Senate conferees must draft a compromise bill both houses must approve. That could be a challenge. Would DHS antagonists accept an elevated role for DHS? If they don't, would supporters of the Senate bill concede DHS's promotion to federal agencies' cybersecurity guardian?
Still, with relatively few legislative days left in the current Congress calendar, the clock might run out even if a compromise on FISMA reform can be reached.