What can the government do to improve cybersecurity?

Nearly 22 million Americans had their personal information stolen in a major breach of Office of Personnel Management (OPM) databases, the federal government acknowledged this week.

The Obama administration insists it's already taking steps to respond to the massive hack and to lessen the risk of future breaches. For starters, the administration is replacing the head of the OPM. Even so, some members of Congress say Mr. Obama isn't off the hook just yet.

"We will hold the president accountable for restoring the public's confidence," House GOP leaders said in a group statement Friday.

The administration can indeed take concrete steps to improve the government's cybersecurity and restore public confidence -- but so could Congress.

For starters, Congress can reform the Computer Security Act of 1987, Jim Lewis, a senior fellow at the Center for Strategic and International Studies (CSIS), told CBS News.

"The problem here is really Congress," Lewis said. "Because in 1987, Congress passed a law that said [the National Security Agency] can't protect civilian agencies. It's got to be one of the world's dumbest laws, but it's still on the books, and so OPM was not being protected by NSA."

That limitation is "a lot of the reason" this OPM hack succeeded, he said, "because you did not have the best defenders able to work with a civilian agency. That needs to change."

On top of that, Congress needs to streamline its oversight of cybersecurity measures, Sen. Cory Gardner, R-Colorado, a member of the Commerce, Science, and Transportation Committee, told CBS.

"There's something like over 80 different committees or subcommittees that have a role in cyber," he said. "Is that the most effective way to proceed?"

He noted that the Defense Department has already taken steps to consolidate its cyber efforts. "I think that's something I'm going to be looking at... moving forward with ways to consolidate 82 different subcommittees into a group that actually understands all elements," he said.

In the meantime, as the slow-moving legislative body considers its next steps, the administration is implementing basic security measures -- like two-step authentication -- to prevent further cyber attacks.

"There is an ongoing effort to... accelerate reforms that need to be adopted... One of those is two-factor authentication," White House spokesman Josh Earnest said Friday. He called it a security measure that is becoming "more and more common" and that OMB "is trying to accelerate all across the government."

Additionally, he said the government is reassessing the number of "privileged users" who have greater access to government databases.

"One of the things our experts tell us is that it's important to limit the number of privileged users," Earnest said. "It's also important to think about the capability given to those privileged users. It's possible and important to closely monitor the activity of privileged users."