July 29, 2008
Madam Speaker, I rise in strong support of the Homeland Security Network Defense and Accountability Act of 2008 (H.R. 5983). The United States and its allies face a significant and growing threat to our information technology (IT) systems and assets, and to the integrity of our information. The acquisition of this information by outsiders threatens to undermine and over time could cost the United States our advantage over our adversaries. This is a critical national security issue that we can no longer ignore.

As Chairman of the Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, I have prioritized this issue in the 110th Congress. I have held seven hearings on cybersecurity issues, heard from hundreds of experts on how best to tackle these problems, reviewed information security best practices in the public and private sectors, investigated cyber incidents across the spectrum -- from the State and Commerce Departments to our nation's electric grid -- and uncovered and assisted law enforcement in investigating breaches at the Department of Homeland Security. It has become clear that an organization is only as strong as the integrity and reliability of the information that it keeps.

The legislation we're considering today represents a critical step toward improving the cybersecurity posture at the Department of Homeland Security by addressing two key issues: ensuring a robust defense-in-depth of our information systems, and holding individuals at all levels accountable for mitigating vulnerabilities. This measure is composed of several important provisions.

First, it establishes authorities and qualifications for the Chief Information Officer (CIO) position at the Department. In a number of hearings, I have heard concerns that the lack of an information security background can hamper the CIO's understanding and efforts to secure the Department's networks. We cannot allow future Presidents to repeat the mistakes made by this Administration in appointing unqualified individuals to this important office.

Second, the bill establishes specific operational security practices for the CIO, including a continuous, real-time cyber incident response capability, a network architecture emphasizing the positioning of security controls, and vulnerability assessments for each external-facing information infrastructure. These are fundamental elements of a comprehensive information security program.

Third, the bill establishes testing protocols to reduce the number of vulnerability exploitations throughout the Department's networks. Time and again we have heard that the Federal Information Security Management Act -- or FISMA -- does not operationalize security, and does not effectively reduce the number of successful attacks. We must change this, and we can do so by bringing together the heads of appropriate federal agencies to mitigate known attacks against our governmental infrastructure.

The fourth major provision of the bill requires the DHS Secretary to determine if the internal security policy of a contractor who provides network services to the Department is consistent with the Department's requirements. Again, this is standard operating procedure for all private sector companies; it should be so for the federal government as well.

Finally, this bill seeks a formal report from the Secretary on meeting the deadlines established by the Office of Management and Budget (OMB) for Trusted Internet Connections (TIC), encryption and authentication mandates. These are critical for the Department's efforts in information security, and I am not confident that the proper deadlines are being met.

I encourage my colleagues to support the Homeland Security Network Defense and Accountability Act of 2008 and thank Chairman Thompson for his leadership in bringing this important measure to the floor.