May 6, 2008

Network Defense & Accountability Act of 2008

Madam Speaker, today we are introducing the Homeland Security Network Defense and Accountability Act of 2008, a bill designed to improve the cybersecurity posture of the Department of Homeland Security. The security of our federal and critical infrastructure networks is an issue of national security. The United States and its allies face a significant and growing threat to our information technology (IT) systems and assets, and to the integrity of our information. The acquisition of our government’s information by outsiders undermines our strength as a nation and over time could cost the United States our advantage over our adversaries. This is a critical issue that we can no longer ignore.

One of the first things that Chairman Thompson tasked me with when I was named Chairman of the Subcommittee on Emerging Threats, Cybersecurity and Science and Technology was to lead a bipartisan inquiry into the cybersecurity posture of our federal networks and our critical infrastructure. Viewing the potential for cyber attacks on federal networks as an emerging threat that warrants attention, Chairman Thompson challenged me to address the four areas that the 9/11 Commission determined our systems failed: in imagination, policy, capabilities, and management. The same can be said of the federal government’s approach to cybersecurity – and as a result, our critical information and technology systems are vulnerable to cyber terrorists.

So far in the 110th Congress, we have held seven hearings on cybersecurity, heard from hundreds of experts on how best to tackle this issue, reviewed information security best practices in the public and private sectors, investigated cyber incidents across the spectrum, from the State and Commerce Departments to our nation’s electric grid, and uncovered and assisted law enforcement in investigating breaches at the Department of Homeland Security.

It has become clear that an organization is only as strong as the integrity and reliability of the information that it keeps. Therefore we must make cybersecurity a national priority. This legislation represents a small but critical step toward improving the cybersecurity posture at the Department of Homeland Security by addressing two key issues: ensuring a robust defense-in-depth of our information systems, and holding individuals at all levels accountable for mitigating vulnerabilities. Early in our investigative process, I announced that the Committee’s oversight goals were to increase public awareness of the problems associated with federal network security; fix those vulnerabilities that are, or could be, successfully exploited; and hold individuals, agencies, and private sector entities responsible for their actions. Though much work remains to be done, I believe that we are moving in the right direction. The Department has already begun acting to improve its information security as a result of several Committee hearings. By fully implementing and carefully considering the intent of this bill, I believe the Department of Homeland Security will continue to make great strides in improving its information security posture. I hope that one day DHS will be considered a global leader in cybersecurity.

This measure is comprised of several important pieces. First, this bill would establish authorities and qualifications for the Chief Information Officer (CIO) position at the Department of Homeland Security. In March 2007, Secretary Chertoff issued a management directive giving the Chief Information Officer hiring authority for CIOs and approval authority over agency CIO budgets and IT investments. This bill statutorily authorizes that directive, but includes additional requirements for information security qualifications. In a number of hearings, we expressed concern that the lack of an information security background can hamper the CIO’s understanding and efforts to secure the Department’s networks. We cannot allow future Presidents to repeat the mistakes made by this Administration in appointing unqualified individuals to this important office.

This bill would also establish specific operational security practices for the CIO, including a continuous, real-time cyber incident response capability, a network architecture emphasizing the positioning of security controls, and vulnerability assessments for each external-facing information infrastructure. As we learned through our investigations of cyber incidents on DHS networks, the absence of a 24 hour/7 day a week real-time response capability can lead to devastating consequences, and we simply cannot afford significant time lapses in our response to cyber incidents.

This legislation also includes testing protocols to reduce the number of vulnerability exploitations throughout the Department’s networks. Through our investigations and oversight hearings, we identified a significant gap between requirements under the Federal Information Security Management Act (FISMA) and the current threat environment. As we have learned, agencies that receive high FISMA scores are not necessarily secure from the latest attacks. This provision will require the CIO to consult with other federal agencies and establish attack-based testing protocols to secure Department networks. Today, one of the biggest problems with FISMA is that while we continue to identify vulnerabilities in our systems, we fail to provide adequate funding to mitigate those vulnerabilities. This bill will hold both the CIO and the agency head responsible for developing and implementing a vulnerability mitigation plan that includes budget and personnel marks.

The ubiquitous nature of the Internet can lead to significant problems if one party is infected with a virus or rootkit that can penetrate another person’s network undetected. That is why our bill requires the Secretary to determine if the internal security policy of a contractor who provides network services to the Department matches the requirements of the Department. Network service providers for the Department are also required to implement and regularly update their internal information security policies, and deliver timely notice of any computer incidents that could affect the Department’s computers. This section is similar to provisions contained in the security controls developed by the National Institute of Standards and Technology (NIST) special condition “SA-9.”

Finally, we seek a formal report from the Secretary on several critical issues. I was disturbed to learn that the Department still has not conducted a risk assessment on its unclassified network, despite a series of breaches, and we seek a detailed counter-intelligence plan from the Secretary to investigate all breaches, as well as an outline of a program to increase threat information sharing with cleared contractors. DHS must also examine a similar undertaking, and consider offering training to contractors using the attack-based protocols established in consultation with the defense and intelligence communities. We also ask the Secretary to update us on how effective the Department has been in meeting the deadlines established by the Office of Management and Budget (OMB) for Trusted Internet Connections (TIC), encryption and authentication mandates.

Regrettably, poor information security practices plague the entire federal government, not just DHS. NIST continues to serve as an excellent guide for robust cybersecurity practices; unfortunately, federal agencies are often quick to cut cybersecurity budgets in favor of tangible products. If we care about information security, then we must not allow agencies to bleed money out of these programs.

Of course, legislation alone will not accomplish our goals. The Homeland Security Committee continues to conduct robust oversight over this Administration’s Cyber Initiative. While I support the aim of the Cyber Initiative, I continue to have significant questions about the scope, budget, and secrecy of these efforts. Furthermore, there are several critical issues that each federal agency must immediately address to improve its security posture. We must start conducting robust damage assessments that can measure exposure to current attacks, and continue to fix those vulnerabilities. We must enhance and educate the federal workforce to limit successful exploits. We must support focused R&D efforts to solve the big challenges that face us in the world of cybersecurity. We must support and enhance initiatives like the Federal Desktop Core Configuration, the OMB-mandated security configuration for all Microsoft Windows Vista and XP operating system software. We must continue to monitor the efforts of the Administration to collapse federal connections to the Internet, known as the TIC Initiative. And finally, we must hold accountable those responsible for these efforts – whether they are our CIOs or Chief Information Security Officers, OMB, DHS, the Defense Department, the Intelligence community or contractors charged with securing our networks.

Information security must become a prime concern for each of us if we are to ever be successful in defending ourselves from attack. Madam Speaker, the Homeland Security Network Defense and Accountability Act of 2008 is a robust and carefully crafted bill, and is the result of a bipartisan effort to treat information security and cybersecurity with the same attention and effort that our adversaries would use to exploit us.

I thank Chairman Thompson for co-sponsoring this bill with me, and I send the bill to the desk and ask that it be properly referred to the Homeland Security Committee.