Top counterintelligence agency: OPM security not our problem

The nation’s top counterintelligence agency says it’s not responsible for keeping tabs on the Office of Personnel Management’s insecure networks.

The National Counterintelligence and Security Center (NCSC) on Tuesday deflected questions from Sen. Ron Wyden (D-Ore.) about whether it had identified the OPM as a security risk prior to the massive data breach that exposed millions of federal workers’ personal information.

{mosads}“Executive branch oversight of agency information security policies and practices rests with the Office of Management and Budget and the Department of Homeland Security (DHS),” NCSC head William Evanina said in a letter to Wyden.

Wyden fired back on Wednesday, calling the letter “a bureaucratic response to a massive counter-intelligence failure … unworthy of individuals who are being trusted to defend America.”

“While the National Counterintelligence and Security Center shouldn’t need to advise agencies on how to improve their IT security, it must identify vulnerabilities so that the relevant agencies can take the necessary steps to secure their data,” Wyden said in a statement.

The NCSC pointed to a 12-year-old information security law governing agency oversight to justify its claim that monitoring the OPM’s network security was the responsibility of the Department of Homeland Security.

A piece of bipartisan Senate legislation introduced this summer would update the Federal Information Security Management Act (FISMA) to expand and formalize the DHS’s role in safeguarding federal cybersecurity.

Known as the FISMA Reform Act, the bill would give Homeland Security the authority to search for digital intruders on any agency’s network without a formal request.

Senate Homeland Security Committee members have combined the legislation with another major DHS-focused bill, the Federal Cybersecurity Enhancement Act, which would require all agencies to adopt several cybersecurity best practices.

The legislation is part of a broad push among lawmakers to clarify the agency’s role in federal cybersecurity. Most recently, Rep. Cedric Richmond (D-La.) introduced a bill that would require the DHS to develop a formal cybersecurity strategy.

In the Senate, an amendment to the stalled Cybersecurity Information Sharing Act (CISA) would require all sensitive data to be funneled through the DHS, thought to have some of the government’s best data privacy procedures.

Earlier this week, Wyden indicated that understanding the NCSC’s actions leading up to the OPM hack was important because CISA would channel more information from the private sector to potentially vulnerable agencies.

He echoed those claims on Wednesday.

“The way to improve cybersecurity is to ensure that network owners take responsibility for plugging security holes, not encourage the sharing of personal information with agencies that can’t protect it adequately,” Wyden said.