The draft version of the comprehensive cybersecurity bill could give the Homeland Security Department the ability to take “any lawful action” against contractors if their systems are under attack.
Bob Dix, a former staff director for the House Oversight and Government Reform Committee and now vice president of government affairs and critical infrastructure protection for Juniper Networks, said that could mean taking over a vendor’s system that contains federal data.
“There’s some concern about what would be the criteria about that and how it would be the government has the ability under a provision of lawful action to take over a system used by an agency even if it’s owned by a contractor,” Dix said. “I am worried about the notion that suggests the government would have the authority under law to be able to take over systems of contractors if they view them as having vulnerabilities even if only a small percentage of that is government utilization.”
The provision Dix is talking about is in Section 3553 of the bill’s Federal Information Security Management Act (FISMA) Reform section.
The draft bill, obtained by Federal News Radio, would give the secretary of DHS the ability to “direct officials of agencies that own, operate, lease or otherwise control an information system, including information systems used or operated by another entity, including contractors, on behalf of a federal agency, to take any lawful action with respect to the operation of such information system for the purpose of protecting that information system from or mitigating a cybersecurity threat.”
Dix said FISMA needs to be updated and several of the changes in the draft bill are good, but this provision goes too far.
Not everyone reads the provision the same way as Dix.
James Lewis, the director of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS), said Dix’s interpretation is a bit extreme. “I think it’s more they could direct the contractors to take action,” he said. “I see this more as an ability to direct action than actually assuming control.”
He said bills such as this one must include broad language to be implemented successfully.
“You either can try and define prescriptively every single example and those tend to be unworkable, or you have to settle for phrases such as any lawful action,” Lewis said. “That doesn’t bother me as much. Over time should that authority ever be exercised, they would figure out what that meant. But I think it’s the kind of language that actually points to not taking control of contractor systems. I’m still not sure that would be lawful.”
He added the language also fits in with the larger effort to reinforce DHS’ authorities under FISMA. The Obama administration gave DHS more authority and responsibility under FISMA in July 2010.
The Senate promised to take up the comprehensive cyber bill early on in the 2012 session. The House has not publicly committed to take up a comprehensive bill.
Senate lawmakers have been trying to update FISMA for the last three years.
Sen. Tom Carper (D-Del.) introduced a bill to update the 2002 law in 2008 and held out hope each successive year, but couldn’t get enough traction. Rep. Diane Watson (D-Calif.) introduced a version of the FISMA update in 2010, but again, it got nowhere.
Watson also tried to add a FISMA update to the 2010 Defense Authorization bill. But the provisions were not included in the final law.
Similar to other FISMA reform efforts
The FISMA reform in the latest bill looks similar to other efforts, Lewis said.
It codifies the oversight authority for DHS to issue policies, set standards and training requirements, conduct risk assessments and receive reports on agency compliance.
The reform bill also would update agency and chief information officer responsibilities, including ensuring cybersecurity is integrated with agency strategic and operational planning processes and developing and maintaining a risk management strategy.
Alan Paller, the director of research at the SANS Institute, has been an outspoken critic of the paperwork part of FISMA. He said the continuous monitoring language is most important in the reform bill. “I think the key is the report language. There needs to be two or three examples in the report language that comes out with the bill so there is no question,” Paller said. “The key people in this whole thing are the inspectors general. If they misinterpret it so the security people think they are supposed to do one thing and the inspectors general think they are supposed to write reports, which has been happening for the last 10 years, then you will get a lot of wasted reports. The key is the inspectors general understand exactly what was meant for continuous monitoring, meaning automated, online monitoring of every device on the network. If that is in the report language, that is good enough.”
While the provision that could give DHS the ability to take over contractor systems is one controversial piece, it’s what’s in the section about critical infrastructure that could stop the bill in its tracks.
Juniper’s Dix said his and others’ concerns over the critical infrastructure section stem from the government getting too much oversight authority in specific areas. He said one provision would create additional regulatory regimes but not target the real cyber issues, which are the control systems of critical infrastructure providers.
The other area concerns assessing the risk management of critical infrastructure vendors.
“I don’t think that is the role of the government,” Dix said. “I don’t think it’s proper for the government to tell me and my company how best to manage the risk on behalf of my customers, my internal organization and my shareholders. I believe we do a pretty good job of that, and I think most people across the community do a pretty good job of that at this point in time.”
Dix said there absolutely is room for improvement and places industry can improve upon, but it must come through a collaborative process. He pointed to the current effort with DHS through the Critical Infrastructure Coordinating Councils.
Dix said lawmakers in the House seem to understand this approach, but the Senate isn’t getting it as quickly.
Critical infrastructure in most need of cyber help
CSIS’ Lewis said if the critical infrastructure section of the bill doesn’t pass, the rest of the bill isn’t worth much because this is the one area that needs the most attention.
Lewis said the bill does call for a collaborative process but there needs to be a way for DHS to make sure the standards are being met.
“The problem with voluntary, it doesn’t work. We don’t have to prove that anymore,” Lewis said. “And when anyone says we can rely on a voluntary approach, you may want to smell their breath. That is the crux of the matter. Can we create standards and hold companies to them? We have to recognize this has to be a very light touch, it has to be collaborative and it has to differ from sector to sector. That is the crucial point for me.”
Along with FISMA and critical infrastructure, the bill includes two other sections, codifying DHS operational and oversight authorities and creating an Office of National Cyberspace Policy with a Senate-confirmed director.
“There is a real desire to do something in both parties,” Lewis said. “They want to show this is not a do-nothing Congress and this is an important bill and if they can pass it, it would be an achievement that they would be proud of. The other thing I’ve heard is there is a real push from opponents of the bill to neutralize it and to pass the easy parts and leave out anything meaningful and come back at some point in the future. The odds are good we will get something, but whether it is something useful it remains to be seen.”