Hearing Wrap Up: Effective Implementation Is Crucial to Ensure National Cybersecurity Strategy Protects U.S. from Malicious Actors
WASHINGTON—The House Committee on Oversight and Accountability Subcommittee on Cybersecurity, Information Technology, and Government Innovation held a hearing yesterday titled “Unpacking the White House National Cybersecurity Strategy.” At the hearing, subcommittee members asked the lead cybersecurity official in the White House to explain and defend the Biden Administration’s recently unveiled National Cybersecurity Strategy (NCS).
Key Takeaways:
- Subcommittee members conducted oversight of the NCS to ensure government systems are secure, private citizens’ data remains safe, and U.S. critical infrastructure is protected from foreign threat actors. Members also asked for clarity on how the strategic plan will be implemented.
- A key shift proposed in the Biden cyber strategy is to elevate cybersecurity standards in the private sector through new regulations and increased liability for technology providers, meaning these private sector companies would shoulder more of the responsibility for securing cyberspace.
- Subcommittee members asked how the NCS balances voluntary industry compliance with government enforcement through mandates, new regulatory incentives, and legal penalties.
Member Highlights:
Chairwoman Nancy Mace (R-S.C.) asked witness Kemba Walden, acting director of the Office of the National Cyber Director, to clarify who will take responsibility for the implementation of the plan and for an estimated timeline.
Chairwoman Mace also inquired about accelerating the hiring of federal employees in the cybersecurity space, noting that she is developing legislation to address the issue.
Chairwoman Mace: “On the topic of workforce, obviously we all agree here we want to build a robust cyber workforce, drawing from all parts of our society…I’m working on legislation to try to accelerate the hiring of federal employees in the cybersecurity space, and I would look forward to working with you and your office on some of the ideas that we have, including how education is considered in the way that we hire.”
Ms. Walden offered to work with Chairwoman Mace towards solutions to improve hiring in the cyber space. “In terms of the federal cyber workforce, I share a similar concern. We are working with OPM to shore up and harmonize the differing federal authorities across departments and agencies for hiring and retaining talent in this space. We are working with OPM to develop a legislative proposal. I would love the opportunity to work with you on those initiatives.”
Rep. William Timmons (R-S.C.) pointed out that U.S. businesses can still fall victim to cyberattacks despite their best efforts to fortify their cybersecurity.
Rep. Timmons: “U.S. businesses, no matter how hard they try to have the best cybersecurity possible, can still fall victim to nation-state attacks, and those attacks can often cost billions of dollars to publicly traded companies. Do you think that the federal government has a role in backstopping those businesses, assuming they’re doing everything possible to avoid an attack?”
Ms. Walden stated that a priority of the cybersecurity strategy is to make sure that small and medium businesses don’t bear the significant brunt of cybersecurity risk on their own.
Ms. Walden: “[Backstopping] is indeed one of the tools that we are considering [as] a cyber insurance backstop. Think of flood insurance, for example, in order to make sure that cybersecurity small and medium businesses don’t bear the full cost of a cyber security breach while also working on making sure that the systems are resilient.”
Rep. Tim Burchett (R-Tenn.) asked about how the National Cybersecurity Strategy protects United States infrastructure from threat actors and foreign adversaries and how we can better secure our global financial institutions from bad actors.
Rep. Burchett: “What countries do you think are our biggest threats to national cybersecurity?”
Ms. Walden: “As articulated in the worldwide threats report that ODNI published, it’s China, North Korea, Iran, and Russia.”
Rep. Burchett also warned that 1,600 offshore oil and gas facilities face a significant risk of cyberattacks and requested more information about the potential impact of a cyberattack on these facilities.
Rep. Nick Langworthy (R-N.Y.) discussed how cloud service providers shouldn’t be regulated in an indiscriminate manner.
Rep. Langworthy: “I’m concerned that this categorical effort to sweep in all cloud-based services is inconsistent with a risk-based approach. Can you explain the rationale for the blanket approach that you plan to pursue?”
Ms. Walden: “There is some work still to be done. We are ready, willing, and able to work directly with cloud service providers, not necessarily to kowtow to their demands but to make sure that we have effective harmonization across all sectors for the purposes of making cloud services more secure.”