New bill aims to secure federal government IT against cyberattacks

A bipartisan bill introduced in the Senate on Thursday would attempt to address cybersecurity threats to the federal government stemming from the use of potentially insecure third party services.

The Supply Chain Security Training Act, introduced by Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) and Sen. Ron Johnson (R-Wis.), would establish a training program for federal employees tasked with purchasing information technology products for agencies. 

The General Services Administration would coordinate with the Department of Homeland Security, the Department of Defense, and the Office of Management and Budget (OMB) in creating the program, and OMB would be required to develop guidance for federal agencies to understand how to implement the program. 

The bill was introduced more than six months after the SolarWinds hack was discovered in December, one of the largest cyberattacks in U.S. history. The incident involved Russian government hackers exploiting a software update from IT group SolarWinds to compromise its customers, which included nine federal agencies and 100 private sector groups. 

Other recent incidents have also demonstrated escalating cybersecurity risks, including vulnerabilities on Microsoft’s Exchange Server application. These allowed both Chinese and Russian hackers to potentially compromise thousands of organizations earlier this year before the vulnerabilities were patched. 

Peters said in a statement Thursday that these attacks “show that our foreign adversaries and criminal organizations will stop at nothing to breach federal networks, steal information and compromise our national security.”

“Federal employees need to know how to recognize possible threats when they are purchasing software and equipment that could allow bad actors a back door into government information systems,” Peters said. “This bill will help strengthen national security by safeguarding against cybersecurity vulnerabilities and other threats posed by the technology our government uses.”

Johnson, who served as chair of the Senate Homeland Security Committee prior to Peters, stressed the need for cybersecurity training for federal workers. 

“Counterintelligence training for federal workers who buy and sell goods and services for the government is critical at a time when our adversaries are probing cyber vulnerabilities to breach our systems and steal information,” Johnson said in a separate statement. “This type of training will help close a potential gap in our cyber and physical security defenses.”

Peters and Johnson introduced similar legislation in 2019, which was approved by the Senate later that year. However it was never given a vote in the House.