What does the White House network breach mean for cybersecurity reform?
In the wake of a breach of an unclassified White House network, representatives on Capitol Hill and members of the private sector have taken a look at what it could mean for the legislative future of cybersecurity.
Sen. Tom Coburn, R-Okla., the ranking member of the Senate Homeland Security & Governmental Affairs Committee, said the breach underscored the need for cybersecurity reform.
“I’m deeply concerned about the reported attacks on White House networks,” Coburn said in an Oct. 29 release. “We’ve worked very closely with the administration to improve our nation’s cybersecurity.”
Coburn said he was frustrated the executive branch did not notify Congress of the breach, especially after the two entities collaborated on new provisions for the Federal Information Security Management Act of 2002.
Earlier this year, Coburn and the Senate Homeland Security Committee’s chairman, Tom Carper, D-Del., involved the White House in discussions for the 2014 Federal Information Security Modernization Act, which may be considered by the Senate when Congress returns later this month.
The 2014 update does not rewrite the 2002 FISMA, but it does remove some agency cybersecurity reporting requirements and pivot its focus to a continuous monitoring structure by codifying the Department of Homeland Security’s role in executive branch agencies’ cybersecurity efforts.
According to Coburn, in the negotiations over the bill, the White House argued with his staff about how agencies should be required to tell Congress when their networks have been breached, something Coburn claimed the White House did not do last week.
“I’m disappointed that the White House decided not to notify Congress of the breach, even as its officials debated with my staff the need for agencies to tell Congress when they’ve been hacked,” Coburn said.
Yet Bernadette Meehan, a spokeswoman for the National Security Council, told FedScoop in an emailed statement that the administration did in fact notify Congress of the breach — just not all of Congress.
“Consistent with sensitive intelligence matters, the director of the FBI notified congressional leadership and ranking members of the intelligence committees [of the breach],” Meehan said.
Carper didn’t comment on the White House’s notification to Congress about the breach, instead telling FedScoop in an email that cybersecurity is one of the top threats and biggest growing challenges the nation faces today.
“We must do all that we can to be better prepared,” Carper said. “Our committee has approved three bills that take important steps in our effort to modernize our nation’s cybersecurity programs and help the public and private sectors work together to tackle cyber threats more effectively in the future. I am committed to continuing to work with my colleagues on both sides of the aisle, the administration and stakeholders to pass our legislation and additional measures that address this critical issue as soon as possible.”
The White House echoed Carper’s sentiment, and, in an email to FedScoop, renewed the administration’s commitment to cybersecurity legislation.
“Since 2011, we have urged Congress to move forward on cybersecurity legislation, including legislation that enhances the government’s ability to protect its networks,” Mark Stroh, an NSC spokesman, said. “The administration will continue to act under existing authorities to protect the nation from cyber threats. We, again, call on Congress to pass cybersecurity legislation to ensure that the government has the authorities it needs to protect the nation.”
Richard Bejtlich, the chief security strategist at FireEye and a nonresident senior fellow at the Brookings Institute specializing in cyber defense, said the best chance cybersecurity legislation has is related to information sharing — even though the scope of how beneficial it is for the government is relatively narrow.
According to Bejtlich, the White House network breach might not actually make a whole lot of difference in the future of federal cybersecurity.
“I think pretty soon no one will even care about [the breach],” Bejtlich said. “There have been breaches in all different parts of government. Government breaches don’t tend to get a whole lot of attention or motivate any change.”
But the breach could harm the public perception of any potential future requirements the federal government puts in place regarding private sector cybersecurity, Bejtlich said.
“Something I hear pretty frequently is, the private sector fears that [some sort of requirements will be imposed] from the federal government, yet the government hasn’t cleaned its own act up,” he said. “‘It can’t even really defend itself, so who are they to tell us what to do?’ That’s kind of an emotional response, but I do hear it a decent amount of times when I talk to different customers.”
The White House has been relatively silent about the breach itself. According to White House Press Secretary Josh Earnest, the White House is subject to daily cyber attacks, which makes the issue of the breach a sensitive one to discuss publicly.
“I think it would be unwise for me to discuss from here what we have learned so far,” Earnest said. “The administration is continuing to learn all we can about where those activities originated and what sort of methods are associated with those activities.”
Bejtlich said that because the White House and other online government entities are attacked often, there isn’t great cause for alarm, despite the need for a more robust congressional response to cybersecurity.
“I think it’s always important to remember that you could have the best security in the world, but you will have a breach,” Bejtlich said. “It’s what happens next that matters.”