Senator wants to allow DHS to ban software from federal IT without notice
New legislation would give the Department of Homeland Security the power to ban specific software from federal IT systems without first notifying the software maker.
The Federal Network Protection Act, introduced Tuesday by Sen. Dianne Feinstein, D-Calif., would amend federal statutes to provide the secretary of Homeland Security the ability to issue a binding operational directive without a requirement of notice “to any private entity.” The legislation comes as Moscow-based Kaspersky Lab and the U.S. government continue their legal fight over a federal law banning the cybersecurity company’s products from government networks.
Under current Federal Information Security Modernization Act (FISMA) statutes, the DHS secretary can issue a binding operational directive — effectively a compulsory order — to executive branch agencies in order to protect federal information systems from a suspected security threat.
BODs do not apply to national security systems, and the secretary is required by statute to provide notice to potentially affected third parties and consult, where appropriate, with federal contractors on the procedures under which a directive may be issued. The new bill would remove any requirement of that notice.
In a statement on her website, Feinstein did not mention any company by name, but said the bill was meant to curb increasing attempts of cyber-espionage by foreign nations, citing a Government Accountability Office figure that said attacks on federal systems had increased from 5,500 in 2006 to more than 77,000 in 2015.
“We’re seeing more and more attacks on federal computer systems by foreign agents, and we need to make sure we have all the tools and authorities necessary to block those attacks,” she said. “By clarifying what actions the Secretary of Homeland Security can take, we allow the department to act quickly in response to cyber threats.”
DHS banned Kaspersky Lab products from federal IT systems in September 2017, claiming its antivirus software posed a national security risk.
The company has since filed two lawsuits seeking to overturn the ban, due to provisions within the proposed 2018 National Defense Authorization Act that wrote the ban into law. Separately, the U.S. government is considering broader sanctions on the company’s products.
Feinstein’s bill has been referred to the Senate Committee on Homeland Security and Governmental Affairs.