This week, the Subcommittee on Cybersecurity and Infrastructure Protection held a hearing to discuss ways the federal government and private sector can better collaborate to strengthen the United States’ cyber defenses. The session was led by Chairman Andy Ogles (R-TN) and included testimony from several experts in cybersecurity.
Witnesses at the hearing were Joe Lin, co-founder and CEO of Twenty Technologies; Emily Harding, vice president of defense and security at the Center for Strategic and International Studies; Frank Cilluffo, director at Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security; and Drew Bagley, chief privacy officer at CrowdStrike.
Drew Bagley outlined several recommendations for addressing cyber threats. He stated: “I recommend the following: First, public and private organizations must take reasonable actions to defend themselves with a focus on threat hunting and identity security. Second, the cybersecurity community should radically increase the operational tempo of malicious infrastructure disruptions and take downs. Given its stakeholder engagement functions, CISA should be central to coordinating public and private actors to this end. Third, federal law enforcement, along with Title 10 and Title 50 entities should work to increase deterrence. Finally, we must defend AI systems and leverage AI to defend enterprises.”
Chairman Ogles asked about policy priorities that would enable the private sector to play a greater role in deterring cyber adversaries. Joe Lin responded: “The ability to use law enforcement authorities in combination in concert with Title 18, Title 10, and Title 50 is absolutely critical. But number two. I think what needs to shift here is a mindset, not just around doing episodic one-off operations of disruption, which are important and critical and can be successful, have been proven to be successful… But what does it take to match the speed and scale of our adversaries, to match the scope of what it is that they’re conducting against us?”
Ogles also questioned witnesses about distinguishing between intelligence-gathering operations and disruptive actions in cyberspace. Emily Harding said: “Ideally, yes, you’d be able to establish deterrence in an intelligent sense, and you’d be able to say, ‘okay, if you penetrate our networks, then you will feel consequences for that.’ It also is sort of a normal spy versus spy tit-for-tat. A very clear distinction, however, is between the Salt Typhoon kind of activity and the Volt Typhoon kind of activity. There is zero intelligence value in penetrating water networks, power networks––especially around military bases. That is there for one reason and one reason only: to disrupt the United States military in the case that we had to deploy suddenly.”
House Committee on Homeland Security Chairman Andrew Garbarino (R-NY) sought input on how CISA’s role could evolve as part of strengthening national cybersecurity strategy. Joe Lin testified: “We have to start thinking about cyber as a core element of multi-domain operations. So when HSI is conducting investigations, they should have the ability, the authority, the resources needed to be able to leverage cyber capabilities as part of their work. When Coast Guard is conducting missions…they should have the capabilities and toolsets needed…to leverage cyber…as part of their core responsibilities.”
Frank Cilluffo added: “I think there are some authorities and some protections that are needed. Firstly WIMWIG [the Widespread Information Management for the Welfare of Infrastructure and Government Act], you’ve got to get that over the goal line…You can’t trust––the government is going to lose all confidence in the private sector if we can’t even get the basics…But I think just as importantly…you do need to also look to what that combined operation could look like from a collaboration standpoint…not industry on its own––in conjunction with government.”
Rep. Vince Fong (R-CA) asked about developing future cyber talent pipelines and removing barriers for information sharing between sectors. Joe Lin replied: “What you alluded to is spot on…private sector companies…have extraordinary global sensor networks that rival those of even other signals intelligence agencies…it makes enormous sense for there to be very robust information sharing bidirectionally…We have to make it possible…and we have to encourage private sector companies to share what their sensors are seeing…with our intelligence agencies…”
Cilluffo praised recent legislative efforts such as the PILLAR Act and PIVOTT but stressed hands-on learning opportunities: “It’s not just traditional route––learning in a classroom––you need…students…in applied environments where they’re actually engaged…I think looking…where we can build co-ops…with both industry and government will be absolutely essential for success.” He continued: “We’ve got to move beyond information sharing to operational collaboration….Until we get…combined,…you’re fighting the same fight,…trust,…is everything.”
Subcommittee on Transportation and Maritime Security Chairman Carlos Gimenez (R-FL) questioned how foreign governments cooperate with criminal groups involved in cyber warfare activities targeting U.S. interests abroad. Emily Harding described differences between China’s more controlled approach and Russia’s relationship with criminal hackers: “In China,…criminal networks seem…government people who are moonlighting…doing criminal activity….China’s pretty locked down….Russia,…There’s kind of a deal…between Russian criminal networks…and Russian state,…you’re going operate outside Russia,…make life hard for our adversaries….We’re going ignore…allow you operate…There’s probably some interesting work…following money there.”



