McCaul says OPM hack should push Senate to act on cyber

The theft of information on federal employees from government systems should provide the Senate with the urgency to pass cybersecurity legislation, according to one of the bill's key House sponsors.

The recently disclosed theft of information on federal employees from government systems should provide the Senate with the necessary urgency to pass cybersecurity legislation, according to one of the bill's key sponsors in the House.

"We always say around here it would take a big event for Congress to act. I think the big event has happened, and now it's time for Congress to act. The House has acted. It is now time for the Senate to act and pass the bill that we passed out of the House with overwhelming bipartisan support," said Rep. Michael McCaul (R-Texas), chairman of the House Homeland Security Committee.

The National Cybersecurity Protection Advancement Act of 2015, which the House passed in April by a vote of 355-63, would give the government the authority to share information on cybersecurity threat indicators with the private sector. The bill also would authorize and put requirements on the implementation of the Einstein network perimeter defense systems operated by the Department of Homeland Security.

The Einstein systems, including the most recent Einstein 3A, which detects and blocks suspicious traffic based on known threat indicators, require stronger legal authority to be fully deployed, said Andy Ozment, assistant secretary at DHS and head of the National Protection and Programs Directorate, in written testimony presented at a June 24 hearing of the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies.

"Some agencies have questioned how the deployment of Einstein under DHS authority relates to their existing statutory restrictions on the use and disclosure of data. DHS and the administration are seeking statutory changes to clarify this uncertainty and to ensure agencies understand that they can disclose their network traffic to DHS for narrowly tailored purposes to protect agency networks, while making clear that privacy protections for the data will remain in place," Ozment said.

Einstein 3 was not deployed at the Department of the Interior or the Office of Personnel Management, both of which were breached by adversaries with administrative credentials stolen via hacks on contractors. The attacks have been linked to China, although publicly the administration has been mute on the topic of attribution. According to Ozment, no perimeter defense alone could have prevented the attacks.

"You cannot possibly say that you can prevent any given intrusion, but the more layers of security you have the more difficult you make it for an adversary," he said.

It was the Einstein 2 system that detected the breach into the systems of the Office of Personnel Management, according to Ozment. OPM rolled out Einstein 2 as part of a May 2014 mitigation plan developed with DHS. When the breach was discovered, OPM reported the incident to DHS, and the threat indicator was plugged into the Einstein 2 system, which identified an ongoing intrusion into an Interior Department database that stored OPM information on federal employees.

This is the big hack -- the 4.2 million records that the government has thus far acknowledged were stolen. This includes highly sensitive data from security clearance forms. However, other estimates, including reports of a closed briefing for senators from FBI Director James Comey, suggest that information on more than 18 million current and former federal employees, contractors, and family members was compromised.

Ozment deferred questions about the identity of the culprit or whether the OPM intrusions were part of a larger incident. He did say there were "clearly relationships between the government incidents including the two that we are talking about today and recent incidents targeting the personally identifiable information of government employees."

Despite backing in the House and from the administration, the Senate is going its own way on cyber. Intelligence Committee Chairman Richard Burr (R-N.C.) has a bill that includes information-sharing provisions, but which also would give the National Security Agency more of a role in cyber defense information than privacy hawks would like. Still, Majority Leader Mitch McConnell (R-Ky.) seems committed to the Burr legislation.

"Whatever happens tomorrow," McConnell said on the Senate floor, in reference to an upcoming Senate hearing, "one thing doesn't change: the need for the Intelligence Committee's cybersecurity bill we tried to pass earlier this month."