House lawmakers will consider a bill Wednesday that would allow companies and federal agencies to voluntarily share and receive cyber threat information with each other.
The Cyber Information Sharing and Protection Act (CISPA) passed the House Permanent Select Committee on Intelligence April 10 and will be introduced on the House floor Wednesday. A vote is expected by Thursday.
An earlier version of the bill passed the House last April but lacked additional privacy controls included in the revised bill. Still, that has not satisfied the White House and civil liberties groups who say the bill’s current provisions are insufficient.
CISPA requires the director of national intelligence to enable intelligence agencies to share threat data with the private sector in real time. This includes information about vulnerabilities of federal and industry systems and networks and efforts to destroy or disrupt these systems. Companies that share information under the bill’s provisions would be granted legal protections if they are subject to a cyber attack.
The White House threatened to veto an earlier version of the bill that passed the House last April. Critics of the bill warned that it did little to protect citizens’ personal information and said it would not hold companies accountable for responding to threat information provided by the government.
Despite several amendments to the original bill, CISPA has not met White House expectations.
“We continue to believe that information sharing improvements are essential to effective legislation, but they must include privacy and civil liberties protections, reinforce the roles of civilian and intelligence agencies, and include targeted liability protections,” Caitlin Hayden, spokeswoman for the White House’s National Security Council, said in a statement.
“Further we believe the adopted committee amendments reflect a good-faith effort to incorporate some of the administration’s important substantive concerns, but we do not believe these changes have addressed some outstanding fundamental priorities,” Hayden said. She said the administration will continue working with the bill’s co-authors, House Intelligence Committee Chairman Rep. Mike Rogers, R-Mich., and Dutch Ruppersberger, D-Md., the committee’s ranking member.
In an effort to appease privacy and civil liberties groups, several amendments were added to the bill, including one that restricts how the government can use cyber information it receives from the private sector. The bill requires that the government only use shared information for cybersecurity, investigation and prosecution of cybersecurity crimes and protection of individuals and minors. A provision that would have allowed the information to be used for national security purposes was removed.
Several companies and trade groups, including Facebook, the U.S. Chamber of Commerce and industry group TechAmerica, have expressed support for the bill. But groups such as the American Civil Liberties Union are not satisfied.
“The changes to the bill don’t address the major privacy problems we have been raising about CISPA for almost a year and a half,” Michelle Richardson, legislative counsel at the ACLU’s Washington Legislative Office, said in a statement. “CISPA still permits companies to share sensitive and personal customer information with the government and allows the National Security Agency to collect the internet records of everyday Americans.”
Thousands of rogue Apple, Android and Windows devices found operating on the Army’s network could pose major security risks to sensitive data and Army network operations, according to a recent report.
Army commands failed to report more than 14,000 commercial smartphones and tablet computers being used across the service for research activities, data collection, mobile device pilot programs and other tasks, according to the March 26 inspector general report. Army Corps of Engineers, Engineer Research and Development Center in Vicksburg, Miss., and the U.S. Military Academy at West Point, N.Y., were among the locations using unapproved devices.
Army officials at those sites did not ensure devices met security standards to protect data, and they failed to require all smartphones and tablets be wiped clean of data if reported lost or given to a new user. A lack of clear guidance from the Army chief information officer resulted in officials forgoing training and user agreements before handing out mobile devices.
“The Army did not implement an effective cybersecurity program for commercial mobile devices,” the report said. “If devices remain unsecure, malicious activities could disrupt Army networks and compromise sensitive DoD information.”
“The Army CIO inappropriately concluded that [commercial mobile devices] were not connecting to Army networks and storing sensitive information; and, therefore, did not” require the same security standards used for other information systems, according to the report.
The IG review was conducted between April 2012 and February 2013 and did not include Blackberry devices.
The IG office set an April 25 deadline for the Army to comment on its recommendations, which include creating clear policy for tracking and reporting mobile device purchases and ensuring mobile devices follow the same security standards as other information systems. Earlier comments provided by the director for the Army CIO Cybersecurity Directorate were deemed nonresponsive.
As of February, DoD reported more than 600,000 commercial mobile devices in use and in a pilot test phase, including 470,000 Blackberrys, 41,000 Apple devices and 8,700 Android devices. The challenge, however, is managing those devices.
Army officials are eager for DoD’s mobile device contract to be awarded this month. The management software will eventually manage, monitor and enforce security for 8 million devices. The software will allow the Army to remotely wipe data from devices and monitor what applications users download, websites they visit and data viewed or modified on their devices.
The General Services Administration has launched a full review of its key online procurement system, after discovering a security vulnerability that may have exposed users’ sensitive data.
The security flaw was reported to GSA on March 8, and the agency has since issued a software patch on the system and is investigating potential impacts to vendors registered in GSA’s System for Award Management (SAM).
“When we got the word that this might be the case, we got right on it,” GSA Acting Administrator Dan Tangherlini told reporters Tuesday following a congressional hearing. “And there is nothing that we won’t do, there’s no step we’re not going to take to ensure the safety and the security of people’s data within that system.”
Tangherlini said GSA is testing changes to the system and will continue to keep users informed. “I am incredibly concerned about it, and the good news is that everyone in the organization is incredibly concerned,” he said of the system’s known security flaw.
The vulnerability could have compromised sensitive information, including Social Security numbers, of individuals registered in the system, according to GSA.gov. Contractors that use Social Security numbers instead of taxpayer identification numbers could be at greater risk, and those individuals will receive credit monitoring.
The vision for the SAM system is to serve as a single access point for nine procurement systems, but GSA has yet to accomplish that goal. To date, the SAM system includes four of the nine systems and provides access to contractors’ business information, the certifications they need to receive federal contracts and grants, and which contractors have been suspended or debarred.
In 2008, GSA began consolidating its systems in an effort to reduce costs, eliminate redundancies and improve efficiency.
A March 2012 Government Accountability Office report found that “while GSA has taken some steps to reduce costs, it has not reevaluated the business case for SAM or determined whether it is the most cost-effective alternative.”
The Federal Acquisition Service and Office of the Chief Information Officer are now providing program oversight, following an internal review of all GSA operations last year. Tangherlini has also called for the development, reporting and monitoring of key metrics for the SAM project.
President Barack Obama will issue an executive order Wednesday aimed at tightening the nation’s cybersecurity.
Senior administration officials, including White House Cybersecurity Coordinator Michael Daniel and Army Gen. Keith Alexander, head of U.S. Cyber Command, will provide details on cyber policy Wednesday morning at the Commerce Department. Officials will provide an update on cybersecurity priorities for 2013, including information sharing and reducing cyber risks, Commerce announced Tuesday.
The executive order is said to include provisions that will establish voluntary cybersecurity standards for critical infrastructure sectors, such as transportation and energy, where federal regulators have authority to enforce those standards. However, the order could not provide liability protections for companies that follow those standards but are attacked.
The order is also expected to direct agencies to share cyber threat information with companies operating critical infrastructure.
Lawmakers failed last year to pass comprehensive cybersecurity legislation, but Rep. Mike Rogers, R-Mich., chairman of the House Permanent Select Committee on Intelligence, and Rep. Dutch Ruppersberger, D-Md., plan to reintroduce cyber legislation Wednesday.
The Cyber Intelligence Sharing and Protection Act (CISPA), HR 624, would allow the government and industry to voluntarily share information about malicious attacks and viruses. Companies that share information under the bill’s provisions or protect their networks would be granted legal protections if they’re subject to a cyber attack. The bill passed the House in April.
Agencies are anxiously awaiting governmentwide standards for securing smartphones and tablet computers.
Come May, they will have a checklist of security standards to use, organized by the sensitivity of the data employees share or access on mobile devices and by whom the data is shared with, whether another federal agency or citizens.
Federal officials working on the project refer to the guidelines as a playbook or list of security standards that agencies should consider when using mobile devices. The playbook will include five common ways that most agencies use mobile devices and provide recommendations for securing devices in those environments, said Margie Graves, deputy chief information officer at the Department of Homeland Security.
Graves, who spoke at a mobile security event Thursday, is working with the National Institute of Standards and Technology, the Defense Department and the Justice Department to develop the playbook.
The security standards are based on revised NIST standards released Tuesday for final comment. Ron Ross, a senior computer scientist and information security researcher at NIST, said the final document is expected in April.
While many of the existing NIST standards can be applied to mobile devices, some may not be applicable, Ross said. For example, one NIST security standard recommends agencies disable or restrict unnecessary functions or services that their information systems may provide. For mobile devices, that may mean restricting what applications employees can download or disabling mobile capabilities that aren’t needed for work and could be a security risk.
DHS’ Graves described the playbook as an itemized checklist of security standards categorized by use case. However, she wouldn’t provide details on the use cases. DHS CIO Richard Spires has said these standards will help agencies in developing bring-your-own-device programs, where employees are able to use their personal devices for work.
How agencies implement or tailor security standards to meet their needs will vary, Graves said. For instance, the intelligence community, law enforcement agencies and DoD may use similar use cases for mobile, while DHS’ Federal Emergency Management Agency would need to use mobile devices to communicate with the public during a natural disaster.
Some guidance will be released in March on how agencies can best secure mobile devices used for communicating with other agencies. The entire playbook, however, will not be released until May.
The Senate on Wednesday failed to pass cybersecurity legislation that would set voluntary security standards for owners of critical infrastructure, such as dams, energy and water systems.
Senators voted 51-47 in favor of the bill, S 3414, but fell short of the 60 votes needed to move forward with final passage.
“Cybersecurity is dead for this Congress,” Senate Majority Leader Harry Reid, D-Nev., said following the vote. “What an unfortunate thing.”
Sen. Susan Collins, R-Maine, a co-sponsor of the Cybersecurity Act, expressed similar disappointment. “In all my years on the Homeland Security Committee, I cannot think of another issue where the vulnerability is greater and we’ve done less,” Collins said in a statement.
Senators were at a similar crossroads in August, but some were hopeful that Sen. John McCain, R-Ariz., and other Republicans who strongly opposed the bill would at least vote to move forward and introduce relevant amendments. McCain, who on Wednesday initially expressed a willingness to move forward with the bill if at least five amendments could be introduced, ultimately voted against the bill.
Under the bipartisan bill, critical infrastructure owners would become eligible for certain benefits if they voluntarily certify through a third party that they meet cybersecurity standards. Those benefits would include liability protections in the event of a cyber attack on their systems.
Republicans argued that implementing the bill would be a financial burden to industry. They also opposed the Department of Homeland Security’s role in approving and overseeing cybersecurity standards.
Retiring Sen. Kay Bailey Hutchison, R-Texas, who voted against the bill, suggested that the Senate start over and allow all committees with jurisdiction over cyber to provide their input.
Absent cybersecurity legislation, administration leaders have said the president would move forward with an executive order to improve cybersecurity of the nation’s most critical infrastructure.
Senators said that a draft of the executive order is being circulated. The order is said to include provisions that will establish cybersecurity standards for the 18 critical infrastructure sectors in areas where regulators have existing authority to enforce those standards. The order, however, could not provide liability protections for companies that follow those standards but are attacked.
The Washington Post reported that President Obama signed a secret directive in mid-October, Presidential Directive 20, that explicitly defines how the military will respond to a cyber attack using both offensive and defensive capabilities.
The Department of Homeland Security is following through on recommendations to hire at least 600 cybersecurity experts, DHS Secretary Janet Napolitano said Wednesday.
Speaking at a Washington Post cybersecurity forum, Napolitano said the department is looking to hire cyber experts, analysts, IT specialists and people who are familiar with coding.
In June, DHS Secretary Janet Napolitano directed a newly formed CyberSkills task force to develop recommendations for growing DHS’s cyber workforce and expanding the pipeline of cyber talent nationwide, which includes hiring at least 600 cyber professionals.
Napolitano said DHS has increased its workforce by 600 percent over the last few years, and she praised President Obama’s budgetary backing of the department’s cybersecurity efforts.
However, similar efforts have been underway for the past few years to hire cyber professionals, James Lewis, senior fellow and program director at the Center for Strategic and International Studies, said on a separate panel. “So, what’s going on?”
One issue the task force report identified is that DHS has not properly identified the skills needed to defend against threats, making it difficult to hire people with those skills. To keep pace with the growing threat, DHS has relied heavily on contractors, “leaving fewer of these sought-after positions open to federal employees,” the report said.
“We’ve probably gone from about five miles an hour to 85 miles an hour at DHS in the last three or so years,” Napolitano said. “We need to be at 120 miles an hour, and I would say that across the federal government.”
Napolitano wouldn’t discuss the starting salaries of DHS cyber experts but joked that there are no signing bonuses.
Overall, she said the government needs to improve real-time information sharing with the private sector and there needs to be better widespread adoption of cybersecurity best practices for critical infrastructure. She said most sectors have adopted adequate cyber practices, but in an interconnected world if there is one weak link everyone is affected.
While the Transportation Security Administration has made headway in defending against insider attacks, the agency lacks specific policies and procedures to mitigate those threats, according to a recent inspector general audit.
The September audit, released this week, found that TSA has not implemented insider threat policies and procedures that clearly explain its employees’ role in defending against insider threats. TSA also lacks a risk mitigation plan that ensures all employees address the risks of insider threats in a consistent way.
TSA defines insider threat as “one or more individuals with access or insider knowledge that allows them to exploit the vulnerabilities of the nation’s transportation systems with the intent to cause harm,” according to the Department of Homeland Security IG audit. Threats can include spying, release of information, sabotage, corruption, impersonation, theft, smuggling, and terrorist attacks. Insider threats can include current and former employees and contractors.
The report noted that TSA doesn’t have a mandatory insider threat training and awareness program for employees, and it lacks protective measures to ensure unauthorized employees can’t, for instance, dump massive amounts of sensitive data onto a portable storage device.
The IG recommends that TSA’s assistant administrator for information technology:
- Further develop TSA’s insider threat program by including policies, procedures and a risk management plan.
- Require insider threat awareness training for employees.
- Direct systems administrators to disable USB ports on computers and laptops if there is not a legitimate need for them.
- Limit the size of email file attachments until the proper measures are in place to detect or prevent unauthorized exfiltration of sensitive information.
However, TSA said it has developed a directive, currently awaiting approval, that identifies policies and procedures for its insider threat program. The agency stood up a toll-free hotline and email address for reporting insider threats and also plans to roll out an insider threat training and awareness program.
The agency said disabling USB ports isn’t feasible but, instead, has an application in place to alert the agency when data is transferred outside DHS networks. TSA also disagreed with any restrictions on email file sizes.
Further discussions between the agency and the IG are required to hash out differing opinions.
In June, Reps. Bennie Thompson, D-Miss., and Sheila Jackson Lee, D-Texas, questioned TSA’s plans to purchase software that monitors employees’ keystrokes, emails and other online activities as part of a larger effort to defend against internal attacks.
In a response letter, TSA Administrator John Pistole said the software would provide TSA with forensic evidence for investigations should an employee ever be identified as a potential insider threat to TSA’s mission.
In an Oct. 3 response letter to the IG audit, the lawmakers requested a detailed description of TSA’s current spending related to the insider threat, an estimate of the anticipated lifecycle cost of the monitoring software the agency plans to buy, when TSA will have policies, procedures and a risk management plan and other information by Oct. 17.
A top Democratic senator is calling on the president to use executive branch authorities to better secure critical systems against cyber attacks.
In a letter to President Obama on Monday, Sen. John Rockefeller, D-W.Va., urged the president to “explore and employ every lever of executive power that you possess to protect this country from the cyber threat.”
Rockefeller co-sponsored the Cybersecurity Act, S. 3414, which failed passage in the Senate this month. The bill would have set voluntary standards for companies operating critical infrastructure, such as the electric grid, water treatment facilities and transportation systems.
Rockefeller said that many portions of the bill could be implemented via executive order, regulatory processes or under the authorities of the Homeland Security Act.
Obama’s assistant for homeland security and counterterrorism, John Brennan, told the Council on Foreign Relations last week that the administration is considering the use of executive branch authorities. White House officials are determining what cybersecurity guidelines or policies can be enforced through executive order to enhance the cybersecurity of critical infrastructure, most of which is controlled by the private sector.
The Navy and Marine Corps are soliciting ideas on how to reduce costs through better management of information technology, efficient business processes and improving cyber-related procurements.
Under orders last year to cut information technology budgets by 25 percent over the next five years, the Department of the Navy is consolidating data centers, increasing the use of departmentwide software licenses and reducing cellphone costs.
Navy and Marine Corps employees, industry, academia and the public are welcome to make recommendations. Submissions must include a brief discussion of the problem, a proposed scope, key assumptions, constraints and risks, costs, savings and other benefits and operational impacts. Email completed submission forms to email@example.com.