New legislation introduced on July 15 by Rep. Eric Swalwell, D-Calif., aims to mandate penetration testing and other proactive cyber defense measures for some Federal agency networks, and to give the National Cyber Director (NCD) the authority to weed out risk conflicts between agencies that have overlapping cybersecurity missions.
The Proactive Cyber Initiatives Act of 2022, Rep. Swalwell’s office said, is a “bill that invests in innovative cybersecurity methods to ensure we are fixing cyber vulnerabilities before our adversaries.”
Among other provisions, the bill would:
- Mandate penetration testing for “moderate to high-risk government systems” and provide agencies with recommendations for needed authorities and resources;
- Give the NCD authority to “clear up risk conflicts between agencies with overlapping cyber jurisdiction”;
- Require Federal agencies to “report on proactive cyber methods such as deception technologies, continuous monitoring, and proportional actions taken in response to an unlawful breach”; and
- Require new recommendations on cyber risk mitigation.
The bill’s call for penetration testing of Federal agency network defenses tracks with pending Senate and House legislation to make major reforms to the 2014 Federal Information Security Management Act (FISMA), and with the often-expressed wishes of Federal CISO Chris DeRusha. Speaking about FISMA-reform-related goals last year, DeRusha said, “our goal is to shift from untested security to tested security … . it won’t be easy, and it will be a bit of a transition.”
“Cybercrime is increasingly putting American families, businesses, and government agencies at serious risk,” Rep. Swalwell said when he introduced the new bill.
“For too long, we have been addressing vulnerabilities only after a breach occurs,” he said. “My bill shifts the focus to one that is more proactive and innovative to protect our most critical infrastructures.”
And he defined the scope of the problem as nothing short of dire. “The U.S. is hopelessly losing the cybersecurity battle against other nations,” the congressman’s office said.
“In 2018, FBI cybercrime agents estimated that every American should expect that their personal information is already stolen by criminals and on the dark web,” his office said. “This is largely because most current cybersecurity practices are defensive, usually only patching vulnerabilities after they are exploited. More resources and new initiatives are needed to strengthen our cyber posture. This includes increasing Federal government penetration testing to internally fix vulnerabilities, utilizing deception techniques to trap bad actors and study their behaviors, and engaging in continuous monitoring to test our systems against millions of distinct inputs.”
