This week, the Subcommittee on Cybersecurity and Infrastructure Protection held a hearing in Washington, D.C., focusing on improving cooperation between the federal government and private sector to strengthen U.S. defenses against cyber threats. The session was led by Chairman Andy Ogles (R-TN) and included testimony from cybersecurity leaders across industry and academia.
Witnesses included Joe Lin, co-founder and chief executive officer at Twenty Technologies; Emily Harding, vice president of defense and security at the Center for Strategic and International Studies; Frank Cilluffo, director at Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security; and Drew Bagley, chief privacy officer at CrowdStrike.
In his opening remarks, CrowdStrike’s Drew Bagley outlined several recommendations: “I recommend the following: First, public and private organizations must take reasonable actions to defend themselves with a focus on threat hunting and identity security. Second, the cybersecurity community should radically increase the operational tempo of malicious infrastructure disruptions and take downs. Given its stakeholder engagement functions, CISA should be central to coordinating public and private actors to this end. Third, federal law enforcement, along with Title 10 and Title 50 entities should work to increase deterrence. Finally, we must defend AI systems and leverage AI to defend enterprises.”
Chairman Ogles asked panelists about congressional policies that could help empower private companies in deterring cyber adversaries. Joe Lin responded: “The ability to use law enforcement authorities in combination in concert with Title 18, Title 10, and Title 50 is absolutely critical. But number two. I think what needs to shift here is a mindset, not just around doing episodic one-off operations of disruption, which are important and critical and can be successful, have been proven to be successful… But what does it take to match the speed and scale of our adversaries, to match the scope of what it is that they’re conducting against us?”
Ogles also questioned differences between deterring intelligence versus disruptive cyber operations. Emily Harding said: “Ideally, yes, you’d be able to establish deterrence in an intelligent sense, and you’d be able to say, ‘okay, if you penetrate our networks, then you will feel consequences for that.’ It also is sort of a normal spy versus spy tit-for-tat. A very clear distinction, however, is between the Salt Typhoon kind of activity and the Volt Typhoon kind of activity. There is zero intelligence value in penetrating water networks, power networks––especially around military bases. That is there for one reason and one reason only: to disrupt the United States military in the case that we had to deploy suddenly.”
House Committee on Homeland Security Chairman Andrew Garbarino (R-NY) sought views on strengthening CISA’s role in national cybersecurity strategy:
Mr. Lin said: “We have to start thinking about cyber as a core element of multi-domain operations. So when HSI is conducting investigations they should have the ability…the authority…the resources needed…to leverage cyber capabilities as part of their work…When Coast Guard is conducting missions…they should have…the capabilities…and toolsets needed…to leverage cyber…as part of their core responsibilities.”
Frank Cilluffo added: “I think there are some authorities and some protections that are needed. Firstly WIMWIG [the Widespread Information Management for the Welfare of Infrastructure and Government Act], you’ve got to get that over the goal line...You can’t trust––the government is going to lose all confidence in the private sector if we can’t even get the basics...So thank you for your leadership there...But I think just as importantly...you do need...to look...to what that combined operation could look like from a collaboration standpoint...not industry on its own––in conjunction with government.”
Rep. Vince Fong (R-CA) asked about supporting future workforce development in cybersecurity as well as reducing barriers for information sharing:
Joe Lin replied: “What you alluded to is spot on…these days private sector companies…have extraordinary global sensor networks that rival those of even other signals intelligence agencies…and so…it makes enormous sense for there to be very robust information sharing bidirectionally…it has to be bidirectionally…We have to make it possible easy…and we have to encourage private sector companies…to share what their sensors are seeing…with our intelligence agencies…and vice versa.”
Cilluffo commented further: “I think the Committee itself should be applauded for the PILLAR Act and PIVOTT…I mean these are essential…but…I think…it’s not just…the traditional route––learning in a classroom––you need…students opportunities…in applied environments where they’re actually engaged…I think looking…where we can build co-ops…with both industryand government will be absolutely essential…”
“We’ve got to move beyond information sharing to operational collaboration...Until we get...to that stage...we’re always going...to be marching into the future backwards....That is always...reactive....We need...combined,...same foxhole,...fighting same fight,...build trust,...which is everything.”
Subcommittee on Transportation and Maritime Security Chairman Carlos Gimenez (R-FL) raised questions about foreign state involvement with criminal hackers:
Emily Harding responded: “In the sense of China,we are seeing more sort of popping up of criminal networks that seem to be government people who are moonlighting on the side at night doing criminal activity.But China’s pretty locked down.They like to control their people ... Russia,on the other hand,is a very different story …There’s kind of a deal ... between ... Russian criminal networks ...and ... Russian state ...where ...the Russian state says,you’re going operate outside Russia,you’re going make life hard for our adversaries.We’re going ignore ...criminal activity ...allow you operate …There’s probably some interesting work ...following money there.”
