Senators Seek to Bolster DHS Cyber Oversight

U.S. lawmakers launched a bipartisan bid to boost the Department of Homeland Security's powers to better oversee cybersecurity compliance by federal agencies and intervene when they might fail to safeguard their networks.  

The Senate bill would strengthen the department's ability to enforce cybersecurity standards governmentwide, and “in the event that a federal agency chooses not to do so, [the] DHS would have the authority to stand in … and prevent worse damages from occurring,” Sen. Susan Collins (R-ME) said in announcing her plans to submit the bill to the full Senate on Tuesday. 

“We cannot afford to wait for another 9/11—this time done through a cyber attack—or another Edward Snowden or another OPM breach before protecting our critical infrastructure, our .gov networks or our classified national security system, which aren’t, I will say, in the best shape,” Collins said. “We need legislation. Executive orders are important, but they cannot confer the kind of authority that needs to be done by law.”

Hackers behind the most recent, and possibly egregious, cyber attacks on the Office of Personnel Management (OPM) pilfered personal information from 21.5 million current and former federal workers, their families and friends. They lifted Social Security numbers, birth dates, addresses, job assignments and highly coveted security clearance details.

Collins is joined by Sens. Mark Warner (D-VA), Kelly Ayotte (R-NH), Barbara Mikulski (D-MD) and Daniel Coats (R-IN) in introducing the bill, she shared at an event on Tuesday presented by the National Intelligence University Foundation (NIUF), a nonprofit corporation affiliated with AFCEA International.

The measure has passed out of the Senate Intelligence Committee on the heels of a companion bill that provides incentives to increase sharing of cybersecurity threat information, addresses privacy and civil liberty concerns, and offers liability protections to members of the private sector who share information with the government.

Collins also seeks to mandate that owners of critical infrastructure share intelligence about significant cyber breaches with the federal government. “In some cases … the current threat is too great and the existing vulnerability too widespread for us to depend solely upon voluntary measures to protect the cyber backbone on which our country and our citizens depend,” Collins told attendees.

The United States might be on the precipice of two types of attacks that have yet to occur and would have “much greater ramifications for our country” than any of the preceding attacks, Collins shared. “The first would be a scenario in which the [U.S.] military fails to prevail in an armed conflict because of an inability to maintain reliable, digital communications with our satellites, our platforms, our weapons and our military members,” she opined. “This remains a daunting challenge because there are so many information systems involved. The second—and more likely scenario—is the disruption of critical infrastructure by cyber attack."

A coordinated cyber attack on the U.S. electric grid, for example, could cause blackouts in 15 states and levy economic losses totaling as much as $1 trillion, Collins said, citing the results of a study conducted by the Center for Risk Studies at the University of Cambridge and insurance giant Lloyd's of London.

“The owners and operators of the country’s most critical infrastructure, in my judgment, should be required to report significant cyber intrusions,” Collins said. One of the biggest threats against the nation is the “erosion of our technological advantages due to stolen intellectual property [and] stolen secrets by hackers and nation-states, yet information sharing is fragmented, and the private sector still hesitant,” she added. 

The rash of cyber breaches and government failures to secure key and sensitive data “overshadow a greater attack to come, unless transformative action is taken now to defend our networks,” Collins cautioned.

Three years ago, cyber bumped terrorism off the top spot as the greatest threat against the United States and remains the chief concern of the intelligence community and nation leaders, said Stephanie O’Sullivan, principal deputy director of national intelligence. “It leads because our reality right now, and for some time, has been because of the fear of living with the constant barrage of cyber attacks—cyberbreaches that are hugely damaging to our economy and our national security,” she said.

O’Sullivan addressed flak over the creation of the Cyber Threat Intelligence Integration Center (CTIIC) as the primary federal organization to analyze and integrate cyberthreat intelligence. Critics lament that CTIIC duplicates the work of existing cybersecurity-focused centers—a charge O’Sullivan countered.

“When you look deeper, you see that each IC [intelligence community] center has a unique mission and focus area," she said. The Department of Homeland Security is responsible for incident prevention, mitigation and recovery for the government’s unclassified networks, and it supports the private sector, while the FBI's equivalent conducts foreign and domestic investigations into cyber incidents, and the Defense Department defends in-house networks and seeks to improve security.

Collins expressed her own concerns. “I retain reservations about whether the center duplicates organizations in the Department of Homeland Security and Cyber Command,” she said. “The CTIIC seems to be primarily a response to policymakers’ frustrations about the need for a better and clearer picture of the cyber problem. But the center is not a solution to the cyberthreat problem in the same way that [the] NCTC [National Counterterrorism Center] directly addresses the problem of information sharing across the federal government that was identified by the 9/11 Commission.”

CTIIC will be a small organization of roughly 50 people and “therefore will not and cannot duplicate the work of other centers,” O’Sullivan said. “Instead, it will be integrated to leverage their work in order to present a whole IC picture of the cyberthreats and events that we are dealing with.”

That includes worrisome threats emanating from China, Russia, North Korea and Iran. “China in particular has a long history of robbing our industrial base blind, with the primary motivation to catch up to and then surpass Western industrial and defense capabilities,” O’Sullivan told attendees at the NIUF event. “Iran and North Korea are not as capable as China, but have proven to be unpredictable and aggressive actors in cyberspace. And they aren’t afraid to undertake offensive cyber operations, including against private-sector targets.”