Good morning! Today we launch a new–and presumably temporary–feature on FedLine: A regular (as events warrant) rundown of all the noteworthy shutdown-related news that we can find.
Given what happened over the weekend, we’re playing catch-up today. As always, would appreciate your help in keeping federal employees informed on what’s happening across government. You can email tips at any time to firstname.lastname@example.org. Feel free to offer suggestions on how to make this feature useful. We’ll start by calling it “Shutdown Watch,” but are definitely open to something more original.
So, we start Day 7 of the partial shutdown with what is probably old news to most readers, but for the record, there were two major developments Saturday. That morning, the House of Representatives voted 407-0 to ensure furloughed feds get back pay once the partial shutdown ends. The bill is now with the Senate, which could vote to send it to President Obama early this week.
Then, that afternoon, the Defense Department, citing newly granted authority under the Pay Our Military Act, announced that it is recalling most of the approximately 350,000 civilian employees who had been furloughed without pay. For anyone who hasn’t seen it, here’s the official memo from Defense Secretary Chuck Hagel, along with the transcript of a call that DoD Comptroller Robert Hale held with reporters that provides a lot of useful detail. At least some civilian employees who work for the Coast Guard (a part of the Department of Homeland Security that’s nonetheless considered part of the armed forces) could also be going back to work.
On the heels of that step, United Technologies Corp. announced the cancellation of plans to furlough almost 2,000 aerospace workers. The reason, according to the Connecticut-based contractor: DoD is recalling Defense Contract Management Agency inspectors needed to oversee the manufacturing process. But Lockheed Martin is sending home some 2,400 workers (although that’s fewer than the 3,000 initially forecast), and BAE Systems has “excused from work” about 1,000 employees with the company’s intelligence and security division.
In other news, the Federal Aviation Administration is asking creditors to extend “flexibility” to some 45,000 FAA employees who may not be collecting paychecks for a while. And we couldn’t let the occasion pass without posting this much-circulated coded plea from some National Weather Service forecasters in Alaska. As your mother probably told you, it never hurts to use humor to make a point.
At least one federal conference is being postponed this week because of a potential government shutdown.
The National Institute of Standards and Technology is postponing its Cloud Computing and Mobility Forum this week “because we could not guarantee NIST’s facility would be open on the first day of the meeting, Oct. 1,” according to an agency spokeswoman. “The meeting has not been rescheduled.”
More than 500 people had registered for the conference, including about 130 federal employees. Many federal employees would be forced to stay home without pay if Congress doesn’t strike a budget deal by midnight.
Just at DoD, some 400,000 employees — or about half of the civilian workforce — will be sent home on unpaid furloughs if a partial shutdown begins Tuesday, Comptroller Robert Hale said late last week. During a Sept. 27 news briefing, Hale said a shutdown would halt travel and training plans for activities not deemed excepted.
“As of today, no other conferences have been postponed,” according to NIST. “Some scheduled conferences could be affected by a shutdown, depending on the duration of the shutdown and how much lead time each conference requires.”
House lawmakers will consider a bill Wednesday that would allow companies and federal agencies to voluntarily share and receive cyber threat information with each other.
The Cyber Information Sharing and Protection Act (CISPA) passed the House Permanent Select Committee on Intelligence April 10 and will be introduced on the House floor Wednesday. A vote is expected by Thursday.
An earlier version of the bill passed the House last April but lacked additional privacy controls included in the revised bill. Still, that has not satisfied the White House and civil liberties groups who say the bill’s current provisions are insufficient.
CISPA requires the director of national intelligence to enable intelligence agencies to share threat data with the private sector in real time. This includes information about vulnerabilities of federal and industry systems and networks and efforts to destroy or disrupt these systems. Companies that share information under the bill’s provisions would be granted legal protections if they are subject to a cyber attack.
The White House threatened to veto an earlier version of the bill that passed the House last April. Critics of the bill warned that it did little to protect citizens’ personal information and said it would not hold companies accountable for responding to threat information provided by the government.
Despite several amendments to the original bill, CISPA has not met White House expectations.
“We continue to believe that information sharing improvements are essential to effective legislation, but they must include privacy and civil liberties protections, reinforce the roles of civilian and intelligence agencies, and include targeted liability protections,” Caitlin Hayden, spokeswoman for the White House’s National Security Council, said in a statement.
“Further we believe the adopted committee amendments reflect a good faith-effort to incorporate some of the administration’s important substantive concerns, but we do not believe these changes have addressed some outstanding fundamental priorities,” Hayden said. She said the administration will continue working with the bill’s co-authors, House Intelligence Committee Chairman Rep. Mike Rogers, R-Mich., and Dutch Ruppersberger, D-Md., the committee’s ranking member.
In an effort to appease privacy and civil liberties groups, several amendments were added to the bill, including one that restricts how the government can use cyber information it receives from the private sector. The bill requires that the government only use shared information for cybersecurity, investigation and prosecution of cybersecurity crimes and protection of individuals and minors. A provision that would have allowed the information to be used for national security purposes was removed.
Several companies and trade groups, including Facebook, the U.S. Chamber of Commerce and industry group TechAmerica, have expressed support for the bill. But groups such as the American Civil Liberties Union are not satisfied.
“The changes to the bill don’t address the major privacy problems we have been raising about CISPA for almost a year and a half,” Michelle Richardson, legislative counsel at the ACLU’s Washington Legislative Office, said in a statement. “CISPA still permits companies to share sensitive and personal customer information with the government and allows the National Security Agency to collect the internet records of everyday Americans.”
The Senate on Wednesday failed to pass cybersecurity legislation that would set voluntary security standards for owners of critical infrastructure, such as dams, energy and water systems.
Senators voted 51-47 in favor of the bill, S 3414, but fell short of the 60 votes needed to move forward with final passage.
“Cybersecurity is dead for this Congress,” Senate Majority Leader Harry Reid, D-Nev., said following the vote. “What an unfortunate thing.”
Sen. Susan Collins, R-Maine, a co-sponsor of the Cybersecurity Act, expressed similar disappointment. “In all my years on the Homeland Security Committee, I cannot think of another issue where the vulnerability is greater and we’ve done less,” Collins said in a statement.
Senators were at a similar crossroad in August, but some were hopeful that Sen. John McCain, R-Ariz., and other Republicans who strongly opposed the bill would at least vote to move forward and introduce relevant amendments. McCain, who on Wednesday initially expressed a willingness to move forward with the bill if at least five amendments could be introduced, ultimately voted against the bill.
Under the bipartisan bill, critical infrastructure owners would become eligible for certain benefits if they voluntarily certify through a third party that they meet cybersecurity standards. Those benefits would include liability protections in the event of a cyber attack on their systems.
Republicans argued that implementing the bill would be a financial burden to industry. They also opposed the Department of Homeland Security’s role in approving and overseeing cybersecurity standards.
Retiring Sen. Kay Bailey Hutchison, R-Texas, who voted against the bill, suggested that the Senate start over and allow all committees with jurisdiction over cyber to provide their input.
Absent cybersecurity legislation, administration leaders have said the president would move forward with an executive order to improve cybersecurity of the nation’s most critical infrastructure.
Senators said that a draft of the executive order is being circulated. The order is said to include provisions that will establish cybersecurity standards for the 18 critical infrastructure sectors in areas where regulators have existing authority to enforce those standards. The order, however, could not provide liability protections for companies that follow those standards but are attacked.
The Washington Post reported that President Obama signed a secret directive in mid-October, Presidential Directive 20, that explicitly defines how the military will respond to a cyber attack using both offensive and defensive capabilities.
While the Transportation Security Administration has made headway in defending against insider attacks, the agency lacks specific policies and procedures to mitigate those threats, according to a recent inspector general audit.
The September audit, released this week, found that TSA has not implemented insider threat policies and procedures that clearly explain its employees’ role in defending against insider threats. TSA also lacks a risk mitigation plan that ensures all employees address the risks of insider threats in a consistent way.
TSA defines insider threat as “one or more individuals with access or insider knowledge that allows them to exploit the vulnerabilities of the nation’s transportation systems with the intent to cause harm,” according to the Department of Homeland Security IG audit. Threats can include spying, release of information, sabotage, corruption, impersonation, theft, smuggling, and terrorist attacks. Insider threats can include current and former employees and contractors.
The report noted that TSA doesn’t have a mandatory insider threat training and awareness program for employees, and it lacks protective measures to ensure unauthorized employees can’t, for instance, dump massive amounts of sensitive data onto a portable storage device.
The IG recommends that TSA’s assistant administrator for information technology:
- Further develop TSA’s insider threat program by including policies, procedures and a risk management plan.
- Require insider threat awareness training for employees.
- Direct systems administrators to disable USB ports on computers and laptops if there is not a legitimate need for them.
- Limit the size of email file attachments until the proper measures are in place to detect or prevent unauthorized exfiltration of sensitive information.
However, TSA said it has developed a directive, currently awaiting approval, that identifies polices and procedures for its insider threat program. The agency stood up a toll free hotline and email address for reporting insider threats and also plans to roll out an insider threat training and awareness program.
The agency said disabling USB ports isn’t feasible but, instead, has an application in place to alert the agency when data is transferred outside DHS networks. TSA also disagreed with any restrictions on email file sizes.
Further discussions between the agency and the IG are required to hash out differing opinions.
In June, Reps. Bennie Thompson, D-Miss, and Sheila Jackson Lee, D-Texas, questioned TSA’s plans to purchase software that monitors employees’ keystrokes, emails and other online activities as part of a larger effort to defend against internal attacks.
In a response letter, TSA Administrator John Pistole said the software would provide TSA with forensic evidence for investigations should an employee ever be identified as a potential insider threat to TSA’s mission.
In an Oct. 3 response letter to the IG audit, the lawmakers requested a detailed description of TSA’s current spending related to the insider threat, an estimate of the anticipated lifecycle cost of the monitoring software the agency plans to buy, when TSA will have policies, procedures and a risk management plan and other information by Oct. 17.
A coalition of businesses pushing for the privatization of government work ranked Congress this week on votes that would have invited more competition between the public and private sector.
“We are seeing an unprecedented level of government expansion into numerous activities that should be left to the private sector,” John Palatiello, president of the Business Coalition for Fair Competition, said at a news conference at the National Press Club on Thursday. “In our free enterprise system, government should be the umpire, not the opposing team.”
The coalition’s report lists how each member of the U.S. House and Senate voted on legislation, amendments and procedural actions — 10 in each house — that would have allowed private companies to compete with government workers or impeded companies’ competition for federal contracts.
Among the Senate actions members were scored on were amendments that would have repealed the previously enacted government-run healthcare law and allowed private companies to compete with the Postal Service. Key House votes included amendments that prevented the executive branch from requiring companies to disclose their political contributions as a condition of winning government contracts and that would have removed restrictions on agencies’ use of OMB Circular A-76 public-private cost competitions.
Not surprisingly, Republican leaders, such as Senate Minority Leader Mitch McConnell and Rep. Paul Ryan, who is presidential candidate Mitt Romney’s running mate, agreed with the coalition’s position on key votes. On the other hand, Democratic leaders, such as Senate Majority Leader Harry Reid and House Minority Leader Nancy Pelosi, received goose eggs.
A top Democratic senator is calling on the president to use executive branch authorities to better secure critical systems against cyber attacks.
In a letter to President Obama on Monday, Sen. John Rockefellar, (D-W.Va.), urged the president to “explore and employ every lever of executive power that you possess to protect this country from the cyber threat.”
Rockefeller co-sponsored the Cybersecurity Act, S. 3414, which failed passage in the Senate this month. The bill would have set voluntary standards for companies operating critical infrastructure, such as the electric grid, water treatment facilities and transportation systems.
Rockefeller said that many portions of the bill could be implemented via executive order, regulatory processes or under the authorities of the Homeland Security Act.
Obama’s assistant for homeland security and counterterrorism, John Brennan, told the Council on Foreign Relations last week that the administration is considering the use of executive branch authorities. White House officials are determining what cybersecurity guidelines or policies can be enforced through executive order to enhance cybersecurity of critical infrastructure, most of which are controlled by the private sector.
Sen. Joseph Lieberman, I-Conn., has revised his cybersecurity bill “to try carrots instead of sticks as we begin to improve our cyber defenses,” he said.
The bill has the endorsement of President Obama, who, in an op-ed in The Wall Street Journal Thursday, urged the Senate to pass the bill so he could sign it into law.
Under the bill, owners of critical infrastructure — such as dams, energy and water systems — would voluntarily show they meet certain cybersecurity practices through a third-party verification or certification. By volunteering, they would be eligible for benefits, such as liability protections in the event of a cyber attack on their systems, expedited security clearances and priority assistance with cybersecurity issues.
The bill would establish a multi-agency council chaired by the secretary of the Department of Homeland Security to assess the risks and vulnerabilities of critical systems and work with industry to develop voluntary security practices.
The first iteration of the bill would have authorized DHS to regulate security standards for privately owned critical systems.
The revised bill uses “incentives rather than mandatory regulations,” Lieberman said.
The bill is expected to win a motion to proceed, which would assume there is wide support for the bill.
Sen. John McCain, R-Ariz., and seven Republican co-sponsors introduced their own bill in March that promotes voluntary information sharing of cyber threats between government and industry through existing partnerships.
A House subcommittee on Wednesday passed a bill to ensure vets are quickly notified when their personal information is breached.
The Veterans Data Breach Timely Notification Act, , H.R. 3730, requires the Veterans Affairs Department to notify Congress and vets within 10 business days of their personal information being breached. VA could request a five-day extension if more time is needed to identify affected individuals or mitigate a breach.
VA contractors that handle vets’ personal information would be held to the same standards under the bill.
“In the unfortunate event of a breach of sensitive information, veterans and their families should be notified as soon as practically possible,” Rep. Joe Donnelly, D-Ind., ranking member of the House Veterans Affairs Subcommittee on Oversight and Investigations, said in a statement.
“Current law, however, gives the VA a full thirty days to notify veterans that their personal information may have been compromised. That is too long.”
Sen. Joseph Lieberman, I-Conn., is confident the Senate will consider his controversial cybersecurity bill within the next month. Whether he has garnered enough support among divided lawmakers is another issue.
“I’m as confident as I can be that this will come up no later than July,” Lieberman told reporters at one of two cyber briefings by the Department of Homeland Security on Wednesday. Lieberman echoed intentions by Senate Majority Leader Harry Reid, D-Nev., to bring cyber legislation to the Senate floor as soon as possible.
The House passed the Cyber Intelligence Sharing and Protection Act (CISPA), HR 3523, in April, but Lieberman said his bill is the better bill. In a statement Wednesday he urged the Senate to pass the bill and iron out differences with the House.
Under Lieberman’s 2012 Cybersecurity Act, certain companies operating the nation’s electric grid, water supply and other critical systems would have to meet cybersecurity standards approved and enforced by DHS and share with the government all instances when they come under cyber attack.
But Congress is at odds about DHS regulating the security of some privately owned networks and whether the department is capable of taking on that role. The briefing on Capitol Hill was one of several that Lieberman hopes will change people’s perception of DHS and highlight its cyber defense capabilities.
“I want people to be confident that the folks at the department can handle it,” he said.
Mark Weatherford, DHS’ deputy under secretary for cybersecurity, said the department has the capacity and cybersecurity expertise in house as well as partnerships with the Defense Department and National Security Agency. He also refuted claims that DHS’ latest intrusion detection system, Einstein 3, may not be made available to agencies. DHS is considering how to deploy the system, he said.
Officials from DHS’ United States Computer Emergency Readiness Team demonstrated how easily hackers can gain control of a person’s computer through spear phishing — targeted emails crafted to convince an individual to divulge information or open malicious files.
The officials simulated how hackers might gather personal information from social networking sites to design a seemingly credible email. They planted malicious code into an email attachment using an open software tool called BackTrack5. By opening the corrupt file, victims can give attackers complete access to their computer, web camera, documents and other data.
The tool was created for security testing purposes but can also be used to launch intentional attacks.
Spear phishing is the most common form of cyber attacks used against personal computers and critical cyber infrastructure, Lieberman said. He added that his bill would raise the defenses against these types of attacks through information sharing and security requirements. For example, the bill would likely require companies to create more complex passwords.
“Some just have the word password,” he said.