Portman: Federal Government Needs Accountability in Cybersecurity

WASHINGTON, DC – Today, U.S. Senator Rob Portman (R-OH), Ranking Member of the Senate Homeland Security and Governmental Affairs Committee, highlighted the need for accountability for cybersecurity in the federal government to ensure a more effective national defense against cyberattacks. Portman also stressed the importance of improving baseline cybersecurity practices throughout the federal government. 

Last month, Senators Portman and Gary Peters (D-MI), Chairman of the Senate Homeland Security and Governmental Affairs Committee, released a bipartisan report reviewing cybersecurity at eight federal agencies and documenting the continued failure of seven of those agencies to comply with the baseline cybersecurity requirements in the Federal Information Security Modernization Act (FISMA) and to safeguard America’s data. The report, titled Federal Cybersecurity: America’s Data Still at Risk, shows that, two years after Portman’s bipartisan 2019 report on federal agency cybersecurity, which he released as then-Chairman of the Permanent Subcommittee on Investigations (PSI), there are still systemic failures to safeguard American data at the Department of State; the Department of Transportation; the Department of Housing and Urban Development; the Department of Agriculture; the Department of Health and Human Services; the Department of Education; and the Social Security Administration. These include failures to protect personally identifiable information adequately, to maintain accurate and comprehensive IT asset inventories, to maintain current authorizations to operate for information systems, to install security patches quickly, and to retire legacy technology no longer supported by the vendor.

A transcript of Portman’s opening statement can be found below and a video can be found here.

“Thank you, Mr. Chairman, and thanks for convening this critically important hearing. I look forward to the dialogue, and it’s great to have people in place who are now in charge of our cybersecurity system at the federal government level. Our strategy for protecting our cyber networks and our critical infrastructure is something that we’ve been struggling with, frankly, and to have the leadership in place is very important to get that strategy right.

“One important part of it, in my view, is accountability, and I hope to have a conversation about the appropriate roles and responsibilities for the many different cybersecurity positions within the federal government. Who’s in charge, who’s making the decisions, who’s accountable. I also look forward to discussing how cyber incident reporting legislation might better inform that strategy as the Chairman has just said, I think that’s very important, and I think we can get that right. I think we can get a bipartisan product on that. 

“In recent years, hostile cyber adversaries, both foreign and domestic, have executed some of our most damaging cyberattacks ever and we all know about these. We’ve had hearings about them – Colonial Pipeline most recently. Both the federal government and the private sector companies have been targeted. We held hearings on SolarWinds, Colonial Pipeline, and others. These events are stark reminders of the wide-ranging and real-world impacts of sophisticated cyberattacks and impacts on people. These attacks have become more and more common, and so it’s important that we work to protect ourselves and our networks. One of the best strategies for preventing these attacks, of course, is to improve baseline cybersecurity practices, basic cyber hygiene. 

“We also know that federal agencies have failed to make meaningful progress on the implementation of these practices, as is actually required by law under FISMA, the Federal Information Security Modernization Act. In August, just last month, Chairman Peters and I released a report detailing the significant cybersecurity vulnerabilities of eight key federal agencies: the Department of Homeland Security, State, Transportation, Housing, Health and Human Services, Ag, Education, and Social Security. This report follows a 2019 report I released with Senator Carper as Chair of the Permanent Subcommittee on Investigations evaluating the same eight agencies. In this year’s report, only DHS, the Department of Homeland Security, had an effective cybersecurity program. Every other agency featured in the report failed to meet the standard. We also found that the average grade across all government agencies was a C minus, close to failing. The report identifies several common agency vulnerabilities, including the failure to adequately protect personally identifiable information, maintain an accurate and up-to-date list of the agencies’ IT assets, install security patches in a timely fashion, and retire vulnerable legacy technology that is no longer secure. Securing fragmented networks against increasingly sophisticated attackers is not an easy or trivial task. It would be unfair to suggest otherwise. Yet in nearly seven years since FISMA was last updated in 2014, agencies still have the same vulnerabilities year after year.

“Accountability is a critical aspect of any strategy. All three witnesses with us here today have heard me discuss the importance of it for federal cybersecurity, in particular, at all of your confirmation hearings. And in our conversations, we talked about the need to ensure that we have appropriate accountability through these federal networks and the agency systems. Among the three of you and the Deputy National Security Advisor for Cyber, I believe we will continue to see these inconsistencies or vulnerabilities because of the question about accountability, unless we’re clear about who’s in charge, who’s in charge to better prevent, who’s in charge to better respond to cyberattacks. I look forward to continuing that discussion today again of how we can best achieve that accountability. 

“We’re also here to discuss this topic of overarching strategy and particularly cyber incident reporting. As I said, recent attacks on critical infrastructure, particularly through ransomware, demonstrated how prompt notification to the government can benefit both the government and its victims. In the case of Colonial Pipeline, the FBI was able to recover part of the ransom paid by Colonial to the attackers. There is a balance between getting information quickly, letting victims respond to an attack without imposing onerous requirements on them, and getting accurate information. We understand that balance and we want to try to reach the right balance to be sure that we are actually doing what we intend to do, which is to both help the private sector and government agencies deal with cyberattacks. 

“I look forward to the witnesses’ perspective on how to balance those competing priorities. Again, Mr. Chairman, I appreciate the witnesses being here today. Glad you’re in place and I look forward to the dialogue.”