Senate Committee Passes Bill Requiring Einstein Use
Measure Would Accelerate Deployment of Intrusion Prevention Program
Legislation that aims to toughen cybersecurity at federal government civilian agencies by requiring the implementation of state-of-the-art tools has passed the Senate Homeland Security and Governmental Affairs Committee. The measure now goes to the full Senate.
The bill, known as the Federal Cybersecurity Enhancement Act of 2015, would accelerate the deployment and adoption of the Department of Homeland Security's federal intrusion detection and prevention program known as Einstein and would require civilian agencies to participate in it. The panel approved the measure unanimously on July 29, just two days after it was introduced (see Bill Would Mandate Agencies Use Einstein Program).
One of the bill's sponsors, Ranking Member Tom Carper, D-Del., says the legislation should "ensure every agency is equipped with the ever-improving capabilities needed to fend off future cyber-attacks."
The measure would require the deployment of cybersecurity best practices at agencies, including measures such as intrusion assessments, strong authentication, encryption of sensitive data and appropriate access controls.
The bill also would authorize Einstein, an intrusion detection and prevention system intended to screen federal agencies' Internet traffic for potential cyberthreats. According to the bill's sponsors, more than half of federal agencies have yet to deploy the full Einstein systems. Only 45 percent of federal agencies use the program's intrusion prevention capabilities.
"With this act in place, it will become far more difficult for our adversaries to steal our private data and to penetrate government networks," says bill co-sponsor and Committee Chairman Ron Johnson, R-Wisc.
A Response to OPM Breach
"Had the powers of this bill been implemented already, they likely would have stopped the hack of the Office of Personnel Management," said Johnson, the Wisconsin Republican who chairs the Senate Committee on Homeland Security and Governmental Affairs. "They will make it far more difficult for our adversaries to steal our private data and to penetrate government networks."
Yet former CIA CISO Robert Bigman is on record saying that although Einstein will strengthen civilian agencies' IT security, the intrusion prevention system - which cannot decipher encrypted communications - would not have prevented the OPM breach. That's because the hacker - believed to have ties to the Chinese government - stole the credentials from a government contractor to access the OPM system, Bigman says. And with those credentials, he says, the hacker logged in using encryption. "Einstein doesn't help if it can't decrypt communications," Bigman says.
Specifically, the legislation would:
- Accelerate the adoption of the Einstein program across the government by clarifying the Department of Homeland Security's legal authority to deploy it and by mandating adoption by agencies;
- Require better cybersecurity practices across government to ensure a defense-in-depth approach, including intrusion assessments, two-factor authentication and encryption for sensitive systems;
- Advance the capabilities of Einstein by requiring that it include the most advanced cyber technologies, including leading commercial tools, and that it evolve to better protect agencies as threats evolve; and
- Mandate strong privacy protections for the Einstein program and data.
FISMA Reform Act
Also during the committee's markup session on July 29, members adopted amendments that incorporated another bill aimed at strengthening DHS's role in ensuring the security of federal government agencies. That bill, known as the Federal Information Security Management Reform Act of 2015, was introduced last week by a bipartisan group of senators (see OPM Breaches' Impact on Legislation).
The FISMA Reform Act would revise the dozen-year-old Federal Information Security Management Act, the law that governs government IT security, by giving DHS legal authority to operate intrusion detection and prevention capabilities at all federal agencies on the .gov domain. The legislation also would permit the DHS secretary to operate defensive countermeasures on civilian networks once a cyber-threat has been detected.