A Senate bill would require agencies to deploy the EINSTEIN intrusion prevention system and implement basic cybersecurity practices in an effort to stem breaches of federal information systems. It remains to be seen whether additional congressional mandates would make any difference.
The Senate Homeland Security and Governmental Affairs Committee has approved a bill that would require agencies to deploy the EINSTEIN intrusion prevention system and implement some basic cybersecurity practices in an effort to stem the breaches of federal information systems. But it is unlikely that merely telling agencies to do what they already should be doing will be effective without addressing the underlying problems.
Addressing the underlying problems will be difficult for Congress. Problems include the serious shortage of trained cybersecurity professionals, which is the kind of long term issue that legislators have displayed little interest in dealing with. It also will require adequate long-term funding, and adequate funding for lofty mandates is anathema to politicians.
The Federal Cybersecurity Enhancement Act of 2015 (S.1869) was introduced July 27 by Senators Tom Carper (D-Del.) and Ron Johnson (R-Wis.) and approved by the committee two days later. It is a response to breaches recently discovered at the IRS and the Office of Personnel Management that exposed sensitive information on millions of citizens.
Currently, fewer than half of civilian agencies have deployed the full intrusion prevention capabilities of the Homeland Security Department’s EINSTEIN system. There are two main reasons for this. EINSTEIN’s functionality is limited to identifying threats for which it has signatures, which limits its effectiveness against newer, more sophisticated attacks. There also are privacy concerns about data gathered from network traffic by DHS and private sector service providers. The bill addresses these issues by requiring DHS to update EINSTEIN with current cybersecurity technology, and specifically authorizing DHS and contractors to gather network traffic data for use in cybersecurity. It also shields service providers from liability as long as they use the information only for legitimate cybersecurity purposes.
DHS also would be responsible for requiring agencies to implement best practices, including the encryption of all sensitive and mission critical data and use of multi-factor authentication for remote access and those with elevated privileges.
It is hard to believe, however, that agency officials—from the C-suite down to IT administrators—have failed to deploy these measures already simply because it has not occurred to them to do so. I have been accused of being cynical, but I am willing to give these people the benefit of the doubt and assume that they are neither lazy nor stupid.
It is easy enough to say “encrypt your data.” It is more difficult to update legacy IT systems so that they can support modern encryption, and to fund the program not only to implement encryption but to also ensure the long-term job of managing keys and certificates.
Agencies also need the people to manage and carry out these programs. It is possible that some agencies already have the number of bodies required for these jobs. The problem is that many of these people now are busy with the day-to-day job of putting out brushfires. Taking on new jobs would mean ignoring some current ones.
The goals of the Cybersecurity Enhancement Act are fine, but it is unlikely to make much difference unless Congress demonstrates its commitment to real cybersecurity through a willingness to tackle tough issues.