Even in an era when denial-of-service attacks and cyber-theft are all too common, the security of one particular website — HealthCare.gov — has garnered significant public and congressional scrutiny.
While Department of Health and Human Services officials have said they performed all necessary security checks, this site (like all other federal websites) is certainly under threat of cyberattack. Unfortunately, the additional attention is only increasing the threat, as more hackers and cyber-criminals around the world see it as a prime target.
While criticizing the security of HealthCare.gov is not surprising in today’s hyperpartisan environment, we should focus on what Congress is doing to address the overall security of federal Internet properties.
In this context, it is ironic that last spring, the House of Representatives passed HR 1163, the Federal Information Security Amendments Act, which would actually undo proactive steps taken by the Obama administration to focus expertise and interagency cooperation on just this type of cyber-problem.
As passed by the House, HR 1163 would amend the Federal Information Security Management Act of 2002 to “re-establish” the authority of the Office of Management and Budget director to oversee FISMA compliance and require each federal agency to take certain steps to secure its networks.
On the surface, this sounds reasonable, and the legislation passed unanimously without amendment. (At the time, Congress was focused primarily on information sharing legislation and privacy issues associated with the Cyber Intelligence Sharing and Protection Act.) The legislation does take some necessary steps to update the current FISMA compliance regime. But the problem with HR 1163 is that it would completely undo the advances made over the past several years.
Issued in 2010, OMB Circular M-10-28 clarified the responsibilities of the OMB and the Department of Homeland Security and ensured that the DHS would oversee the operational activities related to agency compliance with FISMA. This step was taken because the DHS already has the statutory responsibility to protect the “dot Gov” domain and has been growing its capacity exponentially over the past several years.
Each agency is still required to secure its networks, but this approach allows the administration to continue to leverage the growing cyber-expertise of the DHS for the benefit of all federal networks. This interagency responsibility has been recognized in congressional appropriations, with more than $150 million designated in fiscal 2014 for the DHS to provide continuing monitoring and diagnostics for federal agencies.
Even as cyber-threats grow exponentially, Congress has been unable to address the issue in a comprehensive and thoughtful way. To be sure, the issues are complicated and there is little understanding (and much disagreement) about the right way to proceed. The injection of jurisdictional infighting makes the problem much more difficult to address effectively.
Instead of criticizing or defending the security of a single federal website to promote a partisan agenda on either side, Congress should redouble its efforts to pass comprehensive cybersecurity legislation. And with numerous committees claiming jurisdiction over the issue, one step in the right direction would be the establishment of a bipartisan select committee on cybersecurity to take the jurisdictional hurdles off the table.
Nelson Peacock is vice president of Cornerstone Government Affairs and co-leads the homeland security practice group with Michelle Mrdeza. He was previously assistant DHS secretary for legislative affairs in the Obama administration.