Langevin Introduces Bill to Strengthen Cybersecurity, Prevent Attacks
Congressman Jim Langevin (D-RI), co-founder of the Congressional Cybersecurity Caucus, is introducing legislation today to significantly strengthen protections against dangerous cyber threats. The Executive Cyberspace Coordination Act would establish a National Office for Cyberspace to evaluate and enforce requirements for federal agencies to protect themselves and the public, make certain that the government buys the most advanced and secure technology possible, and train a workforce with the ability to defend us against attacks. Langevin’s proposals would address the troubling report released last month revealing that in the past two years little was done to protect our power grid and critical infrastructure from unprecedented damage.
The bill has received bipartisan support, including co-sponsorship by: Rep. Roscoe Bartlett (R-MD), a senior member of the House Armed Services Committee (HASC); C.A. Dutch Ruppersberger (D-MD), Ranking Member of the House Permanent Select Committee on Intelligence; and Loretta Sanchez (D-CA), Ranking Member of the HASC Strategic Forces Subcommittee and a senior member of the House Committee on Homeland Security.
“Our nation sits at a crucial moment, where cyber attacks are common, but have not yet significantly impacted or endangered the American way of life,” said Langevin. “As the Director of the CIA said at a hearing last month, ‘This is the battleground for the future.’ Those charged with protecting the American people must be vigilant and responsive as serious threats grow, whether they come from practices on Wall Street, poor environmental safeguards or cyberspace. In this case, we have the opportunity to improve prevention and response to cybersecurity threats, but we must take action now.”
Langevin’s legislation would accelerate the sluggish progress in cybersecurity on the heels of the second version of a report by the CSIS Commission on Cybersecurity for the 44th Presidency, which Langevin co-chaired. The report found that we are “still unprepared” to meet the challenges of securing cyberspace and “many important actions have been deferred.” (The full review can be read at: https://csis.org/files/publication/110128_Lewis_CybersecurityTwoYearsLater_Web.pdf.)
In a February 10th hearing held by the House Intelligence Committee, on which Langevin sits, CIA Director Leon Panetta and Director of National Intelligence James Clapper described the United States’ vulnerability to terrorist attacks on the country’s computer networks that could shut down government agencies, power grids or financial markets. Panetta told the Committee, “The next Pearl Harbor may very well be a cyber attack,” and warned that Russia, China, Iran and other countries had begun developing capacities to launch cyber attacks.
This bill particularly expands Langevin’s past efforts by dealing with the lack of young people entering the job market with the math and science skills necessary to keep up with ever-changing cyber threats. In February, he announced the launch of the Rhode Island Cyber Foundations Competition to test the computer networking skills of high school students, while introducing them to the field of information technology. This bill would require that programs address these goals nationally at the secondary and post-secondary education levels.
Among the top ten recommendations of the CSIS report that this legislation addresses directly are:
- Developing coherent organization and leadership for federal efforts for cybersecurity and recognition of cybersecurity as a national priority;
- Providing clear authority to mandate better cybersecurity in critical infrastructure and develop new ways to work with the private sector;
- Building an expanded workforce with adequate cybersecurity skills;
- Enhancing outdated Federal Information Security Management Act (FISMA) policies; and
- Changing federal acquisition policy to drive the market toward more secure products.
The Executive Cyberspace Coordination Act includes provisions to:
Establish a National Office for Cyberspace (NOC)
The NOC, within the Executive Office of the President, will coordinate and oversee the security of agency information systems and infrastructure. This office will have strong budgetary oversight powers that are backed by financial pay-for-performance authorities, while remaining accountable to Congress. Federal agencies will be responsible for reporting on their information security threats, practices and history to the NOC before submission of their budgets to OMB. The Director of the NOC would be appointed by the President, subject to Senate confirmation, and will also have a seat on the National Security Council. This will allow the Director to review agency information security budgets and make recommendations back to the agencies as well as the President.
Create secure federal acquisition policies
The bill requires development of secure acquisition policies to be used in the procurement of information technology products and services, including a vulnerability assessment for any major system and its significant items of supply prior to development.
Improve our workforce by establishing Cyber Challenge Programs
Given the great deficiency of advanced cybersecurity capabilities in today’s workforce, it is imperative that the government support educational programs designed to engage students in the skill sets that they will need to keep our country competitive and safe online into the future.
Cement FISMA Reforms
The legislation includes requirements for agencies to undertake automated and continuous monitoring of their systems to ensure compliance and identify deficiencies and potential risks caused by cyber incidents or threats to an agency's information technology assets. These activities are intended to move agencies away from current manually intensive, compliance-focused, periodic assessments.
Require annual independent audit of federal agencies
Agencies must obtain an annual independent audit of their information security programs to determine their overall effectiveness and compliance with FISMA. Audits would also be required of contractors responsible for managing agency systems or programs on their behalf.
Additionally, the legislation will:
Establish a Federal Cybersecurity Practice Board
This Board within the NOC will develop policies and procedures for agencies to meet FISMA requirements and to oversee the implementation of approved standards and guidelines by the National Institute of Standards and Technology. The Board would be chaired by the Director of NOC, and include standing members from OMB, DoD, and selected members from civilian and law enforcement agencies.
Establish Office of the Chief Technology Officer
The Chief Technology Officer within the Executive Office of the President will work collaboratively across the government and private sector to analyze and improve the use of information technology. The head of this Office, the Federal Chief Technology Officer (Federal CTO), would be appointed by the President and subject to Senate confirmation. In addition, the Federal CTO would also be a standing member of the Cybersecurity Practice Board outlined above.
Grant authority to protect critical infrastructure
Homeland Security Presidential Directive-7 provides authority to the Secretary of Homeland Security to coordinate the protection of critical infrastructure. This bill clarifies this authority to include the creation, verification, and enforcement of measures with respect to the protection of the information systems that control critical infrastructure. This does not give DHS control over private systems, but it allows them to establish risk-informed security practices and standards for critical infrastructure.
Develop better cooperation across agencies
The bill brings the Departments of Defense and Homeland Security to the table to better coordinate their resources under the appropriate authority of the Office of the President.
Define the sectors of our society that most urgently need protection
The Secretary of Homeland Security will determine what critical infrastructure should fall under cyber regulation and receive new protections developed between industry and government, recognizing that not every part of our critical infrastructure is as vulnerable to cyber threats as our power grid is.
Enhance the Public-Private Partnership for Critical Infrastructure
The bill requires DHS to work with the Departments of Defense and Commerce, the National Institute of Standards and Technology and the sector-specific Federal regulatory agencies to establish standards to protect critical infrastructure. These efforts will also be carried out in consultation with appropriate private sector bodies, including private owners and operators of the infrastructure affected. This will ensure that standards are based on the recommendations of cyber experts as well as those with first-hand knowledge of the reality of the challenges facing each industry.
Ensure the above protections are carried out
The bill provides the authority to ensure these standards and practices are carried out. Coordinating through a new National Office for Cyberspace in the Executive Office of the President, DHS will work with sector-specific Federal regulators to establish enforcement mechanisms. These include the ability to conduct security audits or issue subpoenas to determine compliance with regulatory requirements for securing critical infrastructure.