Feinstein introduces bill allowing DHS to quickly remove ‘compromised software’

Sen. Dianne Feinstein (D-Calif.) on Tuesday introduced a bill that aims to boost the Department of Homeland Security’s (DHS) ability to protect federal computer networks from foreign attacks.

Feinstein’s Federal Network Protection Act clarifies that the head of the DHS has the authority to issue orders, known as binding operational directives, to remove compromised software from federal systems before notifying the “affected software company” about such changes.

{mosads}

The Democratic senator said the move would help block a company from taking defensive actions in response to the removal because such actions could stall the DHS’s removal of the software.

“By clarifying what actions the Secretary of Homeland Security can take, we allow the department to act quickly in response to cyber threats,” Feinstein said in a statement.

Feinstein’s measure builds on two previous bills that passed in 2002 and 2014. Those bills similarly gave DHS the ability to modernize federal systems as well as remove compromised or outdated software.

The legislation comes as federal computer networks face increasingly sophisticated foreign attacks, with attacks against federal computer systems jumping from 5,500 in 2006 to more than 77,000 in 2015, according to the Government Accountability Office.

“We’re seeing more and more attacks on federal computer systems by foreign agents, and we need to make sure we have all the tools and authorities necessary to block those attacks,” Feinstein said.

The legislation comes after the federal government last year banned software from their computer systems that was developed by the Russian-based cybersecurity firm Kaspersky Lab amid fears its products could pose security risks for the U.S.

Sen. Claire McCaskill (D-Mo.) criticized the DHS at the time for giving other federal agencies a 90-day time frame to remove Kaspersky Labs products from federal computer systems.

“You’re giving them a long time,” McCaskill said during a congressional hearing in October.

Although Congress mandated the software be removed in its annual defense policy bill, the DHS had already issued a directive last September ordering civilian agencies to expunge Kaspersky products from their systems by a December deadline.

The U.S. government and Congress made the decision last year to remove Kaspersky Lab’s products from government computer systems amid growing concerns about Russian efforts to sow discord and interfere in the 2016 election.

“Do you think if this happened in Russia, if they found a system of ours was looking at all their stuff, that they would give their government 90 days to remove it, seriously?” McCaskill said at the time.

“The point I am making, I mean, is that why don’t you just say you have to remove it immediately?”

The software company has repeatedly maintained that it operates independently of the Russian government, describing the U.S. government’s assertions last year as “completely unfounded.”

U.S. policymakers, however, argue that removing the anti-virus software gets rid of a vulnerability that Russia could have exploited in the future.